Coming from 1Password, one of the features I liked from it is that it was able to talk to the 1Password app running on my computer and trigger it to request a TouchID validation before spitting out the passwords.
I used that feature extensively to request credentials just in time when opening shell sessions for various services. For example, when using aws-cli: I made a simple wrapper that got my access key from 1Password, so I could run any AWS commands, and it would prompt for a quick TouchID and then I'm good for that shell session. That way I have a secure workflow where a rogue app can't just exfiltrate my passwords unnoticed.
We're on an enterprise plan with SSO and 2FA, so at the moment the best I can do is open up a browser to log in and paste the login token back into the terminal, and set it to remember 2FA forever. And I still have to do the SSO step for every single command, so if I need to get multiple passwords, I need to repeat this multiple times as well.
Thanks, that will do as a workaround for now. But now there's not a whole lot protecting my vault: any rogue script or program on my machine can pretty much just request any password, or steal the tokens from the JSON config. I'd definitely prefer that there's at least one forced interaction factor. I'm looking to approve any use of the password manager interactively, either a password, or better, one derived from biometric authentication.
If any script can just request any password, then I might as well be storing my password in a spreadsheet or in config files. At least the attack surface for this would be only my few API keys.