I want MFA, but I can't have it.

edited May 2020 in Business and Teams

Hi, I can't wrap my brain around this and would like a different perspective. I'll do it bullet wise because that works for me.

  • We use a scim bridge to have control over provisioning user accounts between Active Directory/Okta and 1password.
  • The scope is to acces the vaults online through a browser preferably through Okta. Apps or clients are not in scope yet.
  • Company policy demands the use of MFA. We can set it in Okta or in 1Password.
  • When I set MFA in Okta for 1Password on the application level, users can circumvent it by browsing to the url directly.
  • When i set MFA in 1Password, it gives me this. (last remark)

I thought the scim bridge is nothing more then a way to provision users from one platform to another. Since SSO isn't even possible because SAML isn't supported I don't understand where MFA should be configured. Please help.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • BenBen AWS Team

    Team Member

    Hi @Sander1974

    Thanks for taking the time to write in with this concern. At present the SCIM bridge requires a user account within your 1Password membership that cannot have MFA enabled. As such the SCIM bridge is currently incompatible with enforcing MFA for the entire organization. At present, the best solution would be to take a look at which users do not have MFA enabled for 1Password and follow up with those users directly. We are looking at how we can address this so the SCIM bridge can be utilized while MFA is enforced, but we don't have a way to do that at present.

    I would suggest getting in touch with your account manager (or [email protected] if you aren't sure who that is) to let them know you're interested in using the SCIM bridge and also enforcing the use of MFA. That way if we make progress on that they can reach out to you.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.


  • Thanks Ben,

    Just a small follow up question. What authenticator apps are supported in 1Password?

    I found this in the documentation:
    Google Authenticator
    Microsoft Authenticator

    But I was wondering if it is limited to these. Thanks.


  • BenBen AWS Team

    Team Member


    The list is non-exhaustive. We use the TOTP (time-based one time password) standard, so any app that supports that standard should, in theory, work. :) Beyond what you have listed I have personal experience using the Yubico Authenticator app, and I've also heard Duo offers an app that can generate TOTP codes though I don't have first hand experience with that.


  • @Sander1974 Check out Raivo OTP. It's iOS only but well made and you can even export your OTP entries if you get a new phone.

  • ag_anaag_ana

    Team Member

    Thank you for the suggestion :+1::)

  • ag_audreyag_audrey

    Team Member

    Hello everyone!

    We're super excited to announce that 1Password now supports enforced two-factor authentication while using automated provisioning 🎉

    You can read more about enforced MFA and our other new features in our blog post: https://blog.1password.com/improved-automated-provisioning/

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file