Business Friendly

kurtdkurtd Junior Member

Really like 1Password but here are the things keeping me from on-boarding more users.

  1. Secret Key... Cannot have users writing down their master password on a PDF containing the secret key. I do not want a secret key at all. My users should only need to know their username, master password, and have a 2FA token. At that point if they get locked out, an admin should be able to disable 2fa or reset their password.

  2. Invention Email.... It's not very professional. Seems to be designed from a personal \ family account perspective. That wouldn't be a problem if it were customizable but it doesn't seem to be so can you at least make it better?

  3. Integration with Azure Ad for SCIM and SAML would be nice without requiring 3rd party tools and apps.

1 is my main concern, I don't think I can move forward when there are other options out there that don't have this requirement even though I'd prefer 1password over the others.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @kurtd

    Thanks for sharing your perspective here. The Secret Key, as a core part of how 1Password operates and protects your data. For 1Password, it provides significantly more benefit than 2FA. This is because the primary way 1Password protects your data is encryption, not authentication, and the Secret Key strengthens the encryption, whereas 2FA only affects the authentication process. If you were going to forgo one 2FA would be the one to forgo. Administrators can assist users who have lost/forgotten their credentials via the account recovery process. I'd be happy to put you in touch with our security team if you'd like to discuss in more detail, if that is something you're interested in. That said, if ultimately the Secret Key is a deal breaker, I don't think that's an objection we'd be able to overcome.

    Regarding the invitation email, do you have any specific feedback I could share with the team on this? I believe this is a standard template used for all of our business customers, and as such it wouldn't be customizable on an individual basis (unless/until that changes), but there may be room for discussion on changing the template.

    As for integrating Azure AD using the SCIM Bridge: could you please elaborate on the concern there? The SCIM Bridge itself is a 1st party offering from 1Password.

    Thanks!

    Ben

  • kurtdkurtd Junior Member

    If the secret key is not going away then the least you could do is stop instructing business users to Print it, Put it on USB, or store it in a Safe Deposit box. Why spend so much time on security only to have this document floating around. For business users, I think it would be fine to only have the secret key stored in their 1password app. An admin can always reset it if they get locked out.

    Lets say the admin's name is John. This doesn't sound like something an admin would say:

    John is using 1Password!
    John wants you to join them on 1Password!

    The Azure page says I need to set up a scim bridge first https://support.1password.com/scim-azure-ad/
    The Scim bridge page offers a few options https://support.1password.com/scim/
    When I view the instructions for a competitor, it looks like you only need to configure the enterprise application in Azure.

  • BenBen AWS Team

    Team Member

    If the secret key is not going away then the least you could do is stop instructing business users to Print it, Put it on USB, or store it in a Safe Deposit box. Why spend so much time on security only to have this document floating around. For business users, I think it would be fine to only have the secret key stored in their 1password app. An admin can always reset it if they get locked out.

    I think there is some valid criticism there. I'll be happy to share that with the team for further consideration.

    Lets say the admin's name is John. This doesn't sound like something an admin would say:

    John is using 1Password!
    John wants you to join them on 1Password!

    Thanks for that. I just sent myself a test invitation and indeed I can see where this thought comes from. I'll bring this up with the team as well.

    The Azure page says I need to set up a scim bridge first https://support.1password.com/scim-azure-ad/
    The Scim bridge page offers a few options https://support.1password.com/scim/
    When I view the instructions for a competitor, it looks like you only need to configure the enterprise application in Azure.

    Gotcha. Yes, the SCIM Bridge is required, but it is a 1st party solution (i.e. it is created by 1Password). If you'd like I can ask our integrations team to jump in with additional details on why it is required.

    Thanks.

    Ben

  • kurtdkurtd Junior Member

    1Password works fine for my family and a few people in the IT department but I don't think I can deploy it to more users unless something changes with the Secret Key as mentioned above. This forum is nice but it would also be nice to be able to vote on feature requests.

    The email template I can probably get around by using the hidden link. SCIM, I'll probably hold off on for now so the only issue stopping me from adding users is the secret key.

    Thanks

  • john_mjohn_m

    Team Member

    Hi @kurtd! Ben has passed on your feedback to the relevant teams here; if there's anything else he or I can do for you, just let me know! :+1:

  • kurtdkurtd Junior Member

    There's one other item that I've mentioned on the forum before that bothers me and that's the mixing of personal and business data. I don't like how your personal or work master password unlocks both accounts. There should be an option to keep them separate so that you could have both accounts added to the apps but work password only unlocks work data and personal password only unlocks personal vaults.

    I get around this by using 1passwordx for personal accounts and the normal app for work while at work and the opposite while at home. Works for me but to roll this out to more users, I'd rather have a policy or setting I could change to modify the behavior as mentioned.

  • BenBen AWS Team

    Team Member

    Thanks @kurtd. That's something we've gone back and fourth a bit on, but we do have some ideas that we'll likely do some testing on. In the meantime separating via 1Password X vs the desktop app is likely the best solution, and is actually what I personally do as well (in addition to separate Chrome profiles).

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file