Can someone explain the firewall feature as it doesn't work as I think it should?
I'm really disappointed in 1pass features overall (coming from Lastpass there were so much better options)
I have the firewall set to my office IP.
However, I'm travelling and I can literally log into my lastpass vault (chrome extension and mobile) from any IP. So basically, it's useless. It seems that the firewall only works to block logins from the website? That's utterly useless.
Can someone please clarify this?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:Chrome firewall
Comments
-
Lastpass refugee here and regretting making the switch. 1pass is not only more expensive but lacks so many business features we had from Lastpass. It's like downgraded heavily.
Firewall only applies to website login into vault. If a user installs on Mobile or extension they are free to login to their vault from any IP. This is a huge, HUGE, oversight.
Prohibiting mobile installs for users. Lastpass has this and this allowed us to prohibit installs of the Lastpass app mobile phones
Groups. Admins and Users are lumped into one group and basically all rules apply to them. With Lastpass we could set up multiple groups and have multiple policies apply to each group. (ips, mobile policy, time out, etc) 1pass doesn't even offer a fraction of that
All in all, I feel completely foolish for switching to 1password. I think we did it in a moment of frustration with Lastpass breach but ultimately we should have stuck Lastpass.
Disappointed.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:Chrome firewall0 -
Hello @IcarusNYC,
I'm sorry to hear that you're disappointed in the features available in 1Password. I've merged both of your community posts together, but would be happy to discuss all of the issues you've raised, and to share your feedback with our team.
I have the firewall set to my office IP.
However, I'm travelling and I can literally log into my lastpass vault (chrome extension and mobile) from any IP. So basically, it's useless. It seems that the firewall only works to block logins from the website?The firewall feature in 1Password is often misunderstood. The impression many customers seem to have is that anyone not connecting from a permitted IP should be blocked from accessing their vaults, and as you've noticed, this isn't how the account firewall feature currently works. Before I get into the why, I'd like to clarify what the firewall does. The firewall rules only block connections to our servers, and doesn't impact the ability to use locally cached data in an offline state.
I find examples to help explain this:
- To join a 1Password account, sign in online, or recover account credentials, you must connect from a location that isn't blocked.
- To sign in to a 1Password app or browser extension for the first time, you must connect from a location that isn't blocked.
- If someone has already signed into the 1Password app or browser extension and they try to unlock it from a blocked location, 1Password will allow them access to any data already cached on their device. 1Password will the continue working in an offline state until they are in a location that isn't blocked and are able to reconnect. When they reconnect, any changes made while blocked or offline will sync with the rest of the account and their other devices.
You should also know that:
- The account firewall rules in 1Password business allow for rules that include specific IP addresses, CIDR ranges, and regions to be blocked, allowed, or reported.
- Rules are matched from top to bottom, and stop at the first matching rule. This sometimes means that a configuration could block (or allow) someone from connecting in cases where that isn't expected. To help confirm if this is or isn't happening, it would be best for us to discuss your firewall rules over email. Send a message to businesssupport@1password.com if you'd like to do that. Include a link to this post and your community name. Also reply back here with your ticket number when you get the automatic reply, so I can expedite your case.
As for why the 1Password account firewall works how it does:
Unlocking 1Password is handled locally by decrypting your vaults, and connections to our servers for synchronization purposes is a secondary matter. One main benefit to this approach is that 1Password can always be used offline, even if you are away from an internet connection, or if our servers are offline. It also means that the 1Password app isn't arbitrarily restricting access to data that is already on a device and could be manually decrypted by a savvy user.
For more information, you may find our How vault permissions are enforced in 1Password accounts support article to be interesting.
If a user installs on Mobile or extension they are free to login to their vault from any IP.
If there are specific vaults you wish to block from being accessed offline, 1Password does have the ability to restrict which apps can access specific vaults. Limiting access in this way may help to prevent offline access to the vault data. See our support article on creating and sharing vaults for 1Password teams and business: https://support.1password.com/create-share-vaults-teams/#manage-app-access
Prohibiting mobile installs for users. Lastpass has this and this allowed us to prohibit installs of the Lastpass app mobile phones
1Password doesn't currently offer a feature to block team members from installing or using the 1Password apps, though it can restrict which vaults can be used in any given app if you have 1Password business. Can you share more about how your team uses 1Password and why you'd like to block from using it on their mobile devices? I'd like to better understand your use case, so I can share this feature request with our team.
Groups. Admins and Users are lumped into one group and basically all rules apply to them. With Lastpass we could set up multiple groups and have multiple policies apply to each group. (ips, mobile policy, time out, etc) 1pass doesn't even offer a fraction of that
It is possible to Use custom groups in 1Password Business to control their access to a variety of settings, and the access level in any given vault. Are there any particular features which don't currently operate on a per-group basis that you'd like to see implemented? Let me know and I'd be glad to share this with the team.
All in all, I feel completely foolish for switching to 1password. I think we did it in a moment of frustration with Lastpass breach but ultimately we should have stuck Lastpass.
While I'm probably a bit biased, it's fair to say that you weren't the only one concerned about the recent news. I know it can be frustrating to learn new software, and to find that features you used to use aren't available, but I hope the trade off for strong and reliable encryption brings some value to your team. All of the data in a 1Password vault is encrypted, including (but not limited to) usernames and passwords, one time passwords, item titles, web addresses, notes, custom fields, and attachments. Our staff can't see this information, and if our servers were ever to be breached, the attackers wouldn't be able to see any vault data without the Secret Key and account password needed to decrypt an account.
We're always interested in hearing about feature requests, rough edges, and other aspects of 1Password you'd like to see improved, so please feel free to continue discussing this with me here on our community site, over email.
Have a wonderful weekend.
0 -
Thank you for your reply.
The firewall feature in 1Password is often misunderstood
If the firewall feature in 1Password is often misunderstood, it may be helpful to have it explained more thoroughly/clearly in that area. This way, users can fully understand its purpose and make the most of its capabilities. Clear and concise explanations can help ensure that the feature is used effectively and provides the intended benefits.
_ One main benefit to this approach is that 1Password can always be used offline,_
Lastpass has a feature to block offline access. 1password should follow based on what 1password is charging. This feature should be applicable on a per group basis. For example, I don't need my employees to have offline access but as a CEO, I appreciate it when travelling.Can you share more about how your team uses 1Password and why you'd like to block from using it on their mobile devices?
Regarding the blocking of installs of mobile password apps for employees. I understand that this feature may seem restrictive to some users, but I believe it is an important security measure for our company.
By preventing employees from installing password managers on their personal devices, we can better control the access to our sensitive information. It helps ensure that our company's passwords are not stored on unsecured devices that may be lost, stolen, or otherwise compromised. I appreciate your understanding in this matter, and I believe that this feature is an important aspect of our overall security strategycurrently operate on a per-group basis that you'd like to see implemented?
Ip restriction. Admins should not be restricted for IP. For example, a CEO travelling should not have to VPN each to get around the Ip restriction. But since your ip restriction ONLY applies to initial install (which should be mentioned clearly in your Firewall area), this point is moot. It's my opinion your firewall feature needs either a. proper explanation or b. an overhaulI plan to email your business support team to provide more detailed feedback, but I wanted to express my hope that 1Password will consider expanding its feature set to better match with LastPass and justify 1passwords cost.
0 -
Hello @IcarusNYC,
Thanks for sharing this with me. Since you've mentioned emailing into our support team, I'd be glad to continue the conversation there. When you send the message, you should get an automatic reply with your ticket number. Post it here so I can quickly locate your ticket and connect our two conversations.
Thank you,
0