Feedback regarding 1Password security features
This is a bit of a rant, but I will be as constructive as possible.
We have been using 1Password for almost two years since migrating from LastPass. There are a few things that bother me as the person responsible for the security of the company.
- Bad defaults and no way for admins to set them for the users.
Autolock after 10 minutes. What is the best way to ensure people use easy-to-type and remember passwords to unlock the 1Password browser extension? Yes, make them enter it as many times a day as possible.
After 1Password outages or some updates, some settings are reset to the bad defaults. Also, settings don't sync across the user devices.
What we get from this is that the 1Password browser extension is almost always locked. If people don't see the 1Password value, they type a commonly used password instead and don't bother with the password manager.
Feature request 1: Allow for admins to set default auto lock settings for all users in the company or control settings for each user individually.
Feature request 2: Sync user settings across the devices.
- Employee/Private vault.
This default vault to save items is costing us a lot of effort. The main problem is that, out of the box, we see no metrics on what is happening in those vaults. The suggested solution by a 1Password employee during the onboarding was to "ask people to send watchtower screenshots each week."
So, we took a different approach. We created vaults for each user and asked them to put their credentials there. But then come bad defaults and a lack of configuration options. If you set a different vault as the default vault to save items, it might reset back to "Employee/Private" at any time.
That rename from "Private" to "Employee" somehow went from bad to worse. It seems a more logical place to save the items. But from a security standpoint, we see nothing.
Feature request 3: Ability to disable Employee/Private vaults for the business account. Or make that vault accessible in the same way as any other vault created by admins.
- Watchtower report mess.
Let's say I see bad metrics in Watchtower reports in the user vault, so I ask the user to address the problems. The next day, I go to the reports, see the same metrics, and assume that nothing was fixed, right? Not necessarily! For Watchtower reports to refresh, the user has to log in once again after 24 hours. If you add problem No 1 on this list, this might not happen any time soon. If the user sets auto lock to never, this also might not happen. As a security person, I'm very active on 1Password, but in the business Watchtower report, my user vault is shown with the Zzz icon. I used that vault to save credentials for this community forum like 15 minutes ago. So, can I trust Watchtower reports? No.
Feature request 4: Watchtower reports should be updated at least several times a day.
- Vulnerable passwords.
There is no way to control what passwords should be considered weak/vulnerable. CompanyName123, CompanyName2024, and SiteName2024 are good passwords according to Watchtower and won't be seen in any reports. Probably commonly used English passwords are covered, but other languages are out of scope.
Feature request 5: Allows the management of company dictionaries or patterns for weak/vulnerable passwords.
I wrote those questions to the account CSM a few months ago, but the answers I got were all about the same thing: this is done for security reasons, end-to-end encryption, zero knowledge, etc. But it feels like AgileBits is more interested in its own security, not ours, who pay the bills.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
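As an added illustration of what feature request 5 is asking for, here is a small company-dictionary check of the kind an admin could run over an exported password list. This is example code written for this page, not 1Password or Watchtower code; the company terms, the substitution table and the sample items are constructed for the demonstration. It flags a password when, after the company or product name is cut out, almost nothing else is left, and it also flags the generic "one word plus a year" pattern.

```python
import re

# Hypothetical company dictionary an admin would maintain (constructed sample,
# not a 1Password feature): names employees are likely to reuse in passwords.
COMPANY_TERMS = ["CompanyName", "SiteName"]

# Common substitutions, so "C0mp4nyN4me" is matched as "companyname".
# str.translate keeps the string length, so an index into the normalized
# string is also a valid index into the original password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# A single word, optional separator, then a 19xx/20xx year (e.g. Summer2024).
WORD_YEAR = re.compile(r"[A-Za-z]+[\W_]*(19|20)\d\d[\W_]*")


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.translate(LEET).lower()


def classify(password: str, terms=COMPANY_TERMS):
    """Return (is_weak, reason); reason is None when no rule fires."""
    norm = normalize(password)
    for term in terms:
        t = normalize(term)
        i = norm.find(t)
        if i < 0:
            continue
        # Whatever is left once the company term is cut out of the original.
        rest = password[:i] + password[i + len(t):]
        letters = sum(c.isalpha() for c in rest)
        if letters == 0:
            return True, f"'{term}' padded only with digits/symbols"
        if letters < 4:
            return True, f"'{term}' plus too little else ({rest!r})"
    if WORD_YEAR.fullmatch(password):
        return True, "single word followed by a year"
    return False, None


def scan(items, terms=COMPANY_TERMS):
    """Run classify() over (title, password) pairs; return the flagged ones."""
    report = []
    for title, password in items:
        weak, reason = classify(password, terms)
        if weak:
            report.append((title, reason))
    return report


# Constructed sample export, not real credentials.
SAMPLE_ITEMS = [
    ("ERP", "CompanyName123"),
    ("CRM", "CompanyName2024"),
    ("Wiki", "SiteName2024"),
    ("VPN", "C0mp4nyN4me!2024"),
    ("HR portal", "Summer2024"),
    ("Backup", "correct horse battery staple"),
]

if __name__ == "__main__":
    for title, reason in scan(SAMPLE_ITEMS):
        print(f"{title}: {reason}")
```

The check is deliberately dictionary-driven: adding a term to COMPANY_TERMS (a product name, a site name, a word in another language) is all it takes to start catching that family of passwords, which is exactly the control the post says is missing from Watchtower.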
Comments
-
Business functionality has a junior feel; it will take time to develop in a balanced fashion. However, as 1Password Business was introduced in 2018, you'd hope we'd be a little further by now.
Admin Defined Auto-Lock Settings, +1; honestly, I asked for this years ago.
Sync User Settings, +1, makes sense.
Employee Vault Access for Administrators/Owners, little squirm. Technology shouldn't tie your hands in business; gaining visibility to passwords can make the difference between a business being operational or not. Other considerations include E2E, Secret Keys, User Education regarding Vault Saving, Password Security, etc. Some of these workings are fundamental to the security design of 1Password, and I don't think we'll see any backdoor access for a whole host of "good" reasons.
With the above in mind, I believe it's more feasible to introduce controls to disable Private/Employee vaults and, maybe, redirect them to a "Personal ("Shared") Private/Employee Vault", perhaps with more limited ACLs (i.e. Owners, and at their discretion Administrators).
As an Owner/Administrator, you always have the option to recover an Employee and impersonate them, but this is a massive chore.
In the latter part, I think Business Engagement just needs to improve a bit to understand what is working/not working/limiting; I've had numerous AMs/CSMs over the years, all of them want to engage and then they're replaced 6-9 months later, it makes maintaining relationships rather difficult.
1 -
+1 agree with Xio here. 1P Business feels a little half-baked. Enforcing autolock and syncing settings are the bare minimum of what would be expected. Disabling private vaults for biz accounts is a no-brainer as well. Custom dictionaries for watchtower reports along with a reliable mechanism for running them that doesn't require the user to login again are also great ideas.
0 -
The admin tools are lacking, and 1PB as a business product as a whole seems pretty thin. There are other (closed) threads on many of these, but some of them still jump out at me. Let me know if I'm misunderstanding any of them, but here we go:
- No policy to enforce autolock. Come on. Suggesting MDM to manage your own client settings is borderline insane, and doesn't even support Windows (a popular desktop OS).
- No native ability to restrict adding 1P to new devices. Deploying Yubikey or Kolide is a big deal for a small shop. Just add the ability for admins to approve new devices before they can be used.
- No ability to physically separate TOTP codes from credentials. See: https://1password.community/discussion/137475/vault-app-access-should-include-plugin-as-an-option
- No ability to disable identity autofill on specific URLs. ERP/CRM and other LOB apps look like ecommerce sites to 1P; it keeps on trying to autofill address and payment info. We still want to fill logins, just not identity info.
- No "online only" permission for specific vaults. This would help with session theft and other security problems; it could be set for end-users who don't need offline access to corporate shared items. Perpetual travel mode might be a workaround here, but then you lose access to the real travel mode feature.
(There is a lot to like about 1P Business (SCIM bridge works well to address 1P's access challenges, SSO works natively with common IdPs, SIEM integrations (almost) make up for the limited reporting tool), but the above issues seem in many ways easier to address, so their absence is all the more conspicuous.)