Read first: Previous version support information

Ability to add users with different permissions

MettleCS
MettleCS
Community Member
in 1Password 4 for Windows

Hi, does 1Password have the ability or consider adding this functionality:

  • Ability to add users to a Vault that can have different permissions than logging in with the Master Password? Specifically thinking of the ability to share Vault with team of other users; but users don't need the ability to view passwords. 1Pass would fill in web forms etc with the password, a random new password can be set and updated in the shared vault if needed for a website, but the user level access never needs to know the actual passwords. When a user no longer needs access their login can be disabled to the shared Vault. They'd still have access to their offline copies / backups I guess, but there would be less impact as they would not know the passwords or the master password. Premium functionality could be added to allow 1Pass to check users with a central (self-hosted) repository of still permitted users, and access to the Vault could be disabled if it could not check the user against this repository. (Or require 2FA)

  • Related to this; user access could be logged, including what sites they were logged into. This could be used with WatchTower like functionality to know what sites passwords should be re-set when that user is not longer with the team.

  • Abiltity to use 2 Factor authentication to log into a Vault?

Thanks, Marco.

Comments

  • MikeT
    MikeT

    Hi @MettleCS,

    1Password isn't a groupware product, it doesn't have that ability to let you control users like this. If it is something we're considering for the future, possibly but we don't release details about our future plans.

    As it is now, 1Password is a standalone product for individual users that have access to vaults based on knowing the password for the vault.

    Ability to add users to a Vault that can have different permissions than logging in with the Master Password?

    You can only control access to vaults through the master password. To separate users, you would need to create separate departmental vaults and share the vault password with them.

    1Pass would fill in web forms etc with the password, a random new password can be set and updated in the shared vault if needed for a website, but the user level access never needs to know the actual passwords.

    That is virtually not possible with any password manager, website has to retrieve username/password in clear text, they can't get encrypted data from any password managers unless there's a deeper integration between the website and the password manager.

    Even if we release a groupware version of 1Password, that won't stop anyone from knowing the username/password through different methods.

    You cannot hide the password data between the website and the password manager, that's just not possible. Even if we conceal the password, that won't stop the browser from revealing the passwords.

    Please understand this because if you depend on this core feature as part of securing your company's data, you will be disappointed. You must keep in mind that this is not possible on a technical level without a massive change to all websites to support your password manager.

    When a user no longer needs access their login can be disabled to the shared Vault.

    Once you disable the access by changing the master password, that will only protect you from new data, it will not prevent the user from having access to prior data. Keep this in mind for your company's security policy.

    Related to this; user access could be logged, including what sites they were logged into. This could be used with WatchTower like functionality to know what sites passwords should be re-set when that user is not longer with the team.

    That's an interesting idea, we'll keep that in mind for the future. However, if you consider everything else that was just discussed, you would be better off changing all the data in the vault the user has access to, not just the selective data they've used.

    Abiltity to use 2 Factor authentication to log into a Vault?

    At the moment, it is not possible with 1Password but might in the future. On its own as a local product, 2FA is not as vital for 1Password as it is for websites but for a groupware version, that would be more important.

This discussion has been closed.