Turn off browser viewing for teams
Hi there.
We are interested in using 1Password for teams. Now it might is a nice thing to have to watch/create/edit passwords in the browser but we are scared about this feature. Any way to turn that team-browser feature off?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb:private-by-design, kb-search:team browser, kb:teams-admin-getting-started, kb:code-signature, kb-search:browser
Comments
-
Hi @mbiert,
Thanks so much for considering 1Password Teams for keeping your team secure and organized!
I’m not entirely sure I understand your concern here, could you tell me a little bit more about where your worry is coming in? Do you want to disable the ability for users to view the 1Password Teams data in a browser, or disable the ability to use the browser extension?
1Password Teams already has some awesome permission controls so that you can determine which users can create items, which users can see details, and which users can only fill items (without the ability to see what those passwords are). These permissions will apply whether you are using the web interface or the 1Password apps. You can learn more about this in our support pages:
0 -
Hello @Megan
Thank you for your reply.I'm looking for the ability to disable for all users to view the 1Password (Teams) DATA in a browser. We do like the Web Interface Admin Console. But we don't want any Vaults Data (Passwords, Usernames, Domains etc.) to be available/visible if using a browser.
0 -
Hi @mbiert,
At this time, that feature is not available, I would be happy to pass your request along to our developers.
Have you read the White Paper that described 1Password Teams’ security? The information there might help to reassure you that viewing the information in a browser is secure. :)
0 -
Can agile bits assure that 1password is 100% secure?
No.
And don't believe any company that tells you otherwise.
There is no such thing as "100% secure." But if you've read our white paper you know that we take the security of your 1Password data extremely seriously. So seriously that even we do not have access to it, ever. The only way to decrypt it is with the Master Password of a user who has access to it. We back that up with the Account Key, which is also needed to decrypt the data (but generally only needs to be entered once per device). The weakest link is users choosing either a weak Master Password, or a Master Password which they also use as a password elsewhere. In order for 1Password to be most secure users must pick strong and unique Master Passwords.
I hope that helps!
Ben
0 -
Hi @bwoodruff thank you for your answer! I know that you take it seriously. That and because of how 1password works and the all the open documents we can look at is the reason why we use 1password. We just have our doubts about the browser feature :(
0 -
Thanks for the feedback. Is there something specific about the web interface that is causing doubts, or is it just the concept of a web-based client vs the native ones?
If there are specific concerns about the implementation we'd like to try and address them, if possible.
Ben
0 -
It's just the concept of web-based client vs the native one. Can you say that the web-based client is same secure as the native app?
0 -
@mbiert We actually took measures to make sure it has more security, since things are being stored on a server. You can learn about them at a skimming level on our security page. If you would like to dive deeper, we spent quite a bit of time writing How 1Password protects your data when you use a sync service, and it has lots of resources as well as additional references to our security White Paper. I hope these help answer your questions, from basic to advanced. :) If you have any others, just let us know.
0 -
@penderworth thank you for your reply. Can you please answer the part:
Can you say that the web-based client is same secure as the native app?
with Yes or No.
While reading your answer above it should be a Yes added with a even more secure.. is that right?
Thank you
0 -
@penderworth I see, forcing the yes puts things into the wrong direction. (Now I should only use the browser cause it is more secure..) While reading some of the documents the WebCrypto API still seems to be in development. That ain't the concern though. To go further into the advanced knowledge I should quit my job and then maybe one day I could find something like the ssh use roaming bug that can leak crypto keys. So what I'm trying to say is: As I pointed above, I believe you guys make a fantastic job! The concern though is, we have no guarantee for security. Showing the data in a web browser is one more way where security could fail!? Please let me know when it will be possible to turn that feature off. Thank you.
0 -
Hi @mbiert,
As we’ve mentioned above, we can certainly pass your request along to our team, but it isn’t possible at this time to say if and when such a feature would be implemented.
I’ve asked our security team to pop in here and share their thoughts. It’s clear that you have some concerns and we want to be sure that you feel confident using 1Password, both in the apps and on the web.
0 -
Thank you @mbiert. That is an excellent suggestion!
As noted in the white paper there are security risks to using the 1Password web-app that aren't present when using a native client. And as you also correctly note, the admin console is what the web-client offers that isn't in the available in the native client. Assuming that the Team administrators are going to use a browser more safely than some of the ordinary team members, it makes perfect sense to want to limit the use of the web-client to team managers only.
I can't promise when (or even if) we will implement your feature request. But I will file it internally right now.
ref: B5-1630
0