Does 1Password for Teams allow request/checkout of passwords, with logging and/or expiration?
Evaluating a couple of password vault type applications. One of the things on the requirements list is a way to grant temporary or logged access to credentials. So, someone could in principle have access to a given data item, but has to request it in a way that produces a log entry showing they obtained that password at that time. I didn't see any mention of such a feature. Does it exist, or is it likely to?
I'm aware that it's very hard to generically prevent users from caching such stuff locally if they really want to, but it's still nice to have the theoretical paper trail.
(One of the neat-looking features I saw one product list was password requests with automated password changes following a user confirming that they were done using the password, which only works with things they have a password-change plugin for, but it's still neat.)
Comments
-
Hi @seebs! Great question. 1Password Teams does have an Activity Log, which keeps track of many events that happen in the team. Accessing an item is not one of those events. We've gotten some requests for it before, and there are a few challenges to implementing it. Mainly offline access, which is something you mentioned. People could access the data offline and if they do, that wouldn't be logged until they go back online, which is how item creation is logged at the moment. You're looking for an audit log showing whenever someone accesses any passwords, right?
> (One of the neat-looking features I saw one product list was password requests with automated password changes following a user confirming that they were done using the password, which only works with things they have a password-change plugin for, but it's still neat.)
That's certainly interesting. What's the goal of it? One-time access to the account? I'm trying to understand when this would be useful for folks. :)
0 -
I think the usual use case is controlled/logged access. Often this is coupled with a checkout mechanism, where you have to indicate that you want a given credential, and then while you have it, no one else can get it (without an admin override of some kind). So you have a guarantee that, if access occurs while Bob has the resource checked out, Bob's the one who did the access.
So instead of "Bob has access, therefore Bob can look at the password at any time", it's "Bob has permission to obtain access temporarily, Bob had access starting at 9:41 AM CDT and kept it for 25 minutes, then returned access. During that window, no one else had access."
And yeah, this would definitely not be a thing you could use offline. But for a lot of credentials, it's impossible to use them without working net access anyway...
0
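The checkout model described in the last comment (exclusive lease, forced expiry, admin override, and a log that can answer "who held this credential at time T"), sketched as an added example that is not part of the thread and not 1Password's or any other product's code. `CheckoutLedger`, its method names, the 30-minute lease and the `db-root` item are assumptions made for illustration.

```python
# Added illustration; CheckoutLedger and its methods are hypothetical names,
# not part of 1Password or any other product. Times are seconds since midnight.
from dataclasses import dataclass, field

@dataclass
class CheckoutLedger:
    max_seconds: int = 1800                      # lease length before forced expiry
    leases: dict = field(default_factory=dict)   # item -> (user, start)
    log: list = field(default_factory=list)      # (time, event, item, user)

    def _expire(self, item, now):
        lease = self.leases.get(item)
        if lease and now >= lease[1] + self.max_seconds:
            del self.leases[item]
            self.log.append((lease[1] + self.max_seconds, "expired", item, lease[0]))

    def checkout(self, item, user, now, admin_override=False):
        self._expire(item, now)
        holder = self.leases.get(item)
        if holder and not admin_override:
            self.log.append((now, "denied", item, user))   # refusals are logged too
            return False
        if holder:
            self.log.append((now, "revoked", item, holder[0]))
        self.leases[item] = (user, now)
        self.log.append((now, "checkout", item, user))
        return True

    def checkin(self, item, user, now):
        self._expire(item, now)
        if self.leases.get(item, (None,))[0] != user:
            return False
        del self.leases[item]
        self.log.append((now, "checkin", item, user))
        return True

    def holder_at(self, item, when):   # replay the log: who held `item` at `when`?
        held = None
        for ts, event, it, user in sorted(self.log, key=lambda e: e[0]):
            if it != item or ts > when or event == "denied":
                continue
            held = (user, ts) if event == "checkout" else None
        return held[0] if held and when < held[1] + self.max_seconds else None

if __name__ == "__main__":
    ledger = CheckoutLedger()                    # constructed sample timeline
    ledger.checkout("db-root", "bob", 34860)     # 9:41
    print(ledger.checkout("db-root", "alice", 35400), ledger.holder_at("db-root", 35400))
    ledger.checkin("db-root", "bob", 36360)      # 25 minutes later
```

The ledger only attributes access if the credential is released solely through it; a holder who copied the password during the lease can still use it afterwards, which is why some products pair check-in with an automatic password change.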