Any way to restrict by IP Address?
We used to use OneLogin for our password management, because it offered us the ability to restrict by IP address for certain groups or persons. Does 1password for teams also offer this? I couldn't find it anywhere on the site or literature.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@jhargrove: No. It isn't possible to restrict by IP address with 1Password.com. It's something we can consider, but IP addresses can also be spoofed. And since most people's IP addresses change over time anyway, it would only be possible for very few people to use a feature like that. And regardless of IP address, the Master Password and Secret Key are needed both for authentication and to decrypt the data locally. 1Password's security is built on encryption rather than security measures which could be bypassed. However, 1Password Teams Pro accounts have a beta Duo authentication feature, which can require a second factor when connecting from new locations. And it's something we may expand in the future as well. Thanks for bringing this up!
0 -
That's what I thought, thank you for the clarification!
0 -
On behalf of brenty you are most welcome. :)
Ben
0 -
Hello! I would also be interested in ip restriction. I think it should be technically possible across both desktop and web and just because ips can be spoofed isn't a reason to not do it. In the enterprise, ip restrictions are commonplace. I see this as being implemented such that 1Password only unlocks if the password matches AND the ip matches. Therefore, to bypass the enterprise restrictions it has to be someone who was previously authorized and intentionally wants to skirt the restriction. However, it does satisfy the use case of preventing an unwitting employee (who isn't motivated or knowledgeable enough to spoof their ip) from taking their laptop home against company policy and trying to access company resources in an insecure environment. To me, that's a win.
0 -
However, it does satisfy the use case of preventing an unwitting employee (who isn't motivated or knowledgeable enough to spoof their ip) from taking their laptop home against company policy and trying to access company resources in an insecure environment.
But it doesn't. ;)
If the company's resources are accessible externally then that's a conscious business decision which 1Password can't help with.
Many companies prohibit direct external access unless via an organisational VPN - this is considerably more secure. And, if a company doesn't wan't an employee accessing the resources externally then they don't give them VPN access (or limit the access).
In your (no-VPN) scenario all an employee would need to do is copy/remember the password and they'll get in.
0 -
@aktive0 - it's an interesting idea, and one we've kicked around, but ultimately we've chosen not to pursue at the present time for largely the reasons @gazu mentions -- if your company chooses to make resources externally available, that's something it's just not appropriate for us to try to help prevent (especially when whoever is making the decisions at your company about such things (CIO? CTO? CISO?) has explicitly allowed those resources to be available externally.
0 -
Thanks for the responses. Here's our reality. We are a small business trying to grow and have security like a big Enterprise. We use SSO where we can and use 1password for the rest. A lot of our third party saas/web services either don't have an on-prem/ip/vpn restriction or are not cost effective for us to pay for that tier of service.
I found out recently that some team members had installed 1password on their home devices which are not secured by company policies. This has now increased our risk profile and could have been mitigated by a control via 1pass. Thoughts?
0 -
I would recommend reaching out to our business sales team at
business@1password.com
with this use case and feedback. BYOD is becoming increasingly popular in business environments, but there may be cases where it isn't appropriate. Our business sales team would be in the best position to advocate internally for any sort of change in this regard. :)Thanks.
Ben
0 -
We are a small business trying to grow and have security like a big Enterprise.
To have enterprise-grade security you need VPN-controlled access.
It's cheap and highly effective.
I found out recently that some team members had installed 1password on their home devices
The weakest point of security in any business is your staff. If you can't trust insiders then it's game over. :(
Effective HR policies (disciplining those who break them) and regular audits of access logs (plus pro-active suspicious activity alerts) is the way forward.
You earlier said "it does satisfy the use case of preventing an unwitting employee (who isn't motivated or knowledgeable enough to spoof their ip)" but the fact they've installed 1Password suggests your company doesn't get the basic stuff right - i.e. warning staff not to access company resources from home.
If you had a policy in place forbidding home access and some employees have deliberately broken it, this is very serious.
If you're changing the argument to 'but I want a basic technological barrier' (because IPs can be spoofed) then 1Password can't help you. If they know how to install a password manager on their home computer then they'll copy their credentials to a 'password file' outside of your control - arguably much more dangerous. Again, this can be resolved by HR policies and regular audits.
This has now increased our risk profile and could have been mitigated by a control via 1pass.
I beg to differ.
If your employees are motivated enough to install 1Password on their home computers then they want access to company data at home.
If your business wants enterprise-grade security they're going to have to pay for it. I'm not being glib here - if 1Password were to introduce this feature it would give you (and others) a false sense of security.
0 -
@Ben - Thanks, will do. We'd love BYOD, but it complicates our compliance posture.
@gazu:To have enterprise-grade security you need VPN-controlled access.
We have a VPN and SSO, but not all things can be feasibly restricted with those as previously mentioned.
The weakest point of security in any business is your staff. If you can't trust insiders then it's game over. :(
If you're changing the argument to 'but I want a basic technological barrier' (because IPs can be spoofed) then 1Password can't help you. If they know how to install a password manager on their home computer then they'll copy their credentials to a 'password file' outside of your control - arguably much more dangerous. Again, this can be resolved by HR policies and regular audits.There is a difference between trust and people not knowing, or forgetting and making honest mistakes. Sure, we can do better to communicate but yes, I want a basic technological barrier that reinforces the policy. "Hey IT, why can't I access 1password at home?" - "Because that's against company policy, don't do that - and don't do work at home. Spend time with loved ones instead.". "Oh, I forgot, and will do, thanks!". Pretty basic.
Re: audit logs
Does 1password provide audit logs with ip address? If so, perhaps I can write an integration (Does 1password have an API?) to monitor this and alert me if there is access by an unknown ip and this would be a great stop gap! I see activity logs and individual usage reports, neither of which have ip address.
0 -
We do have logs but what level of details is available depends on the plan you're on. The business sales team should be able to assist with that as well. :)
Ben
0 -
Sounds good! :) :+1:
0