Access control for Teams

Comments

  • DariusR
    Community Member

    I've come to agree with most of how this has been rationalized to date. It's the major reason I made the switch to Teams for myself and a few organizations.

    With that said, there are needs for Teams users that are not covered by what's in place:

    2 factor encryption doesn't solve for access control. 2 factor authentication does.

    In an organization you have to consider the following:
    A) Users can't be trusted to show effective operational security or due diligence
    B) Potential attack vectors could come from users within the organization
    C) An organization, partially as a result of the user base, needs to be able to restrict access

    Teams is missing some key functionality around access control. There are ways this could be solved though with or without 2FA.
    - IP table rules that allow an admin to restrict initial app login and new web-based login to trusted IPs, for instance. With this in place we could require an employee to be in our office or be given access to a corporate VPN. This means we can control for the device they're accessing the platform from.

    I feel there needs to be a more focused conversation on the unique needs of businesses with employees, where trust is implied but not implicit, around authentication and access control.

    I'm sure you guys have talked about this. Is there anything in the pipeline?

    Duo Security has been great, but it's been implied that this might not stay.

  • DariusR
    Community Member

    It might not seem like much, but simply having a restriction where logins are only accepted from a whitelist of IPs would solve for most of the concerns about rolling this out to the rest of our teams.

  • AGAlumB
    1Password Alumni

    @DariusR: Thanks for bringing this up! Since this pertains specifically to 1Password Teams and isn't limited to multifactor authentication, I think it makes sense to have this as a separate discussion in that category. I hope that's alright. :)

    You raise some really good points about different security measures that could be added. It was really important to us (and, frankly, to our customers) to start with a solid foundation of encryption-based instead of authentication-based security since we all want our data to be secure even if the encrypted database is stolen. So while right now Duo is a beta limited to 1Password Teams Pro accounts and is used for account access (rather than app authorization), that's similarly foundational to ensure that things like the admin console (where you can send invites, set permissions, or nuke your team) get those benefits without having to hamper day-to-day use.

    But you're right that for some taking it even farther is wanted, so while I can't divulge anything about unreleased stuff, this is indeed an area we're exploring. Nothing to announce at this time, but I suspect we will have more to share in the future. :sunglasses:

  • DariusR
    Community Member

    I know it's only been a few months, but is there anything you can divulge about the direction this may be heading?

    The extra $6/user/month with Duo Security to get IP restrictions is pretty rough, particularly since it only works with browser-based login.

    We're holding back most of the company on 1Password4+Dropbox since it is surprisingly still more ideal for us than chancing someone accessing the platform from outside of our offices or from a non-company device.

  • Hi @DariusR,

    We have a policy of not talking about roadmaps beyond what's in beta. I can understand that this could be frustrating, but the last thing I would want to do is to make you think that a certain feature is coming when it's still uncertain.

    Rick

This discussion has been closed.