Is it possible to disable 1Password login on the personal device?

riyazstormx
Community Member
edited January 2023 in Business and Teams

Is it possible to disable 1Password login on the personal device?
Can we restrict 1Password login to only one device?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: macOS 13.1
Browser: chrome

Comments

  • Hi there @riyazstormx

    Can you tell me a bit more about the motivation behind this? If you're the only person who knows your account password (which is how it should be), then you can choose not to sign in to other devices. No one else can sign in to other devices anyway because they don't know your sign-in details.

    Let me know what you're looking for here and I'll be able to help.

    — Grey

  • riyazstormx
    Community Member

    Hi @GreyM1P
    Here we are using 1Password shared vaults to store secrets & credentials for our team. In our company, devices are fully monitored by our security team so no one can compromise our secrets or credentials, but if they can log in from their own personal devices, maybe they can copy & paste because those devices are not monitored. We cannot track them, so it is not safe.

  • @riyazstormx

    In this context, there's no way to limit what 1Password accounts can be added to a 1Password app. If you're concerned that an employee might steal company secrets through their own 1Password accounts, that's more of a policy concern and a bit outside our scope as a result.

    Our recommendation is to strictly limit access to any shared vaults to those who absolutely need them, and to provide individual logins for a service to each employee if possible.

  • Lars
    1Password Alumni

    @riyazstormx - I wanted to follow up on what my colleague @GreyM1P wrote above with another suggestion (and maybe a question). If what you are trying to prevent is employees being able to sign into your company 1Password account from personal devices, there are indeed some steps you can take.

    The first one I want to show you is Firewall Rules. Those are quite powerful (indeed, take care or you can create a situation where some people cannot sign in at all). There, you could restrict sign-ins to only certain IP addresses (that you control) and no others. This would have the effect that people traveling might be prevented from signing in on new devices from hotel or conference wi-fi, but that wouldn't affect their ability to access the 1Password data they already have on their device, only changes/syncing.

    However, I do want to remind you of the unavoidable fact that neither we nor anyone else to date have figured out a way to allow you to both share and not-share a secret with someone else simultaneously, if you take my meaning. It may well be that taking the steps I outlined with Firewall Rules is a reasonable precaution for your situation. But if what you're worried about is malicious actors copy/pasting credentials or other secrets from your company 1Password account, no amount of firewall rules will prevent such an intentional bad actor from simply revealing the passwords to various assets and writing them down on a piece of paper. I don't know your threat model, and for that and other reasons it's not my place to tell you what you should do, but I'd be remiss if I left you with the impression that any of this would be a guarantee of protection against a truly malicious insider threat. The bottom line is that best practices are to rotate the credentials of any account member who either leaves the organization or of whom you suspect potential malice. That's the only way to be certain credentials - especially shared ones - are not used maliciously.

    Hope that helps!
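
Added example, not part of the original thread and not 1Password code: the comment above warns that an overly strict rule can leave some people unable to sign in, so this sketch replays a sign-in history against a proposed IP allow-list before it is enforced. The CIDR ranges, record field names and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: proposed allow-list of company-controlled egress ranges
# (documentation address space, constructed for this example).
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:100::/48"]

# Constructed sign-in history. The field names are hypothetical; map them to
# whatever your own sign-in report or export contains.
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.17"},
    {"user": "alice@example.com", "ip": "198.51.100.9"},
    {"user": "bob@example.com", "ip": "2001:db8:100:1::5"},
    {"user": "carol@example.com", "ip": "192.0.2.44"},
    {"user": "carol@example.com", "ip": "not-an-ip"},
]

def is_allowed(ip_text, networks):
    """True if ip_text parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address: treat as outside
    # Compare IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) as plain IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == n.version and addr in n for n in networks)

def dry_run(signins, cidrs):
    """Return {user: (status, [addresses that the rule would block])}."""
    networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    inside, outside = defaultdict(int), defaultdict(list)
    for rec in signins:
        if is_allowed(rec["ip"], networks):
            inside[rec["user"]] += 1
        else:
            outside[rec["user"]].append(rec["ip"])
    report = {}
    for user in sorted(set(inside) | set(outside)):
        if user not in outside:
            status = "unaffected"
        elif inside.get(user, 0) == 0:
            status = "locked_out"  # every observed sign-in would be refused
        else:
            status = "partially_blocked"  # some locations would stop working
        report[user] = (status, outside.get(user, []))
    return report

if __name__ == "__main__":
    for user, (status, blocked) in dry_run(SIGNINS, ALLOWED_CIDRS).items():
        print(f"{user:20} {status:18} {blocked}")
```

Users reported as `locked_out` are the ones to contact, or whose ranges to add, before the rule goes live.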

  • riyazstormx
    Community Member

    @Lars @GreyM1P Great support. OK, I will look into the Firewall Rules.
    Thanks

  • @riyazstormx

    You're very welcome. If you ever need anything from us at 1Password Support, please do contact us. We'll be here to help. :)

  • rob29384059
    Community Member

    I think the use case is to help protect against compromised endpoints. 1P running on a managed work laptop can be expected to be safer than, say, 1P running on a shared home computer. You can have a written policy preventing employees from installing 1P on an unmanaged device, but you could also require admin approval to authorize new devices.

  • Hi @rob29384059,

    Thanks for sharing your use case for this feature with us. While I can't promise if, or when, it may be implemented, I appreciate you contributing to 1Password's evolution.

    Thank you,

  • Maverick0984
    Community Member
    edited March 2023

    In light of yet another LastPass security breach, and as a corporate customer of 1Password, I feel this should be something implemented in the solution.

    Addition of vaults should be approved by the Admin and it should be fairly straightforward to be honest.

    Policy alone is not sufficient as there is no ability to police it or have any knowledge of where it is installed. Terminating an individual for violating policy after the company is compromised because their personal PC was compromised doesn't solve the problem. As the decision maker on this at my company, we might be forced to go to a different solution that our IT department can enforce controls on.

  • Hello @Maverick0984

    Thanks for sharing this with us. I'd like to highlight your comments to our product team, but that can work better if I've emailed with you first. Can you send an email to businesssupport@1password.com from the email address you used to set up your 1Password account? Include a link to this post and your forum username so I can get everything together.

    Thank you and have a great weekend!

This discussion has been closed.