Can someone explain the firewall feature as it doesn't work as I think it should?

IcarusNYC
Community Member
edited February 2023 in Business and Teams

I'm really disappointed in 1pass features overall (coming from Lastpass there were so many better options).
I have the firewall set to my office IP.
However, I'm travelling and I can literally log into my lastpass vault (chrome extension and mobile) from any IP. So basically, it's useless. It seems that the firewall only works to block logins from the website? That's utterly useless.

Can someone please clarify this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • IcarusNYC
    Community Member
    edited February 2023

    Lastpass refugee here and regretting making the switch. 1pass is not only more expensive but lacks so many business features we had from Lastpass. It's like downgraded heavily.

    1. Firewall only applies to website login into vault. If a user installs on Mobile or extension they are free to login to their vault from any IP. This is a huge, HUGE, oversight.

    2. Prohibiting mobile installs for users. Lastpass has this, and it allowed us to prohibit installs of the Lastpass app on mobile phones.

    3. Groups. Admins and Users are lumped into one group and basically all rules apply to them. With Lastpass we could set up multiple groups and have multiple policies apply to each group. (ips, mobile policy, time out, etc) 1pass doesn't even offer a fraction of that

    All in all, I feel completely foolish for switching to 1password. I think we did it in a moment of frustration with the Lastpass breach, but ultimately we should have stuck with Lastpass.

    Disappointed.


  • Hello @IcarusNYC,

    I'm sorry to hear that you're disappointed in the features available in 1Password. I've merged both of your community posts together, but would be happy to discuss all of the issues you've raised, and to share your feedback with our team.

    I have the firewall set to my office IP.
    However, I'm travelling and I can literally log into my lastpass vault (chrome extension and mobile) from any IP. So basically, it's useless. It seems that the firewall only works to block logins from the website?

    The firewall feature in 1Password is often misunderstood. The impression many customers seem to have is that anyone not connecting from a permitted IP should be blocked from accessing their vaults, and as you've noticed, this isn't how the account firewall feature currently works. Before I get into the why, I'd like to clarify what the firewall does. The firewall rules only block connections to our servers, and doesn't impact the ability to use locally cached data in an offline state.

    I find examples help to explain this:

    • To join a 1Password account, sign in online, or recover account credentials, you must connect from a location that isn't blocked.
    • To sign in to a 1Password app or browser extension for the first time, you must connect from a location that isn't blocked.
    • If someone has already signed into the 1Password app or browser extension and they try to unlock it from a blocked location, 1Password will allow them access to any data already cached on their device. 1Password will then continue working in an offline state until they are in a location that isn't blocked and are able to reconnect. When they reconnect, any changes made while blocked or offline will sync with the rest of the account and their other devices.

    You should also know that:

    • The account firewall rules in 1Password business allow for rules that include specific IP addresses, CIDR ranges, and regions to be blocked, allowed, or reported.
    • Rules are matched from top to bottom, and stop at the first matching rule. This sometimes means that a configuration could block (or allow) someone from connecting in cases where that isn't expected. To help confirm if this is or isn't happening, it would be best for us to discuss your firewall rules over email. Send a message to businesssupport@1password.com if you'd like to do that. Include a link to this post and your community name. Also reply back here with your ticket number when you get the automatic reply, so I can expedite your case.

    As for why the 1Password account firewall works how it does:

    Unlocking 1Password is handled locally by decrypting your vaults, and connections to our servers for synchronization purposes are a secondary matter. One main benefit to this approach is that 1Password can always be used offline, even if you are away from an internet connection, or if our servers are offline. It also means that the 1Password app isn't arbitrarily restricting access to data that is already on a device and could be manually decrypted by a savvy user.

    For more information, you may find our How vault permissions are enforced in 1Password accounts support article to be interesting.

    If a user installs on Mobile or extension they are free to login to their vault from any IP.

    If there are specific vaults you wish to block from being accessed offline, 1Password does have the ability to restrict which apps can access specific vaults. Limiting access in this way may help to prevent offline access to the vault data. See our support article on creating and sharing vaults for 1Password teams and business: https://support.1password.com/create-share-vaults-teams/#manage-app-access

    Prohibiting mobile installs for users. Lastpass has this and this allowed us to prohibit installs of the Lastpass app mobile phones

    1Password doesn't currently offer a feature to block team members from installing or using the 1Password apps, though it can restrict which vaults can be used in any given app if you have 1Password business. Can you share more about how your team uses 1Password and why you'd like to block from using it on their mobile devices? I'd like to better understand your use case, so I can share this feature request with our team.

    Groups. Admins and Users are lumped into one group and basically all rules apply to them. With Lastpass we could set up multiple groups and have multiple policies apply to each group. (ips, mobile policy, time out, etc) 1pass doesn't even offer a fraction of that

    It is possible to Use custom groups in 1Password Business to control their access to a variety of settings, and the access level in any given vault. Are there any particular features which don't currently operate on a per-group basis that you'd like to see implemented? Let me know and I'd be glad to share this with the team.

    All in all, I feel completely foolish for switching to 1password. I think we did it in a moment of frustration with Lastpass breach but ultimately we should have stuck Lastpass.

    While I'm probably a bit biased, it's fair to say that you weren't the only one concerned about the recent news. I know it can be frustrating to learn new software, and to find that features you used to use aren't available, but I hope the trade off for strong and reliable encryption brings some value to your team. All of the data in a 1Password vault is encrypted, including (but not limited to) usernames and passwords, one time passwords, item titles, web addresses, notes, custom fields, and attachments. Our staff can't see this information, and if our servers were ever to be breached, the attackers wouldn't be able to see any vault data without the Secret Key and account password needed to decrypt an account.

    We're always interested in hearing about feature requests, rough edges, and other aspects of 1Password you'd like to see improved, so please feel free to continue discussing this with me here on our community site or over email.

    Have a wonderful weekend.
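As an added illustration (not 1Password's code) of the top-to-bottom, first-match rule evaluation the reply describes, and of how rule order can block or allow someone unexpectedly; the region lookup, rule format and addresses (documentation ranges) are constructed assumptions:

```python
"""First-match evaluation of an account-firewall rule list (added
illustration, not 1Password's code). Rules hold an IP, a CIDR range or a
region, carry an action (block / allow / report), and the first hit wins."""
from ipaddress import ip_address, ip_network

# Constructed region lookup (assumption): stands in for a real geolocation source.
REGION_OF = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "DE",
}

def region_for(ip):
    addr = ip_address(ip)
    for net, code in REGION_OF.items():
        if addr in net:
            return code
    return None

def rule_matches(rule, ip):
    """A rule is (kind, value, action); kind is 'ip', 'cidr' or 'region'."""
    kind, value, _ = rule
    addr = ip_address(ip)
    if kind == "ip":
        return addr == ip_address(value)
    if kind == "cidr":
        return addr in ip_network(value)
    if kind == "region":
        return region_for(ip) == value
    raise ValueError(f"unknown rule kind {kind!r}")

def evaluate(rules, ip, default="allow"):
    """Return (action, index of the matching rule or None): first match wins."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, ip):
            return rule[2], i
    return default, None

# Intended policy: only the office address may connect; block everything else.
OFFICE = "203.0.113.10"
TIGHT = [("ip", OFFICE, "allow"), ("cidr", "0.0.0.0/0", "block")]

# Misordered: a broad "allow US" rule sits above a single-IP block, so the
# block rule can never fire for 203.0.113.77 (it is matched by the US rule first).
MISORDERED = [("region", "US", "allow"), ("ip", "203.0.113.77", "block")]

if __name__ == "__main__":
    print(evaluate(TIGHT, OFFICE))               # ('allow', 0)
    print(evaluate(TIGHT, "198.51.100.9"))       # ('block', 1)
    print(evaluate(MISORDERED, "203.0.113.77"))  # ('allow', 0), not 'block'
```

Swapping the two MISORDERED rules makes the block fire, which is the kind of ordering check worth doing before assuming a rule is ineffective.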

  • IcarusNYC
    Community Member

    Thank you for your reply.

    The firewall feature in 1Password is often misunderstood

    If the firewall feature in 1Password is often misunderstood, it may be helpful to have it explained more thoroughly/clearly in that area. This way, users can fully understand its purpose and make the most of its capabilities. Clear and concise explanations can help ensure that the feature is used effectively and provides the intended benefits.

    One main benefit to this approach is that 1Password can always be used offline,
    Lastpass has a feature to block offline access. 1password should follow based on what 1password is charging. This feature should be applicable on a per group basis. For example, I don't need my employees to have offline access but as a CEO, I appreciate it when travelling.

    Can you share more about how your team uses 1Password and why you'd like to block from using it on their mobile devices?

    Regarding the blocking of installs of mobile password apps for employees. I understand that this feature may seem restrictive to some users, but I believe it is an important security measure for our company.
    By preventing employees from installing password managers on their personal devices, we can better control the access to our sensitive information. It helps ensure that our company's passwords are not stored on unsecured devices that may be lost, stolen, or otherwise compromised. I appreciate your understanding in this matter, and I believe that this feature is an important aspect of our overall security strategy

    currently operate on a per-group basis that you'd like to see implemented?
    IP restriction. Admins should not be restricted by IP. For example, a CEO travelling should not have to VPN each time to get around the IP restriction. But since your IP restriction ONLY applies to initial install (which should be mentioned clearly in your Firewall area), this point is moot. It's my opinion your firewall feature needs either a. a proper explanation or b. an overhaul.

    I plan to email your business support team to provide more detailed feedback, but I wanted to express my hope that 1Password will consider expanding its feature set to better match LastPass and justify 1Password's cost.

  • Hello @IcarusNYC,

    Thanks for sharing this with me. Since you've mentioned emailing into our support team, I'd be glad to continue the conversation there. When you send the message, you should get an automatic reply with your ticket number. Post it here so I can quickly locate your ticket and connect our two conversations.

    Thank you,
