Last year, I looked at a few of the different methods enterprises could employ for a passwordless experience. One option was password vaulting, which is ideal if you use websites or older applications that lack the ability to use SAML or OAuth.
I covered some of the bigger names that offer password vaulting products, such as Okta and Google. I wanted to look at another name that most people are familiar with in the consumer space that offers password vaulting, 1Password.
Why password vaulting is worth thinking about
The top reason to use password vaulting is to reduce password reuse: all a user needs to remember is the vault's password rather than a separate password for every account. A 2018 online survey done by Google found that 52% of respondents admitted to reusing a password across multiple accounts, and a further 13% said they used one password for ALL of their accounts.
Vaulting can be a way to protect your organization and get better buy-in from employees who might be disinclined to use MFA and other security features due to the poor user experience they can sometimes create.
Additionally, not all apps and websites support modern authentication, like federation, requiring users to still remember unique passwords for those apps.
What 1Password offers organizations
This vendor does more than consumer password vaulting, offering 1Password Business and Enterprise Password Manager products. Confusingly, both offer the exact same services; the latter is just for enterprise-sized organizations, which means a custom quote instead of the $7.99/mo. price of 1Password Business.
With 1Password, users and groups get access to vaults, which contain their passwords and related account information. An encrypted local copy of each vault is saved on the device, so users can look up a specific password even when offline. To speed up entering passwords into login pages, users also install the browser extension (available for all major browsers), which autofills credentials.
With group vaulting, an entire team within the organization gets access to all the same accounts needed for that group. For example, you might set up a group vault for your social media team because they all need access to the same Twitter and Sprout accounts. Admins create the vault, add the necessary users to it, and set what permissions each user has (i.e., allow viewing, allow editing, allow managing). Users keep their own Master Password, which unlocks their 1Password app and every vault they have been granted. When a user is added to a group vault, their client downloads the vault key and the vault items, both encrypted: the vault key is encrypted to the user's public key, so only that user's private key can unwrap it, and the vault key in turn decrypts the items.
1Password uses what it calls Two-Secret Key Derivation (2SKD). To unlock a vault you need both the account key (now called the Secret Key: a 26-character, computer-generated key created at sign-up that is stored on each enrolled device and never sent to 1Password) and the Master Password, so a stolen copy of the encrypted data cannot be attacked by guessing the Master Password alone. When an employee leaves, remove them from every vault they belonged to and rotate the passwords those vaults contained. Removal stops the vault from syncing to the person's devices and deletes the local copy the next time each device connects, but until then that copy remains readable, and nothing can recall credentials the person has already seen, exported or memorized.
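To make the two-secret property concrete, here is an added Python illustration. It is not 1Password's code: it follows the shape 1Password describes for 2SKD (PBKDF2 over the Master Password, HKDF over the Secret Key, XOR of the two results), but the salts, info strings, iteration count and the sample account are this example's own assumptions. It derives an unlock key from both secrets and then shows that an attacker holding the encrypted data can only verify password guesses if they also hold the Secret Key:

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Added illustration of two-secret key derivation. The shape follows 1Password's
# published description of 2SKD, but every constant and parameter below is this
# example's own assumption, not 1Password's implementation.

ITERATIONS = 10_000  # kept low so the example runs quickly; real deployments use far more


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK from ikm, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password: str, secret_key: str, email: str,
                      salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 32-byte key that unlocks the user's keyset from BOTH secrets."""
    ident = email.strip().lower().encode()
    # Bind the per-account salt to the account identity so identical passwords on
    # different accounts never derive the same key.
    pw_salt = hkdf_sha256(salt, ident, b"master-password")
    k_pw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), pw_salt,
                               iterations, dklen=32)
    # The Secret Key is high-entropy and only ever present on enrolled devices;
    # HKDF turns it into a 32-byte contribution without slow stretching.
    k_sk = hkdf_sha256(secret_key.encode(), ident, b"secret-key")
    # XOR: without either input the result is uniformly random to the attacker.
    return bytes(a ^ b for a, b in zip(k_pw, k_sk))


def make_verifier(unlock_key: bytes) -> bytes:
    """Stand-in for the encrypted keyset an attacker would test guesses against."""
    return hmac.new(unlock_key, b"vault-check", hashlib.sha256).digest()


def offline_guess(candidates: Iterable[str], secret_key_guess: str, email: str,
                  salt: bytes, verifier: bytes,
                  iterations: int = ITERATIONS) -> Optional[str]:
    """Simulate an attacker with stolen encrypted data trying password guesses."""
    for pw in candidates:
        key = derive_unlock_key(pw, secret_key_guess, email, salt, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return pw
    return None


# Constructed sample account (not real credentials).
EMAIL = "user@example.com"
SALT = bytes(range(16))
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY-26CHARS"
MASTER_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    unlock = derive_unlock_key(MASTER_PASSWORD, SECRET_KEY, EMAIL, SALT)
    verifier = make_verifier(unlock)
    wordlist = ["password", "123456", MASTER_PASSWORD]
    print("guessing with the Secret Key   :", offline_guess(wordlist, SECRET_KEY, EMAIL, SALT, verifier))
    print("guessing without the Secret Key:", offline_guess(wordlist, "A3-GUESS", EMAIL, SALT, verifier))
```

The second line of output is `None` even though the real Master Password is in the wordlist: without the device-held Secret Key, every guess derives a key that is unrelated to the right one, which is exactly why a leaked server-side copy of the encrypted data is not enough on its own.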
Let’s look at the admin side of things for 1Password. Admins can provision users into 1Password through a SCIM integration with IdPs such as Azure Active Directory and Okta. This integration is for provisioning, not for authenticating to the vault: users still type in their Master Password for that. 1Password Business creates custom reports that show admins how the product is being used within the organization: which items were accessed recently, by whom, and when. Admins also get an audit trail of the actions taken by each account. Another admin feature is Watchtower, which flags vault items whose password has appeared in a known breach (it checks against the Have I Been Pwned Pwned Passwords API) and warns when a website your organization uses has reported a data breach.
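As an added example of how a Watchtower-style check can consult the Pwned Passwords API without disclosing the password, here is a small Python implementation of the API's k-anonymity range query. This is not 1Password's code, and the sample range response and the vault items are constructed for the illustration; the only real details are the SHA-1 of "password" and the endpoint and `Add-Padding` header used by the live function.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Added example of the k-anonymity range query behind a Pwned Passwords check.
# Only the first five hex characters of the SHA-1 hash are sent; the full hash
# and the password itself never leave the client. The sample response below is
# constructed for this example, not a real API response.


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char query prefix
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map (padding rows have count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_vault(items: Dict[str, str], fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Watchtower-style sweep: map item title -> breach count for every compromised password."""
    flagged: Dict[str, int] = {}
    for title, pw in items.items():
        n = breach_count(pw, fetch_range)
        if n:
            flagged[title] = n
    return flagged


# Constructed stand-in for the range endpoint, keyed by prefix.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range is
# 5BAA6; the counts and the second suffix are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline substitute for the API, returning the constructed sample."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real query (needs network). Add-Padding hides the true response size from observers."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "vault-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed group vault for the social media team (not real credentials).
SAMPLE_VAULT = {
    "Twitter": "password",
    "Sprout": "k9#Lq-ven7ral-Tumble-Oxide",
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT, offline_fetch_range))
```

Swap `offline_fetch_range` for `live_fetch_range` to run the same sweep against the real service; the point of the design is that the server only ever learns a 5-character prefix shared by hundreds of other hashes, so even a full capture of the request does not reveal which password was checked.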
1Password recently unveiled a feature for admins called Advanced Protection. With it, they can set policies for the Master Password, such as a minimum length or required upper/lowercase letters, symbols, and numbers. Rotation rules aren't included, because changing a Master Password is an involved operation: it doesn't completely change the user's personal keyset, so a user would have to request a new personal keyset to properly re-encrypt a vault.
Because the Master Password and Secret Key never leave the user's devices, 1Password itself cannot decrypt company data and cannot see or reset those secrets for a user. To keep a user from being permanently locked out of their account, 1Password recommends setting up a Recovery Group, whose members can restore access to a user who has forgotten their Master Password. Keep that group small and hold its members to the strongest controls you have, since the ability to recover any account is a highly privileged one.
Additionally, admins can require 2FA when a user adds 1Password Business to a new device. Advanced Protection also provides more in-depth reports, compiling sign-in attempts, outdated apps, and more.
Who is 1Password ideal for?
We saw that they offered a business- and enterprise-focused product and wondered about the customers that actually use it. There are some clear use cases where a tool like 1Password fits into the market. As mentioned, it can work alongside an existing SSO deployment, covering the apps that either aren't integrated yet or don't support any federation standard. Federation and SSO can be a lot of work, so in many cases it takes a while to expand deployments beyond an organization's main apps. If you're not using an IDaaS that comes with its own password vaulting features, a freestanding product like this gives you peace of mind for the rest of your apps.
Most often, 1Password Business and Enterprise seem ideal for smaller organizations; the customers referenced on their website are small to mid-size companies. A small business might know they need to manage passwords, but they might not be sophisticated enough to deal with things like SAML just yet, making password vaults an ideal option.