Simple Table Of Subscription vs License Features?

Now that macOS Catalina's Safari browser won't support the 1Password extension I have to upgrade to 1Password 7. I've read dozens and dozens of posts on this forum about the subscription (rental) vs license model and I'm happy that AgileBits is offering both. What I haven't been able to find is a simple table stating the functional differences between the two.

I use 1Password on multiple macOS computers and an iOS phone. I've used iCloud sync for years and have never had a sync problem. If I make a change in one app it appears quickly in the others. Therefore, the web access is not appealing to me.

The only description I've been able to find is the following statement in the "Purchasing a standalone license" dialog in macOS.

Some features are only available with a 1Password membership, like multi-factor security, web access, data loss protection, and daily accounts.

That is kinda vague (some, like).

Thanks!

  • PS 1: 1Password's security White Paper is interesting. https://1password.com/files/1Password-White-Paper.pdf
  • PS 2: In the forum posts I read I saw complaints about the subscription model because it is analogous to renting software. Arguments were made that other software companies use the word subscription as AgileBits does. While that is accurate, I think the point has been missed. I also think there is an implication that before subscriptions the only option was a license, which isn't correct. The old method of creating predictable income for a software company was called maintenance and support. One would buy a perpetual license and then pay annual maintenance and support which would entitle them to bug fixes, new features, and personal support. My biggest hesitation about a 1Password subscription is making my data accessible from the web. 1Password is the safe place that I put information that I would not put anywhere else. Making that available via the web seems like a bad idea. Just like our power-grid being connected to the Internet seems like a bad idea. Obviously for security reasons I'm leaning heavily toward a license. But, I'd really like to know the exact functional differences. In the end if I choose a perpetual license I would be very open to the idea of an AgileBits support and maintenance plan.

1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: 10.15.2
Sync Type: iCloud

Comments

  • Ben AWS Team

    Team Member

    Hi @Limabean

    We don't offer any such comparison, as licenses aren't something we're marketing anymore, and frankly such a table would be a bit of a nightmare to build and maintain. 1Password membership is the way forward. As I'm sure you might imagine we're all big security and privacy experts here, and we all use 1Password.com.

    I'm glad to see you've found the white paper. It has a ton of details in it. You have secrets - we don't. :) If you have any questions not addressed there we'd be happy to help.

    Ben

  • Limabean
    edited January 30

    Thanks for the reply @Ben . The main things I'm trying to understand are (1) who has the ability to decrypt my data and (2) who has access to my data when it is decrypted.

    1) Who can Decrypt
    In the following forum discussion the following statement is made by @khad .
    https://discussions.agilebits.com/discussion/67782/thoughts-on-licenses-vs-subscriptions/p2
    _
    Recover accounts for family or team members who have forgotten their Master Passwords.
    No more explaining to people who have forgotten their Master Password that they need to start over from scratch.
    _

    At first this set off a red flag because it seems AgileBits might have a way to decrypt data. Then I saw the following support topic.
    https://support.1password.com/forgot-master-password/

    I think what is happening is that all family/team members are able to add new family/team members, so as long as one family/team member still has access, someone who forgot their master password can be added and allowed to set a new master password. In my case I don't plan on adding family members or team members, therefore, I believe there is no way to recover a lost master password. Is that correct?

    2) Who Has Access to Decrypted Data
    Next web access. How are servers secured? The white paper says, "We’re sorry. This section of this document is not yet ready. Anything you see in this section is at most an outline of things to come." Even though data is encrypted between the client (me) and the server (you) my master password is eventually stored unencrypted in memory and my decrypted vault is stored unencrypted in memory. Unencrypted data could also be stored to disk for a short period of time. Therefore, the security of my data depends on the physical security of the facility. If AgileBits is renting servers, or server space, the security of my data also depends on the employees of the company AgileBits is renting from. These are some of the reasons I avoid web based services unless web access is a strong requirement. For my use case of 1Password it is not. Since you said membership is the way forward I assume I can't opt out of storing my data on the web. Is that correct?

    • If I subscribe to 1Password is there anything that I must do through the web with my master password?
    • If I subscribe to 1Password and only use the iOS and macOS 1Password software is my master password ever sent off my computer?
    • If I subscribe to 1Password and only use the iOS and macOS 1Password software is my vault ever decrypted off my device?

    I believe that for the older 1Password license model the answer to all three questions is no. Correct?

    Thanks!

  • Ben AWS Team

    Team Member

    @Limabean

    We (AgileBits) do not have access to your encryption keys, and as such cannot decrypt your data. It is not possible to recover the Master Password for an individual account. No decryption is done on the server - it is all done in the client (e.g. your web browser or one of our native apps). Also note that the native apps work with 1Password.com, and so there is really very little (if anything) you need to do via the web interface if you don't want to, particularly for an individual membership. Your Master Password never leaves your device, even when using the web interface.

    Does that help? Please let me know.

    Ben
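
Added example (not from the thread, and not 1Password's actual code or key-derivation design): a generic Node.js sketch of the model Ben describes, where encryption and decryption happen only on the client and the server stores ciphertext. PBKDF2, AES-256-GCM, the iteration count and all function names are assumptions chosen for illustration.

```javascript
// Generic client-side encryption sketch; NOT 1Password's real scheme.
const crypto = require('crypto');

const KDF_ITERATIONS = 100000; // assumed work factor for this sketch

// Client side: the password is stretched locally and never transmitted.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client side: returns the only record the server ever receives.
function sealVault(masterPassword, vault) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(vault), 'utf8'),
    cipher.final(),
  ]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client side, after downloading the record. Throws if the password is
// wrong or the record was modified in storage or transit.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Server-side view: the operator holds the record but no password or key.
function serverCanRead(record, guess) {
  try { openVault(guess, record); return true; } catch (e) { return false; }
}

// Constructed sample data, for illustration only.
const vault = { site: 'example.com', password: 'constructed-sample-secret' };
const stored = sealVault('correct horse battery staple', vault);
console.log('server stores fields:', Object.keys(stored).join(', '));
console.log('client reopens:', openVault('correct horse battery staple', stored).site);
console.log('server guess succeeds:', serverCanRead(stored, 'wrong guess'));
```

The property shown rests on the server never receiving the password or the derived key. Anyone holding the stored record can still try password guesses offline, which is why the key derivation is deliberately slow.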

  • Thanks for your reply @Ben , it does help. The last topic is server security. I see in the white paper it is listed as a risk in (2) of section Crypto over HTTPS. And, in "Vulnerability of server data". What I don't see is any information on how AgileBits mitigates that risk. How do we know that the JavaScript delivered to my browser hasn't been manipulated by a third party?

  • Ben AWS Team

    Team Member

    That's a fair question, @Limabean, and frankly the answer right now is that you don't. On the other hand as mentioned above you really don't have to use the web interface for the situation you outlined, if:

    • You set up an individual account AND
    • You pay via Apple (through either the Mac App Store or the iTunes App Store)

    In that case the web interface could be avoided entirely if desired. On the other hand I think it is worth considering that 1Password is likely one of the strongest links in the chain. One of the ways in which we may be able to address this concern in the future is through code signing, but the availability of that for JavaScript/web clients is currently fairly limited.

    Ben

  • Thank you very much for having this exchange with me @Ben . The information you shared has been very helpful.

    Let's hope that W3C and Ecma close the hole on JavaScript soon. In the interim it would be good for AgileBits to complete the section of the white paper that describes your server security. And, AgileBits should set up a warrant canary as discussed here.

    It appears that AgileBits uses Amazon AWS. Amazon does not appear to use a warrant canary. Given the huge market share that AWS has and the lack of warrant canary I assume the US federal government has access to whatever AWS data they want.

    However, with the information you have provided there are ways to use 1Password and completely avoid the web. Thanks.

  • Ben AWS Team

    Team Member

    You may be interested in the information that we provide for law enforcement. The system is designed such that even with access to the servers there isn't a way for someone to read the data customers are storing in 1Password. Again, even we cannot access your data.

    Ben
