SAML integration for 1Password login

I understand that 1Password will not implement 2FA authentication. Is SAML integration on the roadmap?




Comments

  • Pilar

    AgileBits Team Member

    Hi @Farhan

    Thank you for writing to us with your concerns.

    > I understand that 1Password will not implement 2FA authentication.

    If you have a 1Password Account you have an Account Key, your Account Key works similarly to two-factor authentication, but is much more powerful. You can read more about it here: https://support.1password.com/understanding-account-key/. This article explores and explains the advantages of an Account Key over the normal 2FA.

    I would like to hear your thoughts about this, and if there's anything on this article that doesn't convince you about the benefits of the Account Key over 2FA. :chuffed:

  • Jacob

    AgileBits Team Member

    @Farhan Thank you for the suggestion! To add to what Pilar said, we've gotten a few requests for SAML/SSO before and it's not something we're considering right now because we recommend that each user on the account create a unique Master Password and not connect that or the account to additional services. Each member also has an Account Key to add a layer of security to things. Hope that helps!

  • The SAML requirement is more for security best practices in Identity Management. We want to be able to terminate access to all applications with a single click. This works for the majority of the applications in our environment. This is something that is required for public companies that have to comply with SOX or service organizations that adhere to SSAE-16 Common Criteria.

    As for the 2FA question: I understand that the 1Password Account Key essentially turns the device itself into the second factor (among doing other things). This may or may not be equivalent to a traditional disconnected 2-factor authentication keyfob or mobile-device-based token. A proper assessment will require threat modeling the 1Password solution. Perhaps certifying it with a respected penetration testing firm and publishing the report publicly would be a good idea to put an end to this never ending conversation.

    PS: Apologies if you have already gone through a third-party security assessment and I am unaware of it.

  • brenty

    AgileBits Team Member

    @Farhan: No worries! You make some excellent points. 1Password Families/Teams is HIPAA compliant, and we've contracted with a number of companies (and continue to do so) to perform risk analyses and penetration testing. And you can also read the details of the security architecture for yourself in our white paper.

    But more relevant to your specific needs is that individual devices can be deauthorized from the web interface, and most importantly, the user or any Admin/Organizer can reset the credentials to prevent them from being used if they may have been compromised — either by suspending the account or setting it for recovery. I know it's not exactly what you're asking for, but these are systems which are in place today. And we'll certainly continue to explore other avenues as well. Thanks so much for your feedback! :)

  • Perhaps the feature that would satisfy the OP without compromising 1p's Master Password model would be automatic provisioning and de-provisioning APIs. I, too, would like to be able to create a 1p invite directly from my IdP, add the user to some groups based on my IdP's directory configurations, and then lock out a user when I remove him from the IdP. All without interacting with the 1p web interface (FWIW, your dashboard is lovely, it's just one of dozens I have to interact with when creating/destroying users).

  • Jacob

    AgileBits Team Member

    @lordbyron Thanks for the feedback, and the kind words about our dashboard! :chuffed: I can certainly see how it would be useful to have SSO in a case like that, and I'm sure I'd be in the same state as you if I had lots of folks to manage. I've forwarded your feedback to the team, and I appreciate you taking the time to post it.

    ref: B5-1804

  • Jacob

    AgileBits Team Member

    Indeed we are! Thanks for noticing. :+1:

  • Our organisation was looking at 1Password as an enterprise password management solution, but its lack of SAML support is definitely a showstopper.

    Also, the argument that Account Key is more secure than 2FA is flawed. Yes, it is stronger in the sense that it is used for encryption as well (if encrypted vault is compromised, you need both the password and Account Key to decrypt), but weaker because it's just a static password, and can be stolen/intercepted much more easily than, say, a YubiKey or trusted mobile phone.

  • Can we get an update on the status of this request? Has SSO/SAML/OAUTH capability been accepted onto the roadmap or is it still being triaged?

  • Jacob

    AgileBits Team Member
    edited October 2016

    Hi folks! We don't announce things that are on our roadmap because our roadmap is private. We'll share features and updates with you when they're ready. I'll let the team know you asked about this and that it's important to you. :)

  • brenty

    AgileBits Team Member

    > Also, the argument that Account Key is more secure than 2FA is flawed. Yes, it is stronger in the sense that it is used for encryption as well (if encrypted vault is compromised, you need both the password and Account Key to decrypt), but weaker because it's just a static password, and can be stolen/intercepted much more easily than, say, a YubiKey or trusted mobile phone.

    @AUSFestivus: That statement is false. Unless you yourself make it true by intentionally transmitting your Account Key or sharing it with someone else: the Master Password is chosen by you; the Account Key is generated locally on your device when you create the account; and neither is ever transmitted by 1Password. A one-time password can be subject to interception, but the Account Key is just never sent. Also keep in mind that, unlike various security dongles, losing a device authorized with your 1Password Account will, in almost all cases, be irrelevant since your Master Password will need to be known to unlock the app and view your Account Key. And again when we're talking about encryption versus authentication, encryption is math; it strengthens the security of your data in a concrete way, and isn't subject to social engineering attacks. You can read more details on how all of this works in our white paper. I hope this helps!

  • Hi all, we'd also like to request SAML integration. That would make it much more attractive for organizations like the one I work for. Thank you

  • Jacob

    AgileBits Team Member

    Thank you @brandenstanke! I'll let the team know you're interested. We'll post updates here if we have some.

  • Guys,

    When you work in an environment that has a hundred-plus employees you need something a little more manageable, or that could at least integrate into something like Auth0 or AD. I can see several people asking about SAML integration and guess what - not having it is causing a pain that would drive me to look at another solution. Appreciate the comment about the top secret roadmap, but this is a standard these days? Is this seriously being considered?

  • Ben, AWS Team

    AgileBits Team Member

    It is certainly being discussed and the feedback is taken seriously. Unfortunately that still doesn't mean I can make any promises at this stage.

    Ben

  • I think that brenty is missing the point about the underlying 2-Factor requirement. When I go to the website to sign in, I am asked for three pieces of information: Email, Account Key, Master Password. These are all things that I know so they do not constitute separate factors. If the first factor is something I know, then the second factor should come from something that you are (e.g. biometric), which isn't really relevant here, or confirming you physically have something. Sending an SMS confirms you have a phone (well, sort of... https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ ) and a one-time time-based code generator (e.g. Duo, Google Authenticator) confirms that you have a particular device. The service doesn't have 2-Factor authentication - just a single factor that's really long.

    On the SAML side, my interest is not about authentication but authorization. If we want to have multiple vaults mapped to teams and we're managing team membership centrally, then SAML can take care of pushing group membership over to you. Without it, you're just another place that I need to maintain authorizations, which will drift. The result is that people will have access to secrets that they are not supposed to access, not because the authentication is weak, but because the 1Password for Teams administrator may have missed something in the configuration.
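The group-membership and deprovisioning flow described in this post and in lordbyron's earlier comment, as an added illustration that is not 1Password's code and not part of the original thread: it pulls the `groups` attribute out of a SAML assertion's AttributeStatement, maps groups to vaults through a local policy table, and reconciles that against the vault grants an administrator maintains by hand, so that drift (access a user should no longer have, or has not yet been given) is surfaced instead of accumulating silently. A user who has been removed from every IdP group simply reconciles to "revoke everything". The sample assertion, the `groups` attribute name, the group-to-vault table and the current-grants dictionary are all constructed for the example; a real service provider must verify the assertion's XML signature, Issuer, Audience and Conditions before trusting any attribute, which is omitted here.

```python
"""
Illustrative only (not 1Password's code): derive vault authorization from the
group membership carried in a SAML assertion and diff it against hand-kept
vault grants, so authorization drift is detected and deprovisioning is
automatic when a user disappears from the IdP's groups.
"""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for all element lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, trimmed to the parts this example reads.
# NOTE: unsigned. Real code verifies the XML signature, Issuer, Audience and
# Conditions (NotBefore / NotOnOrAfter) before trusting a single attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2016-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>oncall</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical local policy: which IdP group confers which vault(s).
GROUP_TO_VAULTS = {
    "engineering": {"Engineering"},
    "oncall": {"Production Secrets"},
    "finance": {"Finance"},
}

# Hypothetical grants an admin maintains by hand today: vault -> members.
# Alice still sits in Finance from an old role (drift) and has not yet been
# added to Production Secrets even though the IdP says she is on call.
CURRENT_GRANTS = {
    "Engineering": {"alice@example.com", "bob@example.com"},
    "Finance": {"alice@example.com", "carol@example.com"},
    "Production Secrets": {"bob@example.com"},
}


def parse_assertion(xml_text, group_attr="groups"):
    """Return (subject, set_of_groups) from the assertion's NameID and
    the named multi-valued attribute. Raises if the subject is missing."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != group_attr:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return name_id.text.strip(), groups


def expected_vaults(groups, policy=GROUP_TO_VAULTS):
    """Union of vaults granted by every group the IdP asserts.
    Unknown groups confer nothing (fail closed)."""
    vaults = set()
    for group in groups:
        vaults |= policy.get(group, set())
    return vaults


def reconcile(user, expected, current_grants):
    """Diff IdP-derived access against hand-kept grants for one user.
    An empty `expected` (user removed from all groups) revokes everything."""
    has_now = {vault for vault, members in current_grants.items() if user in members}
    return {
        "revoke": sorted(has_now - expected),
        "grant": sorted(expected - has_now),
    }


def reconcile_from_assertion(xml_text, current_grants=CURRENT_GRANTS):
    """End-to-end: assertion -> groups -> vaults -> drift report."""
    user, groups = parse_assertion(xml_text)
    return user, reconcile(user, expected_vaults(groups), current_grants)


if __name__ == "__main__":
    user, report = reconcile_from_assertion(SAMPLE_ASSERTION)
    print(user, report)
    # A user who no longer appears in any group reconciles to full revocation:
    print(reconcile("carol@example.com", set(), CURRENT_GRANTS))
```

Because the policy table is the only place where group names meet vault names, it is the one artifact an auditor has to review; everything else is derived from the IdP on each login, which is the property the post is asking for.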

  • brenty

    AgileBits Team Member

    > I think that brenty is missing the point about the underlying 2-Factor requirement. When I go to the website to sign in, I am asked for three pieces of information: Email, Account Key, Master Password. These are all things that I know so they do not constitute separate factors. If the first factor is something I know, then the second factor should come from something that you are (e.g. biometric), which isn't really relevant here, or confirming you physically have something.

    @egauthierscout: If you actually know your Account Key, I'm impressed. I sure don't! :lol:

    In all seriousness though, I understand what you're saying. It is a bit of an apples-and-oranges comparison though since the Account Key isn't chosen by the user, is generated randomly, is almost certainly not known by anyone, and is actually used to strengthen the encryption of your data, not merely to serve as a barrier to account access. I'm not saying that multifactor authentication isn't useful, only that what you're describing serves a very different function. More on that later.

    > Sending an SMS confirms you have a phone (well, sort of... https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ ) and a one-time time-based code generator (e.g. Duo, Google Authenticator) confirms that you have a particular device. The service doesn't have 2-Factor authentication - just a single factor that's really long.

    As you alluded, SMS really isn't secure at all, and doesn't really prove anything (since it is subject to spoofing, person-in-the-middle attacks, and outright theft). Transmission is a key and necessary function of many flavours of multifactor authentication, and the reason we didn't start with that is because, again, this is only a hurdle to account access, rather than stronger security. In conjunction, however, I think it can be useful.

    > On the SAML side, my interest is not about authentication but authorization. If we want to have multiple vaults mapped to teams and we're managing team membership centrally, then SAML can take care of pushing group membership over to you. Without it, you're just another place that I need to maintain authorizations, which will drift. The result is that people will have access to secrets that they are not supposed to access, not because the authentication is weak, but because the 1Password for Teams administrator may have missed something in the configuration.

    I couldn't have said it better myself. While this doesn't represent a majority of the userbase, you're right on that in some cases (especially large companies), organization and logistics can be the enemy of security, so better tools to manage things would be tremendously helpful there. Thank you for making this point! :)

  • Just adding my voice for SAML/directory integration. Have used 1Password personally for years, but without the ability to use it with our identity management solution, we can't roll it out. I understand you want to keep your roadmap secret, but if enterprise customers can't even say if directory integration will be done, let alone a rough ETA, how are we ever able to table it for approval? I can't say let's wait if I don't know if it's ever going to be available, so we're stuck with buying less salubrious solutions...
    As for 2FA vs Account Key: you say it's like comparing apples and oranges (with which I agree), but, again, unfortunately, those apples are required by many corporate environments (and nice as Duo is, we'd like some other options!).

  • brenty

    AgileBits Team Member

    @fhilmer: Even if we were to announce that "feature X" (2FA? SAML?) is coming and give an estimate on release, I'm sure you can relate to the fact that these things never go according to plan. We'd rather wait and have something concrete to offer than set everyone (ourselves included) up for disappointment. Thanks for letting us know how important this is to you, and for your passion for 1Password! I hope we'll be able to offer these in the future, but it would be no small undertaking so we don't want to get anyone's hopes up in case it doesn't work out.

  • If you are looking for solutions on how to implement SAML I would strongly suggest you have a chat to these guys! Auth0 - https://auth0.com/

  • brenty

    AgileBits Team Member

    Thanks! That's certainly one possibility. :)

  • Hi all,

    Just throwing my support behind some sort of authentication integration. It's literally the only thing keeping us from rolling out 1Password to (potentially) up to 1000+ users. As one can imagine, the inability to automate terminating access is a huge blocker. With an AD or SAML integration we'd be able to automate suspending access. I'd rather not trust humans with something as sensitive as terminating access to password vaults :)

  • khad, Social Choreographer

    AgileBits Team Member

    Thanks for letting us know you’re interested in this, @ClayG! I can completely understand why you'd want it. :)

  • Lack of SSO is the biggest pain point with 1Password. We're streamlining our on-boarding with every app, but 1Password is still a pain to get people into the system. Please focus on either SAML support or OAuth with Google.

  • Frank

    AgileBits Team Member

    Thank you @jsutton78 for the feedback and for letting us know this is important to you. We will do our best. I apologize for not having a timeline when or if this will be implemented but I will make sure to let the team know. Have a great day and thank you again for sharing.

  • rickfillion, Junior Member

    AgileBits Team Member

    @jsutton78 : if your interest in SAML is to put SSO in front of 1Password for provisioning/deprovisioning of 1Password accounts, I can tell you that that's not in the cards. There are interesting use cases for SAML + 1Password, but our security model is such that we can't put SAML in front of 1Password itself.

    What are you using as your central user directory system? We certainly want to make provisioning/deprovisioning of 1Password accounts easier, but due to how our security works we have to tackle this a little differently.

    Rick

  • We are standardizing on Google as our directory.

  • rickfillion, Junior Member

    AgileBits Team Member

    Good to know. Active Directory and Google seem to be the popular ones these days.

    Rick

  • I would like to add my vote for agilebits being a SAML identity provider. I'd love to propose 1pass for teams for my company but this is a sticking point. We have every reason to move away from our current provider and many of us use 1Pass personally.
