Enhancements to activity log to make it more useful

BobW
BobW
Community Member

Looking at the activity log on my Business account, I see things like:

  1. xxx updated items in a vault
  2. yyy authorized their own device
  3. zzz updated items in the Foo Vault

A couple of comments about this:

First, I really need more information; as it is, the log is just not very useful. For example, it's great to know that items were updated, but I'd really like to know what items were updated. For example, if someone changes a password to something stupidly weak, I want to be able to look into the log and see who it was. I also want to watch the stream of item changes for anything fishy. Likewise, it's great to know someone authorized a new device, but it's even more useful to know about the device, e.g., an iPhone in Atlanta, GA, USA, since that would help decide whether activation on that device passes a sanity check (maybe also record basic info about the device, like OS version, so that we can verify any company-specific requirements there, particularly since 1P can't enforce any sort of requirements in this area).

Second, why does the log sometimes show a vault name and sometimes not? Compare items 1 and 3 above. Is 1 when they update items in their private vault? If so, why not just say that? Item 1 is nearly useless information.

Finally, a separate but related request: log more actions! Tell me when a user copied/pasted a password, auto-filled credentials onto a web site, printed an item, shared an item, revealed a password, etc., etc. From a company security standpoint, I want to record just about everything so that if I need to investigate something later, whether because something went wrong or because of an audit, I have the info I need.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @BobW,

    I agree with everything you're saying here. Our activity log needs a lot of love. Let me see if I provide a bit of info behind your specific points just for sake of explanation.

    For example, it's great to know that items were updated, but I'd really like to know what items were updated. For example, if someone changes a password to something stupidly weak, I want to be able to look into the log and see who it was.

    Yeah, I think it'd be great to have this. Right now our auditing event system isn't quite granular enough for this.

    Likewise, it's great to know someone authorized a new device, but it's even more useful to know about the device, e.g., an iPhone in Atlanta, GA, USA, since that would help decide whether activation on that device passes a sanity check (maybe also record basic info about the device, like OS version, so that we can verify any company-specific requirements there, particularly since 1P can't enforce any sort of requirements in this area).

    This too is a great idea. Though I would argue that a better solution to this would be to have us provide a way for you to set those requirements and have us manage that for you so that you aren't having to dig in activity logs to find violators.

    Second, why does the log sometimes show a vault name and sometimes not?

    This basically boils down to whether or not you have access to a vault. When no name is shown, it's because you don't have access to that vault, and without access to the vault we don't have the encryption keys needed to decrypt its name. In the case of Personal/Private vaults we could infer that for you based on the vault's type, but that wouldn't work for other vaults that are created but isn't provided to the admins.

    Finally, a separate but related request: log more actions! Tell me when a user copied/pasted a password, auto-filled credentials onto a web site, printed an item, shared an item, revealed a password, etc., etc. From a company security standpoint, I want to record just about everything so that if I need to investigate something later, whether because something went wrong or because of an audit, I have the info I need.

    Right now this isn't something we can do, but it's something we want to do. At the moment our tracking of item usage is limited in that it only tracks the last usage. We don't have complete historical usage (by design). This is something we want to make much better and we've been looking into technologies that can help us manage that better.

    Rick

  • _pk
    _pk
    Community Member

    I second all of BobW's points. Is there a timeline for when audit logs might see some of these much needed improvements? Are there any of the aforementioned features that you know will never be a part of 1Password? I'm trying to get an idea of where we'll be a year from now in regards to the auditing capability.

  • Hi @_pk,

    We don't share timelines for such things as things change all the time. Sometimes we think a feature is 2 weeks away but ends up being more like 6 months away (and sometimes the opposite). We try to be open to frequent course corrections, which is always going to have an impact on timelines for things.

    Are there any of the aforementioned features that you know will never be a part of 1Password?

    I think they were all reasonable requests and I can't think of a reason that any of them would be specifically ruled out. That doesn't necessarily mean that we'll build them all, but I try to be as up front as possible when something specifically isn't happening.

    Rick

This discussion has been closed.