Feature Request - 1Password for Teams Security Enforcement

Hello 1Password. I may be wrong, but it seems admins cannot force certain security settings for user accounts on either the apps or web interface. I feel it would be very beneficial from a security point of view to allow admins of team accounts to be able to force auto-lock and the other security features available for the 1Password applications. As of now, it seems end users have control over their application's settings and can turn off certain key security features which many admins may want to ensure are always enabled or disabled. Some include Touch ID settings, conceal passwords, auto-lock and clear clipboard contents after a certain number of seconds.

Being able to adjust these settings using a group structure would be great too as admins may want to adjust certain security settings for specific users. I hope this can be implemented in the near future because many end users have a tendency to turn off security features to be less inconvenienced and do not realize they are putting sensitive information at risk!

Thank you,
Alfredo



Comments

  • AGAlumB
    1Password Alumni
    edited September 2018

    @alfredomontalvo: Indeed, 1Password Teams/Business permissions aren't meant to give you control over people's machines, only their access to data through the vault permissions you grant. We can certainly consider adding these kinds of features in the future, but it would be helpful to know specifically what you're trying to achieve. Can you elaborate? What benefit do you imagine there would be to you being able to determine the "conceal" setting for others, for example?

  • JimmyJetset
    Community Member

    For me, it would be very useful to set a global exclusion list for autosaving from certain sites. We inevitably end up with lots of saved logins for some sites that people just shouldn't be saving logins for, e.g. personal email or personal logins for our business sites. Unfortunately, a lot of our users aren't that tech-savvy and so just press save when the prompt comes up, saving it straight into one of the shared vaults. So being able to specify domains that 1Password will never save from would be very useful.

  • Hrmm... I think that might be counter-productive @JimmyJetset. Don't get me wrong... I see why you wouldn't want an individual's hotmail.com credentials stored in a shared vault. But I think trying to achieve that via these means might cause more problems than it solves.

    My concern here is that the users wouldn't necessarily be aware of that exclusion list. This would mean that their web experience would start being inconsistent. Sometimes they'd get a save dialog, sometimes they wouldn't. This achieves your goal, but at the expense of trust in the software. Users would likely not interpret this as a feature; instead they'd likely see it as a failing of our app. That alone isn't a problem that you should need to worry about, but what'd be more concerning is that the user might then start assuming that 1Password won't ask to save a password on a site you absolutely do care about. This is where it starts harming you. If 1Password can't be trusted to prompt to save a password, then the motivation to use a true random password there goes to zero.

    I think that a better solution to this problem is More 1Password, not Less 1Password. With 1Password Business we offer free 1Password Families accounts to all users in the business account. By giving everyone 2 accounts, and explaining to them that their personal stuff belongs in their 1Password Families account you start having your cake and eating it too. The users can then develop better password practices at home (cause let's be honest... if they're using fluffybunny as a password at home they'll probably use it for something important at work too) which benefits you.

    I hope this helps.

    Rick

  • JimmyJetset
    Community Member

    Fair enough Rick, that all makes sense, thanks for the reply.

  • AGAlumB
    1Password Alumni

    Likewise, thanks for sharing your thoughts on this. It's certainly an interesting problem. :)

  • alfredomontalvo
    Community Member

    Hi @brenty - I just realized I never finished my reply to this months ago! Sorry!

    I'd like to have more administrative control for team member accounts. For example, in my 1Password for Mac preferences, I can adjust my security settings to my own preference. But the issue is if an end user in our organization turns off the "Clear Clipboard contents" setting or other security settings. Ideally, our IT team wants this setting always on for every user in our organization. Same for "Conceal passwords" and the auto-lock settings. Considering end users can download 1Password on a personal computer and log in with their company team account, we want to make sure that certain security settings are forced to protect company login details or other entries stored in 1Password from being accessed on unauthorized computers. Also, allowing the use of Touch ID is something we would prefer to review rather than be forced to allow for our employees. If someone uses 1Password on a personal phone, it can be easily accessed by using someone's finger. My ex-girlfriend got into my phone this way once when I was sleeping. If this isn't allowed in our organization, then we would know the Master password would be required every time and a user's vault would be secure unless they gave the password to someone. Considering shared vaults is a thing, it's a slight risk in my opinion if sensitive information in a shared vault can be accessed this way on a mobile phone.

    Granted, this is being extra cautious and may not be useful to all companies or team accounts, but it would be nice to have the extra control over security settings. I know there are a lot of companies that like things super secure such as financial companies, etc. I wouldn't want to control people's computers, but if these settings can be forced upon login to the app so they are "greyed out" and can't be changed by a standard team member who isn't an administrator, that is what I'm after. :smile: I hope this makes more sense now.

    Thanks,
    Alfredo

  • Hello @alfredomontalvo,

    Thanks for the feedback! Being able to limit your team members' access this way is definitely an interesting idea. We are looking for ways to improve the business memberships.

This discussion has been closed.