Teams and Businesses

Best practices for securing your 1Password Business account

Learn how to set up 1Password Business in a way that will protect your information and make sure you and your team can always access your account.

When you sign up for 1Password Business, your account is already protected by a suite of features designed to make it difficult for anyone to access your team’s information. You can follow the steps below to create policies within your organization and adjust settings within 1Password that will add additional layers of security and redundancy to your account.

Table of contents

Foundational settings and processes

Add at least one additional owner

You should have at least two owners in your account to guarantee redundancy for certain account-level permissions and capabilities. Owners are:

  • Capable of deleting your entire 1Password account and all data within it.
  • Able to recover accounts for people who have lost their Secret Key or account password.
  • The only people who can add another team member to the Owners group.
  • Able to authorize the 1Password support team to make changes to billing information.
  • The only people who can access and manage any shared vault that’s created in the account, including vaults created by people who are no longer in the account.

It’s critical to make sure you can recover an owner’s account if necessary. Learn how to implement a recovery plan for your team.

Tip

If a team member creates a shared vault containing important information, and no other person has permission to view the vault, an owner can grant access, ensuring data continuity.

Consider account recovery permissions and email administration

Owners and administrators can recover accounts for team members and create custom groups to give group members permission to recover accounts. It’s crucial to the security of your 1Password instance that the permission to recover accounts isn’t given to people and groups that have administrative access to the email systems of your organization.

When someone’s account is recovered, that person receives an email with a link to begin recovery. A malicious person with email administration access and the ability to recover 1Password accounts within your team could assume control of someone’s email inbox, recover their 1Password account, and take over their account. If someone uses this approach to sign in to your account as an owner, they could cause substantial damage, potentially deleting the entire 1Password account.

1Password uses email to invite people to your account and to recover their accounts if they lose access. When someone starts an account recovery for a team member, they should verify the identity of the recipient through means other than email and make sure that the team member completes the account recovery.

Set an account password policy early on

You can set minimum account password requirements for your account. Before you invite your team, create an account password policy. The policy isn’t retroactively enforced, so people who join your 1Password account before the policy is set will only be required to adhere to the policy if they change their password or if their account is recovered.

Tip

The account password protects your data on your device. It needs to be as strong as possible, but also easy to remember. If you have questions about creating a good password policy and communicating it to your team, contact your Customer Success Manager.

Require two-factor authentication where beneficial

The 1Password security model is based on encryption, from the two-secret key derivation approach for encryption-at-rest, to the use of the Secure Remote Password protocol for server-client authentication.

While authentication isn’t emphasized by this model, you may want to consider requiring two-factor authentication for your team members. When turned on, a second factor is required to sign in to your 1Password account on a new device, in addition to your account password and Secret Key. This adds an extra layer of protection.

In the unlikely event that an attacker has a team member’s account password and Secret Key, they would also need the device used for two-factor authentication – a smartphone with an authenticator app or a hardware security key – to sign in.

Learn how to manage two-factor authentication.

You can also require only certain team members or groups to use two-factor authentication. Create a written policy, then use team reports to see who has turned on two-factor authentication.

The two-person rule

If your organization has particularly high security requirements, consider following the two-person rule:

  1. Invite two or more generic organization-specific email addresses and add them to the Owners group.
  2. Split each new owner’s password and Secret Key between two people so they’re both needed to sign in as an owner.

After someone signs in as an owner on a device to perform a task, remove the owner information from the 1Password app and clear the browser session.

Access management and the principle of least privilege

Tip

When you grant access in 1Password, use the principle of least privilege. Only grant access to the information or permissions that each person needs for their role in the organization.

Group permissions (administrative capabilities)

Group permissions allow people to make changes that affect the entire 1Password account, so they should be granted carefully. To keep the number of team members in the Owners and Administrators groups as small as possible, you can create custom groups to grant administrative permissions to team members.

You can also allow only certain groups to create shared vaults. By default, everyone in the Team Members group can create shared vaults, but you can remove this permission from the group. A team member who creates a vault automatically becomes the manager of it and can manage access for other team members and groups, or delete the vault. It’s best to grant the Create Vaults permission to custom groups for team managers, department heads, and so on. Then educate these people on best practices for setting up shared vaults, such as naming conventions.

Learn how to use custom groups and permissions.

Vault access and permissions

Important

Access to data is determined at the vault level. After something has been shared, it cannot be unshared. Giving someone access to a vault or sharing an item externally means you no longer have control over that information.

When you set up and organize vaults, avoid creating general purpose ones with broad access. Instead, set up focused vaults that contain specialized information (for example, Toronto Office, Marketing, Vendor #12, and so on) and share these vaults selectively with team members or groups that need the information for their work.

Employee vaults are a place for your team members to store work-related information that they don’t want to share with others. Owners and administrators don’t have direct access to these, but they can create reports based on the vault contents, or gain access using the account recovery method mentioned above. Learn more about the Employee vault.

Keep the permissions that people and groups have for each vault to a minimum. In a shared vault, the highest set of permissions will take priority. If a team member has low-level permissions in a vault at the group level, then is individually granted higher-level permissions, the highest level of permissions is used.

For example, a team member is given the View Items permission for the Social Media vault as part of their membership in the Marketing group. They’re also added to the vault on an individual level and given the Create Items permissions to perform a task for a temporary project. In this case, the higher set of permissions, Create Items, applies.

Tip

The Copy and Share Items, Move Items, and Export Items permissions should be removed from group access on shared vaults unless they’re required for the group’s work. You can give specific people these permissions if necessary. Learn how to choose the default vault sharing permissions.

Vault access in apps

By default, your team members will be able to access vaults in the 1Password apps on their computers and mobile devices. You can manage app access when sharing a vault to restrict access to specific apps. For example, if you want to make sure sensitive data isn’t locally cached, you can remove access from all the apps but allow 1Password for Web (1Password.com), so your team can still access the vault in their browser. You can also allow apps from specific operating systems, such as Windows or Linux.

Item sharing

Item sharing settings are account-level and dictate how team members can share individual items. Manage item sharing settings proactively. In shared vaults, these settings work alongside the Copy and Share permission, which is applied at the vault level for individual team members or groups and allows people to share items from shared vaults externally.

Review access regularly

Responsibilities shift over time, so access should too. To prevent team members from having broader privileges than they need, audit vault permissions for users and groups regularly. Also regularly review permissions granted through custom groups. You can create usage reports for team members and vaults to quickly see what they have access to.

Items shared individually need to be managed carefully, and links should be deleted after they’re used. Learn how to use the Activity Log to delete item sharing links.

Tip

Refer to your organization chart of departments and leadership personnel regularly to make sure that high-level roles like managers and team leads have the correct levels of access within 1Password.

Run reports regularly

1Password Business includes a broad range of reporting tools to help you understand what’s happening in your account and how team members are using 1Password.

  • Insights give people in the Owners and Security groups an overview of data breaches, compromised, weak, or reused passwords in shared vaults, and reports on how your team is using 1Password.
  • The Business Watchtower report lets people in the Owners and Security groups view security issues across all your shared vaults, such as weak, reused, or compromised passwords, inactive two-factor authentication, and expiring items.
  • Usage reports are helpful for vaults containing high-value information. Regularly create usage reports for people with high-privileged access.
  • Monitor sign-in attempts in your 1Password instance to analyze the effect security policies have and take any action required to protect your team.

Report data for sign-in attempts is kept on the 1Password servers for 60 days. If you require access to this data for a longer period of time, use 1Password Events Reporting.

Tip

If you use a security information and event management (SIEM) or log analytics tool, consider integrating it with 1Password Events Reporting to get reports about 1Password activity like sign-in attempts and item usage in the central location where you manage your organization’s applications and services.

1Password integrations

1Password can be integrated with different types of third-party applications and services to allow it to become a valuable part of your organization’s technology stack. You can integrate with:

All of these integrations are set up using sets of credentials that allow access to part of your 1Password account. The scimsession file for 1Password SCIM Bridge or 1password-credentials.json file for 1Password Connect Server contains the credentials, which are encrypted at rest, and these are used to sign in to 1Password using a service account. The bearer token that is used to authenticate access to your SCIM bridge or Connect server also decrypts these credentials with each authenticated request.

When you set up integrations with 1Password, these credentials need to be saved in a shared vault that only specific people have access to. Don’t share these credentials using insecure methods like email or Slack.

For access tokens in 1Password Secrets Automation, the scope of access to vaults should be kept to a minimum. The level of access third-party applications have to vaults through the associated tokens, and the people who have access to 1Password Secrets Automation workflows and 1Password Connect Servers needs to be reviewed regularly.

Integrations allow automated tools unattended access to certain parts of your 1Password account. 1Password SCIM Bridge can make changes to the groups and group memberships, as well as invite and suspend team members. 1Password Secrets Automation allows third-party applications access to the contents of your vaults. 1Password Events Reporting allows your SIEM or other tools to capture usage metadata about your 1Password instance.

They do so by signing in to dedicated 1Password applications with specific credentials, similar to how a team member unlocks 1Password with their account password to access passwords and other items. Make sure you set up and treat these integrations with care and regularly review them.

Learn more about 1Password SCIM Bridge and 1Password Connect Server security.

Protecting your team members

Secure team members and devices

1Password is designed to be very resilient against attacks targeting data on the 1Password servers, as well as data in transit. In both cases, user data is encrypted with a key derived from the Secret Key and account password, which are only known by that person. Your team members' devices are the only viable place that an attacker could gain access to your 1Password data. Make it a top priority to keep these devices secure and educate your team members about security practices.

To keep your data safe:

  • Secure your team’s devices with full-disk encryption to lower the risk of unauthorized access on a device when it’s shut down.
  • Set devices to automatically lock within a short time period, requiring the user password to unlock it. This lowers the risk of the device being stolen in an unlocked state.
  • Allow your employees to use biometric authentication methods for convenient security.
  • Install high-quality anti-malware protection on the device that ideally doesn’t subvert the operating system’s own integrity and protection measures.
  • Use short auto-lock times for 1Password and rely on biometrics for convenience. Learn how to manage these settings with mobile device management.

To help educate your team, use these 1Password University courses:

Train your team on 1Password

Distribute a custom and dedicated 1Password policy to the team members you’re inviting to 1Password. Explain how 1Password should be used, what kind of data belongs in it, and how to organize that data. You can also let your team know they can use the complimentary 1Password Families membership to secure their personal information.

A tool is only valuable if people know how to use it correctly. This is especially important for security tools and processes an organization expects their team to use daily. Offer training resources for your team members. This training can go beyond 1Password to include security awareness in general and showcase good security hygiene benefits.

The ideal security awareness training explains not only how but also why. To get some inspiration as you create training programs, reach out to your 1Password Customer Success Manager or explore the courses available on 1Password University.

Offboarding your team members

Turnover happens and a robust offboarding process should be devised early on, clearly stating best practices for closing accounts and cycling passwords after an employee leaves.

  • Create a shared vault for team members during offboarding and ask them to copy items from their Employee vault to it. When the team member is suspended, the team will be able to quickly access and use the passwords they need, or transfer accounts to the appropriate people.
  • Even after an employee is suspended, change all of passwords that are outside of 1Password, such as their email account, to immediately revoke their access.
  • Assume that offboarded team members have copied shared passwords. You should change all the passwords that they had access to so any copies they may have created are no longer usable.
  • Create a usage report to identify items the former team member last used. Prioritize changing passwords in high-value vaults, then consider delegating other password changes to vault managers to reduce the time it takes to update all the passwords.
  • When you suspend or delete a team member, their data will be removed from the app and device only if they are connected to the internet and 1Password is unlocked. If the team member is offline when you suspend or delete their account, their items remain accessible until the next time they try to unlock 1Password while connected to the internet.

Learn how to offboard a team member.

Important

After something has been shared, it cannot be unshared. Reset or change passwords that have been shared with someone who no longer works at your organization, then save the new password in 1Password so everyone has access.

You can also create an offboarding consent form and include it with your employee policies. In it, you can let team members know that their Employee vault in 1Password:

  • Will no longer be accessible when they leave the organization. They can use the complimentary 1Password Families membership to store personal items.
  • Is only for work-related items, such as their work email password.
  • Can be accessed by administrators using account recovery if they leave suddenly due to an emergency or termination.

Contingency plans

If a device has been lost or stolen

If a device has been lost or stolen, and you’re certain that the device is locked, deauthorize the device:

  1. Sign in to your account on 1Password.com.
  2. Click People in the sidebar, then find the person and click their name.
  3. Scroll down and click next to the lost or stolen device, then click Deauthorize Device.

Data in 1Password on a device is encrypted with the person’s account password. As long as your team members use strong account passwords, someone who has access to a device won’t be able to view anything stored in 1Password. Set a strong account password policy and teach team members how to choose a good account password to protect against this case.

Learn more about what to do if your device was lost or stolen, and it has your 1Password data on it.

If a device has been compromised

If you believe someone had access to a team member’s unlocked device or Emergency Kit, has guessed a team member’s password, or that a team members' device was compromised by malware (like a keylogger attack):

  1. Suspend their 1Password account.
  2. Reset their email account password.
  3. Reactivate their 1Password account and start recovery on the account.

Asking the team member to change their 1Password account password isn’t sufficient in this scenario because a change of account password or Secret Key doesn’t create a new personal keyset; it only changes the Account Unlock Key (AUK), which encrypts the personal keyset. An attacker who gains access to someone’s old personal keyset can decrypt it with an old account password and old Secret Key, then use that to decrypt data that’s been created after the team member changed their account password. Always recover their account in this scenario to replace the keyset and re-encrypt all of their vault keys.

If a device has been stolen and is compromised

If a device has been stolen and is compromised, assume that the attacker may have gained access to the affected team member’s account and is keeping the device offline to create a copy of all information stored in the decrypted local database of the 1Password app. In addition to the mitigation steps above, you should also create a usage report for the team member and immediately change passwords and other sensitive data in the vaults they had access to.

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.

Published: