Account Governance allows administrators to take ownership of work-related accounts and the credentials used to access them. With 1Password SaaS Manager, administrators can discover work-related applications stored in team members' vaults and assess the risk associated with them. Account Governance is designed to provide visibility and control over work-related accounts and their credentials while preserving 1Password’s zero-knowledge and end-to-end encryption security model.
Technical design
App discovery and risk assessment
1Password discovers work-related applications in business account vaults when app discovery is turned on and sends the results to 1Password SaaS Manager.
1Password SaaS Manager assigns a risk score to each discovered application based on the risk of the associated accounts. It estimates risk using factors such as the potential impact if an account is compromised, the sensitivity of the data the app can access, the level of privileged access associated with the account, and the likelihood of common real-world attack patterns. These risk scores are continuously refined based on actual usage, access, and security posture data.
Transferring account ownership
When an administrator decides to take ownership of a work-related account, 1Password SaaS Manager creates a managed credential policy. The policy identifies the credentials used to access the account by attributes such as domain and username. This policy defines which credentials should be managed, but it doesn’t modify any credential data on its own.
When a team member unlocks 1Password on their device, the 1Password client evaluates the credentials the team member can access against the managed credential policy. If the client finds a matching credential, it begins the ownership transfer locally on the device.
During the transfer, the 1Password client decrypts the credential, generates a new item-level encryption key, and re-encrypts the credential with that key. The new key is then shared with an authorized group, allowing people in that group to manage the credential. By default, the authorized group is the Administrators group in your 1Password account.
Newly transferred credentials are stored on 1Password servers and are always end-to-end encrypted. Administrators can assign team members access to credentials and manage their permissions in 1Password SaaS Manager.
Security model
Managed credentials remain end-to-end encrypted throughout the ownership transfer process. Credential data is encrypted with a symmetric, item-level encryption key using AES-256-GCM, and only devices belonging to authorized groups can decrypt it.
Credential ownership transfers are performed locally on the 1Password client. A new symmetric item-level key is generated on the device and used to re-encrypt the credential data, so the credential is never decrypted or re-encrypted on the 1Password server.
The new item-level key is encrypted for the authorized group using RSA-OAEP with 2048-bit moduli and a public exponent of 65537. To prevent unauthorized transfer of credentials, Account Governance uses DNS-based verification to establish an external source of trust for the group keys involved in the credential ownership transfer.
Risk considerations
Managed credential fields, such as passwords, remain concealed from team members in the 1Password apps. Team members can use managed credentials by autofilling with the 1Password browser extension. While 1Password controls access to managed credentials, it can’t prevent a team member from attempting to capture credential information after it’s been used. We recommend using multi-factor authentication and/or passkeys for managed credentials.