Extended Access Management

About the security of 1Password's access gateway

Learn about the security of the 1Password Extended Access Management access gateway.

1Password uses standard authentication protocols to integrate with managed applications, and the access gateway lets you reach them securely from a single authenticated session. When performing a risk assessment, businesses may want to consider the technical design of the 1Password access gateway, its risk considerations, and how these differ from those of other SSO providers.

Technical design

When you use 1Password’s access gateway, 1Password acts as your identity provider. After you sign in to 1Password, your authenticated session allows you to access your managed applications. You can launch into a managed app using its vault item in 1Password by choosing “Sign in using 1Password.”

Alternatively, you can visit the website for the managed app and choose to sign in with SSO.

Only administrators can create, delete, and edit managed apps, configure users and groups, and assign apps to them. Managed apps are stored as 1Password items in read-only vaults created solely for that purpose. This makes them available instantly and integrated with autofill, item management, and other features.

1Password adheres to OIDC and SAML authentication standards for all managed apps. 1Password identity service API requests and other communication are authenticated and internal to 1Password only.

Risk considerations

The risk considerations are outlined here, but note that many of these risks are shared with any SSO service provider.

The 1Password identity platform never has access to the private key portion of the key pairs that are generated for each managed app. Instead, 1Password assigns and uses a key identifier to perform authentication actions with a managed app. If 1Password infrastructure were to be compromised, it’s possible an attacker could sign their own data in order to access a service provider.

1Password SSO user sessions are limited to 8 hours and protected by security controls that guard against compromise. Managed app sessions may persist after 1Password is locked. If an employee is suspended or deleted, their third-party app sessions remain accessible for the duration of the session length.
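The two points above, key-identifier-based trust in a per-app key and the 8-hour 1Password session that managed-app sessions can outlive, are both things a service provider can check on its own side. The example below is added here and is not 1Password's code: it verifies a compact signed token by looking up its `kid` in a constructed key set, checks audience and expiry, and then caps the app's own session at `auth_time` plus the 8-hour IdP window. It assumes HS256 with a constructed shared secret as a standard-library stand-in for the asymmetric keys a real IdP publishes.

```python
import base64
import hashlib
import hmac
import json

IDP_SESSION_MAX = 8 * 3600  # the 8-hour 1Password SSO session limit described above

# Constructed key set indexed by key identifier (kid). A real IdP publishes asymmetric
# public keys; an HMAC secret is a stand-in so this runs with the standard library.
KEYS = {"app-key-1": b"constructed-demo-secret"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact header.payload.signature token the way an IdP would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, keys: dict, audience: str, now: int):
    """Service-provider checks: kid lookup, signature, audience, expiry.
    Returns (claims, None) on success or (None, reason) on rejection."""
    try:
        header, payload, sig = token.split(".")
        kid = json.loads(_b64url_decode(header)).get("kid")
        expected_sig = _b64url_decode(sig)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None, "malformed token"
    if kid not in keys:
        return None, "unknown kid"  # only the key assigned to this app is trusted
    expected = hmac.new(keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, expected_sig):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None


def app_session_deadline(claims: dict, now: int, app_max_seconds: int) -> int:
    """Cap the app's own session so it cannot outlive the IdP session that issued it."""
    return min(now + app_max_seconds, claims["auth_time"] + IDP_SESSION_MAX)
```

Bounding the app session on `auth_time` does not revoke a session when a user is suspended mid-window; it only guarantees the app session ends no later than the IdP session would have.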

When 1Password acts as your identity provider, it has knowledge of your sign-in activity, like what you sign in to and when. This is not the case when you use 1Password strictly as a password manager.
