Security and privacy

About the security of linked accounts

Learn how 1Password secures your linked account.

1Password Business and managed service provider (MSP) accounts can securely set up 1Password, manage users, run Watchtower health checks, audit activity, and set policies on behalf of linked 1Password accounts.

Technical design

When you link an account, a group is created in the linked account that includes people from the parent or MSP account who have permission to manage it. In MSP setups, this group is called External Account Managers. In business setups, it’s called Parent Account Administrators. 1Password cryptographically protects the ability to act as an account manager or administrator in a managed account.

When someone launches into a managed account as an account manager or administrator, a special federated session is obtained through a different endpoint on the 1Password server. Rules are in place to make sure the account manager or administrator role can only be used with federated sessions in permitted areas of 1Password.

When you link an existing 1Password account to a parent or MSP account, 1Password generates and encrypts a Linking Authentication Key. You, or another Owner of the prospective linked account, share that authentication key with your parent or MSP account administrator using a verification link.

If the parent or MSP account accepts the linking request, 1Password generates a set of keys. It also uses the Linking Authentication Key to create an authentication tag for the public key of the keyset. That authentication tag and the public key are sent to and stored on the 1Password server.

When an owner of the linked account completes the linking process, 1Password retrieves the public key and its authentication tag from the server. If the authentication tag is correct, that public key is used to encrypt the contents of the managed account, granting the parent or MSP account access.
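The check in the last step is what stops a substituted public key from being used. The sketch below is an added example, not 1Password's code: it assumes HMAC-SHA-256 as the tag construction (the page does not name the algorithm), uses random bytes as a constructed stand-in for the keyset's public key, and all function names and the context label are hypothetical.

```python
import hashlib
import hmac
import secrets

TAG_CONTEXT = b"linking-public-key-v1"  # hypothetical domain-separation label


def new_linking_auth_key() -> bytes:
    """Linked-account owner: generate the Linking Authentication Key (LAK)."""
    return secrets.token_bytes(32)


def tag_public_key(linking_auth_key: bytes, public_key: bytes) -> bytes:
    """Parent/MSP side: authenticate the keyset's public key with the LAK."""
    # Assumption: HMAC-SHA-256 stands in for whatever MAC 1Password uses.
    return hmac.new(linking_auth_key, TAG_CONTEXT + public_key,
                    hashlib.sha256).digest()


def accept_public_key(linking_auth_key: bytes, public_key: bytes,
                      tag: bytes) -> bool:
    """Linked-account owner: verify the tag before encrypting to the key."""
    expected = tag_public_key(linking_auth_key, public_key)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def simulate_linking(server_swaps_key: bool) -> bool:
    """Run the three steps; the server only stores (public_key, tag)."""
    lak = new_linking_auth_key()  # shared out of band via the verification link
    parent_public_key = secrets.token_bytes(32)  # constructed stand-in key
    stored = {
        "public_key": parent_public_key,
        "tag": tag_public_key(lak, parent_public_key),
    }
    if server_swaps_key:
        # Whoever controls storage never sees the LAK, so it cannot
        # produce a valid tag for a replacement key.
        stored["public_key"] = secrets.token_bytes(32)
    return accept_public_key(lak, stored["public_key"], stored["tag"])


if __name__ == "__main__":
    print("honest server:", simulate_linking(server_swaps_key=False))
    print("swapped key:  ", simulate_linking(server_swaps_key=True))
```

If verification fails, the owner's client should stop the linking process rather than encrypt account contents to the unverified key.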

Risk considerations

To link an existing 1Password account to a parent or MSP account, you must enter the sign-in address of the parent or MSP account you want to link to. This ties your verification URL to that particular account. The association reduces the risk of any negative impact because your URL can’t be used by any other parent or MSP account.

A parent account or External Account Administrator can unlink a 1Password account to end active account management. If the parent or MSP account is unable or unwilling to take action on a linked account, the linked account retains access to its 1Password information, which can be exported and imported into a new 1Password account.

The security measures that protect traditional 1Password accounts also protect linked accounts. There are additional mitigations in place to reduce the impact and potential fallout of a parent or MSP account compromise, including the ability to attribute all actions taken within a linked account to a specific parent account administrator or External Account Manager.
