About the security of managed accounts

Learn how 1Password secures your managed account.

Managed service providers (MSPs) are hired by organizations to set up 1Password, handle administrative functions, manage users, perform health checks using Watchtower, report on and audit activity, and generally manage 1Password accounts. To make this possible securely, 1Password created managed accounts.

Technical design

External Account Managers (EAM) are a custom user type unique to managed accounts. 1Password cryptographically protects the ability to act as an EAM in a managed account.

When an MSP technician launches into a managed account as an EAM, a special federated session is obtained through a different endpoint on the 1Password server. Server-side rules ensure that EAMs can only be used with federated sessions, and only in the contexts where they are intended to be used.

When you link your existing 1Password account to an MSP, 1Password generates and encrypts a Linking Authentication Key. You, or another owner of the prospective managed account, share that Linking Authentication Key with your MSP via a verification link.

If the MSP accepts the linking request, 1Password generates a set of keys. It also uses the Linking Authentication Key to create an authentication tag for the public key of the key set. That authentication tag and the public key are sent to and stored on the 1Password server.

When an owner of the managed account completes the linking process, 1Password retrieves the public key and its authentication tag from the server. If the authentication tag is correct, that public key is used to encrypt the contents of the managed account, granting the MSP access.
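The three steps above amount to a keyed-authentication handshake: the owner holds the Linking Authentication Key, the MSP tags its public key with it, the server stores the tagged key without holding the key that made the tag, and the owner refuses to encrypt to any public key whose tag does not verify. The sketch below is an added example written for this page, not 1Password's code; the page does not name the tag algorithm or the key formats, so HMAC-SHA256 for the tag and random bytes standing in for the MSP key set are assumptions, and the final encrypt-to-key step is represented by returning the verified key.

```python
"""Sketch of the linking handshake described above (stdlib only).

Roles:
  owner  - an owner of the prospective managed account; holds the LAK
  msp    - receives the LAK via the verification link, generates a key set
           and tags its public key
  server - stores the public key and its tag; never sees the LAK
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAG_ALG = "sha256"  # assumption: the page does not name the tag algorithm


def generate_linking_authentication_key() -> bytes:
    """Owner side: a fresh, random Linking Authentication Key (LAK)."""
    return secrets.token_bytes(32)


def generate_msp_key_set() -> tuple[bytes, bytes]:
    """MSP side: stand-in for the key set 1Password generates.

    Returns (public_key, private_key). Random bytes replace a real
    asymmetric pair so the sketch stays stdlib-only; only the public half
    is tagged and published.
    """
    private_key = secrets.token_bytes(32)
    public_key = hashlib.sha256(b"pub|" + private_key).digest()
    return public_key, private_key


def make_authentication_tag(lak: bytes, public_key: bytes) -> bytes:
    """MSP side: bind this public key to this linking request with the LAK."""
    return hmac.new(lak, public_key, TAG_ALG).digest()


@dataclass(frozen=True)
class ServerRecord:
    """What the server stores: the public key and its authentication tag."""
    public_key: bytes
    tag: bytes


def publish(lak: bytes, public_key: bytes) -> ServerRecord:
    """MSP side: tag the public key and hand both to the server."""
    return ServerRecord(public_key, make_authentication_tag(lak, public_key))


def retrieve_verified_public_key(lak: bytes, record: ServerRecord) -> bytes:
    """Owner side: recompute the tag and compare it in constant time.

    Only a public key whose tag verifies is returned for use as the
    encryption target; a substituted key or a corrupted record raises and
    the linking process is aborted before anything is encrypted.
    """
    expected = make_authentication_tag(lak, record.public_key)
    if not hmac.compare_digest(expected, record.tag):
        raise ValueError("authentication tag mismatch: refusing to encrypt to this key")
    return record.public_key


def demo() -> dict:
    """Run an honest link and a constructed key-substitution attempt."""
    lak = generate_linking_authentication_key()
    msp_pub, _msp_priv = generate_msp_key_set()
    record = publish(lak, msp_pub)
    accepted = retrieve_verified_public_key(lak, record) == msp_pub

    # Constructed tampered record: a different public key paired with the
    # original tag, as would happen if the stored key were swapped.
    other_pub, _ = generate_msp_key_set()
    tampered = ServerRecord(other_pub, record.tag)
    try:
        retrieve_verified_public_key(lak, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {"honest_record_accepted": accepted, "substituted_key_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that the server can store and serve the record but cannot forge a tag for a key of its own choosing, because the LAK only ever travels between the owner and the MSP. Verification uses `hmac.compare_digest` so the comparison does not leak how many bytes of the tag matched.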

Risk considerations

To link an existing 1Password account to an MSP, you must enter the sign-in address of the MSP you want to link to. This ties your verification URL to that particular MSP. The association reduces risk because your verification URL can't be used by any other MSP.

An MSP technician can unlink a 1Password account to end active account management. If the MSP is unable or unwilling to take action on a managed account, the managed company will retain access to their 1Password information. They can export and import it into a new 1Password account.

The security measures that protect traditional 1Password accounts also protect MSP accounts. There are additional mitigations in place to reduce the impact and potential fallout of an MSP account compromise, including the ability to attribute all actions taken within a managed account to a specific MSP technician.
