Managed service providers (MSPs) are hired by organizations to set up 1Password, handle administrative functions, manage users, perform health checks using Watchtower, report on and audit activity, and generally manage 1Password accounts. To accomplish this securely, 1Password created managed accounts.
Technical design
External Account Managers (EAMs) are a custom user type unique to managed accounts. 1Password cryptographically protects the ability to act as an EAM in a managed account.
When an MSP technician launches into a managed account as an EAM, a special federated session is obtained through a different endpoint on the 1Password server. Rules are in place to make sure EAMs can be used only with federated sessions, and only in the places they should be used.
Risk considerations
An MSP technician can unlink a 1Password account to end active account management. If the MSP is unable or unwilling to take action on a managed account, the managed company will retain access to its 1Password information. The company can export that information and import it into a new 1Password account.
The security measures that protect traditional 1Password accounts also protect MSP accounts. There are additional mitigations in place to reduce the impact and potential fallout of an MSP account compromise, including the ability to attribute all actions taken within a managed account to a specific MSP technician.