1Password is periodically assessed to make sure it remains a secure way for you to share all your secrets. These unaltered reports provide insight into how independent auditors view the security of our products.
We might not publish a report if we’ve recently published a report with the same or broadly similar scope. We also might hold back a report if it’s about an unreleased feature. Though we aren’t able to publish every audit, we aim to publish as many as we can.
If you have a concern, contact the 1Password Security team. 1Password doesn’t make any assurances about responses to issues.
Penetration tests
1Password regularly requests auditors to perform penetration tests on its products and services.
| Auditor | Scope | Date | |
|---|---|---|---|
| Quaxio/Zxs | 1Password Confidential Computing System | September 2024 | Report |
| Anvil Secure | 1Password Annual Pentest | Summer 2024 | Report |
| Secfault Security | 1Password Connect | May 2024 | Report |
| Secfault Security | 1Password CLI | May 2024 | Report |
| Secfault Security | 1Password SCIM Bridge | May 2024 | Report |
| Recurity Labs | 1Password Events API | May 2024 | Report |
| Secfault Security | 1Password Annual Pentest | Summer 2023 | Report |
| Secfault Security | 1Password CLI | May 2023 | Report |
| Recurity Labs | 1Password Secrets Automation | May 2023 | Report |
| Recurity Labs | 1Password CLI | December 2022 | Report |
| Recurity Labs | 1Password SCIM Bridge | December 2022 | Report |
| Recurity Labs | 1Password Events Reporting API | December 2022 | Report |
| Secfault Security | 1Password 8 for Mac | November 2022 | Report |
| Cure53 | 1Password 8 for iOS and Android | October 2022 | Report |
| Secfault Security | 1Password Unlock with SSO | September, November 2022 | Report |
| Recurity Labs | 1Password 8 for Windows | August 2022 | Report |
| Recurity Labs | Service accounts with 1Password CLI | July 2022 | Report |
| Secfault Security | 1Password in the browser | June 2022 | Report |
| Recurity Labs | Web-based components | April, May 2022 | Report |
| Secfault Security | Universal Autofill in 1Password 8 for Mac | April 2022 | Report |
| Cure53 | 1Password 7 for iOS and Android | March 2022 | Report |
| Secfault Security | Developer tools | March 2022 | Report |
| Cure53 | 1Password 8 for Mac, Windows and Linux | December 2021 | Report |
| Cure53 | Web-based components | October 2021 | Report |
| Cure53 | Automations | June 2021 | Report |
| Cure53 | Web-based components | October 2020 | Report |
ISO certifications
1Password has achieved ISO 27001:2022, 27017:2015, 27018:2019, and 27701:2019 certifications. The International Organization for Standardization (ISO) sets the international standards for information security management, cloud security, and privacy.
Collectively, these certifications confirm 1Password meets the highest international standards for information security and privacy. Full details of our ISO certifications are available from the 1Password Trust Center hosted on Conveyor.
Learn more about the ISO certifications of 1Password.
SOC
1Password is SOC 2 type 2 certified. SOC, or Service Organization Control, is an independent auditing process that makes sure that 1Password securely manages data to protect customers’ interests and privacy. Request a copy of the SOC 2 report.
Learn more about SOC 2 certification of 1Password.
Bug Bounty Program
As of December 2024, 1Password has moved its bug bounty initiative to HackerOne.
HackerOne is engaged in an ongoing bug bounty program targeting the 1Password service and web-application. Check out the program details.
This program is currently open to the public and has received submissions from hundreds of unique researchers. Issues submitted range in scope and severity. Despite the presence of findings no user secrets were at risk.
ISE
Independent Security Evaluators (ISE) was engaged to perform a penetration test and code review of the 1Password system. The assessment was performed during April and June, 2020.
Full details are available in the ISE security assessment report
Onica
Onica was engaged to perform an assessment and audit of existing 1Password security architecture, infrastructure configurations, tools, and practices.
The review of the current AWS environments showed evidence that the AgileBits teams have undertaken significant research and gained a solid understanding of best practices from a platform level. The fundamentals of security best practices are being executed in the implementation.
Full details are available in the Onica security audit report