1Password is periodically assessed to make sure it remains a secure way for you to share all your secrets. These unaltered reports provide insight into how independent auditors view the security of our products. 1Password doesn’t include personal views on the reports, or make any assurances about responses to issues. If you have a concern, contact the 1Password Security team.
Penetration tests
1Password regularly requests auditors to perform penetration tests on its products and services.
| Auditor | Scope | Date | |
|---|---|---|---|
| Recurity Labs | 1Password CLI | December 2022 | Report |
| Recurity Labs | 1Password SCIM Bridge | December 2022 | Report |
| Recurity Labs | 1Password Events Reporting API | December 2022 | Report |
| Secfault Security | 1Password 8 for Mac | November 2022 | Report |
| Cure53 | 1Password 8 for iOS and Android | October 2022 | Report |
| Secfault Security | 1Password Unlock with SSO | September, November 2022 | Report |
| Recurity Labs | 1Password 8 for Windows | August 2022 | Report |
| Recurity Labs | Service accounts with 1Password CLI | July 2022 | Report |
| Secfault Security | 1Password in the browser | June 2022 | Report |
| Recurity Labs | Web-based components | April, May 2022 | Report |
| Secfault Security | Universal Autofill in 1Password 8 for Mac | April 2022 | Report |
| Cure53 | 1Password 7 for iOS and Android | March 2022 | Report |
| Secfault Security | Developer tools | March 2022 | Report |
| Cure53 | 1Password 8 for Mac, Windows and Linux | December 2021 | Report |
| Cure53 | Web-based components | October 2021 | Report |
| Cure53 | Automations | June 2021 | Report |
| Cure53 | Web-based components | October 2020 | Report |
SOC
1Password is SOC 2 type 2 certified. SOC, or Service Organization Control, is an independent auditing process that makes sure that 1Password securely manages data to protect customers’ interests and privacy. Request a copy of the SOC 2 report.
Learn more about SOC 2 certification of 1Password.
Bugcrowd
Bugcrowd, Inc. is engaged in an ongoing, private bug bounty program targeting the 1Password service and web-application. Testers are provided with details of the API.
This program is currently open to the public and has received submissions from 387 unique researchers. These issues ranged in scope and severity, with nine high priority issues being discovered during this time frame. Despite the presence of these high priority findings no user secrets were at risk. Additionally, as of January 1, 2020, all the high priority submissions from this program were confirmed to be resolved.
None of the identified issues resulted in a loss of confidentiality, integrity, or availability.
Full details are available in the Bugcrowd security review
ISE
Independent Security Evaluators (ISE) was engaged to perform a penetration test and code review of the 1Password system. The assessment was performed during April and June, 2020.
Full details are available in the ISE security assessment report
Onica
Onica was engaged to perform an assessment and audit of existing 1Password security architecture, infrastructure configurations, tools, and practices.
The review of the current AWS environments showed evidence that the AgileBits teams have undertaken significant research and gained a solid understanding of best practices from a platform level. The fundamentals of security best practices are being executed in the implementation.
Full details are available in the Onica security audit report
AppSec
AppSec Consulting was contracted to perform a penetration test and code review of the 1Password application. The assessment was performed during July, 2018.
The security controls observed in the 1Password application were found to be substantial and unusually impressive.
Full details are available in the AppSec security review
nVisium
nVisium LLC was employed to perform a security assessment of the 1Password infrastructure. The assessment was performed during October and November, 2015.
It is nVisium's estimation that the current overall risk to AgileBits through the Cloud Infrastructure is low.
Full details are available in the nVisium security review
CloudNative
CloudNative, Inc. was employed to analyze 1Password and provide best-practices guidance. The assessment was performed during September and October, 2015, prior to the public beta period.
Full details are available in the CloudNative security review