A public preview of Unlock with Okta is now available.

We’re pleased to announce that a public preview of Unlock with Okta is now available for all 1Password Business customers. This allows admins to set up their 1Password account so that team members sign in to 1Password with their Okta username and password, rather than their account password and Secret Key.

How did we get here?

A few years ago, unlocking 1Password with SSO began to come up more and more in conversations with our customers. While the value and benefits were clear, we didn’t pursue this feature because at the time we didn’t have a way to build it that met our stringent security standards. Unlocking with SSO has its own risk considerations that differ from 1Password’s traditional unlock model, and we wanted to make sure our solution was truly secure.

After many months of research and listening to our customers, we’ve engineered a solution with the same careful consideration for our customers' privacy and security as every other feature we’ve rolled out. The SSO project officially kicked off in 2022 and since then, we’ve had over a dozen unique teams and over 100 people here at 1Password working to bring this feature to our users in the most secure way possible.

Other enterprise password managers support SSO by taking one of two approaches. The first is an auth bridge, which creates a large and attractive target for an attacker, and requires customers to maintain on-premise infrastructure. The second is a shared encryption key, which means if a single employee is compromised, the entire company is put at risk. Neither of these approaches meet our stringent security requirements.

We opted for using a trusted device model, which means that if your identity provider credentials are ever compromised, attackers still won’t have access to your 1Password data. Unlock with Okta shifts away from needing the Secret Key that you are used to with your 1Password account, but it does so in a way that keeps all data secured on-device and at the same time increases your convenience. This is because a bad actor would still need a trusted device in order to prove your identity and access the data locked away inside your vaults. Your data will remain protected and now it’ll be even easier to sign into new devices that you own.

Our approach maintains zero knowledge, and is end-to-end encrypted, as decryption still occurs on device. We don’t store or have access to the keys needed to decrypt your data.

Here’s the short version of how our SSO solution works. Once a team member authenticates with Okta and returns to 1Password, the 1Password app downloads the user’s encrypted credentials. The team member’s device key, which is stored only on the user’s device, is then used to decrypt the credentials and complete the 1Password authentication process. After authenticating, team members can access their data just like before with biometrics (which can be configured by admins).

To add a new trusted device, the team member signs in to Okta again, thereby proving their identity. Then, using an existing trusted device, they enter a randomly-generated verification code (which is used to authenticate an end-to-end encrypted exchange between the new device and existing trusted device). This setup is only needed once for every additional trusted device that’s added to a user’s account. This is because 1Password’s server will store an encrypted version of the account’s unlock key for each trusted device within the user’s account.

We’ve had hundreds of requests over the years for various IdP integrations (including Azure, Duo, OneLogin and others). Okta, however, was by far the most requested identity provider, which is why we started with this integration.

Until now, our Unlock with Okta project was in a private beta, with a large group of 1Password customers deploying and testing the feature. The feedback helped us identify and solve bugs, make general improvements, and simplify our onboarding experience and documentation to make the deployment even easier. We’re excited that many more customers can now try Unlock with Okta through our public preview.

We’ll share more information as we get closer to general availability and the rollout of additional identity provider integrations. Using 1Password alongside Okta can greatly improve manageability and ease-of-use of your organization’s security.