Agilebits, makers of 1Password, recommends robust password selection and protection. Thus, it stuck in its craw, says Jeff Shiner, the company’s chief, that its business users had no simple and secure way to share collectively used passwords or secrets to which one user might need to grant access to others on occasion or when unavailable. 1Password for Teams is a result of chewing on that problem and talking to its existing customers. It’s been quietly in the works for nearly two years, and entered a public beta on Tuesday.
Teams gain access to account information useful for a group of people.
Unlike the sort-of competing LastPass Enterprise, which is an integrated enterprise-scale product designed to integrate with existing corporate directory systems and act as a drop-in solution for shared password management, 1Password is more precisely a maturation and substantial extension of the desktop and mobile software already in place. In fact, those apps will be updated to work with the new subscription-based service without any outward change to individual users. (Shiner says Teams code has been quietly hidden in native client releases for a long time.)
In this first pass, it’s aimed more at companies that already use 1Password and want sophisticated sharing options. Over time, Shiner says the company intends to expand to meet more enterprise-oriented needs, such as Active Directory and LDAP connections.
1Password for Teams remains structured around vaults, just as with the personal product. But new to this edition, vaults for teams will be stored centrally on Agilebits’ servers, which will act as the synchronization point for members through a custom team URL, much like Slack. A web-based administrative tool allows finely grained access controls. Teams can create many vaults, and users are then assigned to them, while each user can have restrictions about whether they can add, delete, or modify entries. Guests can be granted access as well.
Each user with access to a vault can have permissions refined to a very fine degree.
Administrators can also set up “blind” access for users, so that they are unable to view passwords, but must use browser plug-ins on the desktop or 1Password’s iOS extension to fill in web logins and forms. Because the password fills directly into the web form, this approach doesn’t provide full protection—a browser with the right plug-ins can reveal hidden fields. But for casual users and typical usages, it sends a signal about password ownership and permission.
Access to a vault can be suspended on a per-user basis, which immediately disables access in the 1Password native clients. And a user who tries to work around this by going offline will confront a “lease timeout,” which will ultimately be a value that an administrator can set so that after a given period of being offline, vaults become unavailable.
Sign up for CIO Asia eNewsletters.