To compare the two - 1pw is basically one of my favorite programs. LastPass is um... adequate? We have a lot of items in our LastPass vault and anytime we search it, add or change an item there is a 5-10 second lag. This according to LastPass support is unavoidable. Something to do with each item being individually encrypted/decrypted each time.
In any case, if 1Password for Teams is half as good as 1Password, I assume it will blow LastPass out of the water. And my experience with the Agilebits team gives me confidence that they'll work on actually improving the product instead of just looking for an exit.
What were the issues you had with the Android application?
Feedback is most certainly welcome here so we can try to focus our attention on the areas that are seeing the most sad faces from our users.
Thanks!
Kyle
AgileBits
Rob
AgileBits
Edit: since someone is apparently upset over my comment - those two features are absolutely mandatory in almost all corporate environments. If you have a comment to the contrary, feel free to share it. Don't just downvote my comment because you don't personally need the features.
I'm not super big on the terminology, but I assume on-prem is on-premise, meaning you'd like to self-host. If I have that correct then unfortunately I can't promise anything here. I will most definitely pass this along to our team though so that they know there are some requests for it.
As for Active Directory integration, I'll be completely honest here and say I'm not totally sure how we can support this one. We use an email, an Account Key, and a Master Password to access and decrypt your data. There isn't just a password to decrypt; we also use your Account Key combined with the Master Password. This could potentially provide some roadblocks to providing single sign-on support. If you're looking at it for group integration (i.e. User X is in Group Y in AD/LDAP, then they are in Group Y on 1Password for Teams), that might be a different story. I'll also pass your concerns and feedback for this one along.
I hope those are at least something, though I can certainly understand that it might not be to your liking. But if you have feedback or can help me understand things more I would certainly appreciate it. I'm just a developer and have never been a system admin, nor have I worked in a corporate environment. That leaves me a little green on those topics :)
Kyle
AgileBits
AD integration meaning yes, ability to tie users/groups between 1password and existing AD infrastructure. The idea there being that if a user is terminated, and their AD account is deleted/locked out, everywhere else is locked at the same time. Having to go to 20 different systems to try to clean them out is a great way to miss accounts :)
Please try, please help make the enterprise security software market suck less :(
Maybe v1.x doesn't need AD; however, it's something the dev team should definitely consider for later versions. Beyond that, it's really up to AgileBits how much of the large-corporate market they want to cater for (companies like Centrify seem to have found a niche there).
Thanks for listening.
Maybe you can explore Okta integration as possibly a faster route to AD integration.
Thank you for doing this. Super into analyzing this for security. 1Password is my preferred single-client solution, but not having a good Team solution has been a serious drawback.
https://teams.1password.com/white-paper/1Password%20for%20Te...
Let us know if you have any questions after giving that a read.
Kyle
AgileBits
I've recently bought the "real Windows application", since the Universal App doesn't allow entering new logins (really?), only viewing existing ones.
Unfortunately, KeePass was much more useful with its Alt-A shortcut. In 1Password I need to manually copy login data from the application, since I'm using Edge and there's obviously no plugin, yet (Edge's fault).
Oh, and syncing must be a bad joke. Lots and lots of sync options, but the only one working across all platforms (iOS, Windows Phone and Windows are the ones relevant to me) is Dropbox. No OneDrive, no WLAN sync.
And don't get me started on vault management. I was using a non-synced vault without realizing it for weeks, and then I was pulling my hair out trying to sync the correct one. I finally only managed to do that by completely removing the Windows Phone app and starting from scratch.
At least they are moving everything to opvault. It was fun trying to get everything to sync, only to find out that the default vault format "agilekeychain" cannot be synced to Windows phone (or was it Windows desktop? I'm not sure).
We are working on adding Teams to 1Password for Windows. Hopefully we'll have more to show for that in the not too distant future.
I also hear you on the Edge front, we're excited to see what we'll be able to do with Edge once a plugin framework is available.
As for syncing, the Windows application does support Wifi sync to iOS and Android applications, in addition to Dropbox. Between computers, you could use any sync service that syncs like Dropbox, i.e. to a folder locally and then the sync service copies the data back and forth while the data rests locally. Keep in mind though that we've only tested and can support Dropbox for this so you might run into unforeseen problems, but we do have users doing this and it seems to work for them.
That said, I am sorry for the trouble you've had. If you have any questions getting things setup you're welcome to ask questions on our support forum at https://discussions.agilebits.com. We're always happy to help users get setup and running.
I'll certainly pass your feedback along to the proper people as well.
Kyle
AgileBits
It is billed as a work-in-progress, but on my terribly limited HP Stream 7 tablet (Windows 10), 1Password is no less stable than any of the other apps.
I suspected that Windows development has been delayed by the need to support iOS MDM (mobile device management) for businesses. And here we are!
I also suspect that Microsoft changes in development options - particularly "Universal apps" via HTML and Javascript - moved too fast for an indie developer to follow, at least over the past 18 months.
Our Windows developers will get their day to shine soon enough as well and we hope you'll enjoy the work they've done. :)
Kyle
AgileBits
"A lot of folks only have experience with Logmein from the horrible way they handled transitioning users from the free to paid service.
My company has used Logmein Central for remote access to hundreds of PCs for years. The core software is great, reliable, and has been ever since we started using it.
The problem is that Logmein the company knows they're on top of the heap when it comes to remote management. They have no reason to innovate or improve where they can.
They added 2FA but otherwise we haven't seen a single new feature that we've taken advantage of in a very long time. Any features they do add hint at them wanting to be a RMM service but you'd have to be an idiot to trust them with more responsibility of your networks. Also a lot of those features require Logmein Pro which adds an insane amount of cost depending on how many systems you're managing.
Meanwhile there are bugs that have been around literally since we started using the software. For instance, copy/paste while in a session will randomly break. The Logmein client software is very buggy on OSX, crashes often, and search will randomly break. Their support is basically non-existent; although I haven't tried in a while, if you opened a ticket it would take days if not longer for a response and they'd usually just direct you to some unrelated KB or tell you to post on the forums.
We use Lastpass as well so this should be interesting. I've yet to see a merger that actually improved things from our end as a MSP. Cisco bought Meraki, Dell bought SonicWALL, at this point I assume any time we see a merger that its time to find a new vendor."
Are there single-sign-on options for Google Apps for Work?
Our sign-on process uses a modified form of SRP. (See the draft white paper). It is not a traditional "authentication" process and so can't use other SSOs.
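To make concrete why a verifier-based login does not fit a normal SSO flow, here is an added example of a standard SRP-6a exchange in Python. The reply above says 1Password uses a modified variant, so this is not their protocol, and it is not code from the original thread. Assumptions: the 1024-bit group from RFC 5054 Appendix A as transcribed here (check it against the RFC before reusing it), g = 2, SHA-256 in place of the RFC's SHA-1, and made-up identity and password strings. The thing to notice is that the server holds only a salt and the verifier v = g^x, the password never crosses the wire, and an assertion from an identity provider that the user is who they claim does nothing to help either side compute the session key.

```python
import hashlib
import hmac
import secrets

# Added example of a standard SRP-6a exchange, not 1Password's modified variant.
# Assumptions: the 1024-bit group from RFC 5054 Appendix A as transcribed here
# (verify against the RFC before reuse), g = 2, SHA-256 as the hash, and made-up
# identity and password strings supplied by the caller.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
WIDTH = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return x.to_bytes(WIDTH, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K = H(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enrol(identity: bytes, password: bytes):
    """Client side, once. The server stores (salt, v); it never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(identity, password, salt), N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N)          # ephemeral private value
        self.A = pow(G, self.a, N)             # sent to the server

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent a degenerate B")
        u = H(pad(self.A), pad(B))
        x = private_x(self.identity, self.password, salt)
        S = pow((B - K * pow(G, x, N)) % N, self.a + u * x, N)
        return hashlib.sha256(pad(S)).digest()


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N)
        self.B = (K * v + pow(G, self.b, N)) % N   # sent to the client

    def session_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("client sent a degenerate A")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        return hashlib.sha256(pad(S)).digest()


def run_exchange(identity: bytes, enrolled_pw: bytes, attempted_pw: bytes):
    """Full round trip. On the wire: identity and A, then salt and B, then a proof.
    Returns (client key, server key, proof accepted)."""
    salt, v = enrol(identity, enrolled_pw)
    server = Server(salt, v)
    client = Client(identity, attempted_pw)
    k_client = client.session_key(salt, server.B)   # msgs 1-2: A out, (salt, B) back
    k_server = server.session_key(client.A)
    transcript = pad(client.A) + pad(server.B)
    m1 = hmac.new(k_client, transcript, hashlib.sha256).digest()  # msg 3: client proof
    ok = hmac.compare_digest(m1, hmac.new(k_server, transcript, hashlib.sha256).digest())
    return k_client, k_server, ok
```

Run run_exchange with matching and mismatching passwords: with the wrong password the client's x differs, so the two sides derive different keys and the proof fails, and the server learns nothing beyond the mismatch. Because the session key itself is the proof of knowing the password, there is no step at which a third-party identity provider could vouch for the user instead.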
Lack of native Linux support (even just for an Ubuntu LTS) is holding back usage in both personal and professional use for me.
That there is an Android app makes the lack of a Linux implementation the more baffling.
The pricing does seem a bit high (the same price as google apps!). We're a startup with an engineering team of ~12 and only two or three of us pay for 1password right now. If we had 1password teams, I'm sure I could convince management to include pro versions of 1password for Mac & iPhone with every new employee as part of the "initial software package" that employees are allowed to expense. But another $100+/mo is a bit harder for them to digest. Regardless, looking forward to being invited into the beta/trial! :)
Note that pricing is not completely finalized just yet, and we will be offering different pricing tiers. In addition, a subscription to 1Password for Teams would replace the price of the individual apps, not add to it. So, you would be getting free upgrades for the client apps while you are subscribed to 1Password for Teams.
I hope that helps!
Rob
AgileBits
Heck, if you offer a good enough deal, I might be able to get a whole bunch of sister companies on it too.
What's not awesome though is how long they've been working on the refresh of the Android app with fingerprint support. Demoed in May, it's now November and they aren't even ready to launch it on their beta channel.
Really sorry about that. Our Android team is working as hard as they can to bring out updates. It's a tough balance because we've been hard at work on trying to bring 1Password for Teams to Android as well, which until today has been a secret project. This also means adding a lot of new features that are part of Teams, like multiple vault support.
For the fingerprint support it's important to note that this relies on Android Marshmallow so we couldn't ship that until then. It sounds like that has started rolling out though so that's no longer blocking us but a few other things are. I just thought that knowing it depended upon Android Marshmallow would help in seeing why that particular feature hasn't arrived yet :)
We're doing our best to get the Android application improved though.
Kyle
AgileBits
Finally started using ZOHO Vault. It gave us a way to create/manage/share "secrets" (passwords, PIN/PUK, Visa PIN, etc.) with our developers in a web app and a mobile app. Now it is part of our "welcome kit" for new workers. If you are alone you can use it for free, for your personal or professional secrets. (An example code that ZOHO Vault created for my profile looks like "x3Aq-JTyKg" - not this one, of course!)
Usually any customer that sees how we work copies our "work method"; if anyone recommends something better, of course we will test it too to compare!! Cheers!
I'm not super excited about the use of WebCrypto, but it isn't any worse than storing passwords in the clear in a database.
My biggest question is: does it support having an audit log of who accessed what credentials when? If that is supported I could see some of our teams switching over to this.
[Disclosure: I work for AgileBits]
I have been getting excited about Universal Two-Factor auth tokens. Sure, yet another standard, but U2F seems dead-simple from user perspective, and easy for developers to add to web apps.
If we rely more upon web-browser front-ends for 1Password UX, I'd feel way more comfortable with some kind of two-factor auth for the password vaults themselves.
I have inadvertently submitted my 1pw vault password to web sites, usually because keyboard focus changed and I didn't notice. Real people will inevitably do this from time to time, even in the absence of malicious phishing.
Good luck!
1Password for Teams has what we call Better Than Two-Factor™ through the use of an Account Key: https://support.1password.com/account-key/
The web client runs in Chrome, Firefox, and Opera, so Linux users will definitely be able to access it there. That's our immediate focus for now.
Rob
AgileBits
We all used SSH public keys (this was kind of new back then), so really only needed to consult the password book on certain reboots.
I'm obviously biased especially about the Android client :) but IMHO great iOS (and SDK), Android, Web Vault, browser plugins, Windows Phone, Surface, etc.
You would probably find our white paper on security and privacy very informative. If you'd like to give it a read you can find it here:
https://teams.1password.com/white-paper/1Password%20for%20Te...
If you have questions I'd be more than happy to make sure you get those answers. But this was a very important topic for us and that's why the white paper exists and I believe it should answer all of your concerns about security and privacy, if it does not then we will get those answered for you.
Kyle
AgileBits
Edit: I changed wording to "credentials (Email, Account Key, and Master Password)" from generic "data" which was sort of redundant and not clear.
None of this is directed at you guys; as I said, big fan. But it is a climate that has left consumers concerned, cynical and distrustful of the safety of any of their data.
Remember my credit cards, alarm codes and personal data is within 1Password - the most precious of my data.
I have read the link and the other I have been sent and I will definitely continue using 1Password, and I trust you guys as much as anyone can be trusted at the moment. Certainly it's safer than writing it down on a piece of paper right now :-)
Of course one way to being even more transparent (but not necessarily more secure) is to open source your means of securing, transmitting and remote storage; not the whole product of course.
But with a highly funded secretive agency weakening protocols and strong arming companies, what are we to do :-)
Again great product!
\item[True end-to-end encryption] All cryptographic keys are generated and managed by the client on your devices, and all encryption is done locally. Details are in \nameref{ch:deep}.
\item[Server ignorance] We are never in the position of learning your Master Password or your cryptographic keys. Details are in \nameref{ch:SRP}.
\item[Nothing “crackable” is stored] Often a server will store the password hash. If captured, this can be used in password cracking attempts. Your locally held Account Key means that the data we store cannot be used for cracking attempts. See \nameref{sec:account-key} and particularly Discussion~\ref{aside:factor} for details.
A way of summing this up is that we've aimed to design things so that our data store is not an attractive target. And that means not being attractive to LEAs.
With traditional two-factor authentication, an existing device is used to authorize a new one. But the existing device is only used for authorization. The one-time passwords are not used to harden the encryption.
Your Account Key works in much the same way. It is required to authorize a new device. However, your Account Key is actually used to improve the encryption of your data. Both your Master Password and your Account Key are required to decrypt your data.
More in that article. :)
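As an added example (not AgileBits' code; their real KDF and parameters are described in the white paper and differ from this), the following Python sketch of a two-secret derivation shows the property the reply above describes: the encryption key depends on both the Master Password and the Account Key, so a stolen server-side record plus the correct password is still not enough. PBKDF2-SHA256, the XOR combination, the verifier layout and the sample Account Key string are all assumptions made for the sketch.

```python
import hashlib
import hmac

# Added illustration of two-secret key derivation; not AgileBits' actual KDF. The
# PBKDF2 round count, the XOR combination and the verifier layout are assumptions.
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


def derive_vault_key(master_password: str, account_key: str, salt: bytes) -> bytes:
    """Slow KDF over the Master Password, combined with the high-entropy Account Key.
    The salt is stored server-side; the Account Key only ever lives on the device."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, 32)
    ak_key = hmac.new(salt, account_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, ak_key))


def make_verifier(key: bytes) -> bytes:
    """What a server might hold to recognise a successful unlock: a hash, never the key."""
    return hashlib.sha256(b"verifier:" + key).digest()


def crack_password_only(verifier: bytes, salt: bytes, wordlist):
    """Attacker holding the stolen server record and a wordlist that contains the real
    Master Password, but no Account Key. Each guess is missing the second secret, so
    the verifier gives nothing to test against. Returns the guess that matched, if any."""
    for guess in wordlist:
        pw_key = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ROUNDS, 32)
        if hmac.compare_digest(make_verifier(pw_key), verifier):
            return guess
    return None


def crack_with_account_key(verifier: bytes, salt: bytes, wordlist, account_key: str):
    """Same wordlist, but the attacker also lifted the Account Key from a device:
    now only the slow KDF stands between them and the password."""
    for guess in wordlist:
        candidate = derive_vault_key(guess, account_key, salt)
        if hmac.compare_digest(make_verifier(candidate), verifier):
            return guess
    return None
```

crack_password_only models the breach case the white paper calls "nothing crackable": the attacker has the salt and verifier and even has the correct password in the wordlist, yet every guess would also need the Account Key, so the stored verifier is useless for an offline search. Only when the Account Key is taken from a device as well (crack_with_account_key) does the problem collapse to an ordinary offline password attack, which is why the slow KDF over the Master Password still matters.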
Given the nature of passwords, if you've removed someone from the team you'll still want to change passwords for any items they have had access to if that's a concern.
Does that help answer your question? I'm happy to give you more information if you have more questions or if I somehow misunderstood your question. Just let me know!
Kyle
AgileBits
While in theory the passwords should be changed, shouldn't a new vault key also get generated/encrypted and the existing passwords get re-encrypted with the new vault key?
The case I was thinking about is: If for whatever reason that revoked user got access to an encrypted password that got added after he was revoked, he can still use the same vault key to decrypt it.
On a different note, I was trying to understand the granting access part and so far (correct me if I am wrong :)) I think it has to be done in a 3-stage process: 1. invite user, 2. user accepts and generates priv/pub and pushes encrypted priv + pub to 1Password, 3. admin confirms the grant by encrypting the vault key with the new user's public key. Did I get it right?
Lastly, would it be more secure if instead of using a master vault key just rely on priv/pub key of each user. When one member adds a new password, they encrypt it with each user's public key and provide it to them (can be considered as a big disadvantage to this approach). I think it makes revocation easier and denies access to future passwords since the user will be out of the team and won't receive new passwords created. But I am not a security expert, so I won't claim anything. :)
Rob
AgileBits
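Added example, not AgileBits' implementation and not from the thread, of the three-stage grant described in the comment above and of why revoking a member should also rotate the vault key. A toy Diffie-Hellman group over the 127-bit Mersenne prime stands in for real public-key encryption (far too small for actual use), HKDF-SHA256 derives wrapping keys, and an HMAC counter-mode keystream stands in for an AEAD cipher; member names, secrets and the epoch bookkeeping are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added illustration of vault-key sharing, grant and revocation; not AgileBits' code.
# Assumed primitives: a toy Diffie-Hellman group over the 127-bit Mersenne prime
# (far too small for real use), HKDF-SHA256, and an HMAC-SHA256 counter-mode
# keystream standing in for a real AEAD cipher.
P = 2**127 - 1
G = 5

def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 with an all-zero salt."""
    prk = hmac.new(b"\0" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC counter-mode keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[off:off + 32], ks))
    return bytes(out)

def wrap_key(shared: int) -> bytes:
    return hkdf(shared.to_bytes(16, "big"), b"vault-key-wrap")

class Member:
    """Stage 2 of a grant: on accepting the invite the member makes a keypair on device."""
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1  # never leaves the device
        self.pub = pow(G, self.priv, P)            # published to the server
        self.vault_keys = {}                       # epoch -> unwrapped vault key

    def unwrap(self, epoch, eph_pub, wrapped):
        self.vault_keys[epoch] = stream_xor(wrap_key(pow(eph_pub, self.priv, P)), b"", wrapped)

class Vault:
    """Server-visible state plus the admin client's copy of the current vault key."""
    def __init__(self):
        self.epoch, self.vault_key = 0, secrets.token_bytes(32)  # key: admin client only
        self.wrapped = {}  # member name -> (epoch, ephemeral pub, wrapped vault key)
        self.items = {}    # item id -> (epoch, nonce, ciphertext)

    def grant(self, member):
        """Stage 3: admin encrypts the current vault key to the member's public key."""
        eph = secrets.randbelow(P - 2) + 1
        wrapped = stream_xor(wrap_key(pow(member.pub, eph, P)), b"", self.vault_key)
        self.wrapped[member.name] = (self.epoch, pow(G, eph, P), wrapped)

    def add_item(self, item_id, secret: bytes):
        nonce = secrets.token_bytes(16)
        self.items[item_id] = (self.epoch, nonce, stream_xor(self.vault_key, nonce, secret))

    def revoke_and_rotate(self, name, remaining):
        """Drop the member, mint a new vault key, re-encrypt every item, rewrap for the rest."""
        self.wrapped.pop(name, None)
        old_key, self.vault_key = self.vault_key, secrets.token_bytes(32)
        self.epoch += 1
        for item_id, (_, nonce, ct) in list(self.items.items()):
            plain, new_nonce = stream_xor(old_key, nonce, ct), secrets.token_bytes(16)
            self.items[item_id] = (self.epoch, new_nonce, stream_xor(self.vault_key, new_nonce, plain))
        for m in remaining:
            self.grant(m)

def sync(vault, member):
    """Member pulls and unwraps whatever wrapped key the server currently holds for them."""
    entry = vault.wrapped.get(member.name)
    if entry:
        member.unwrap(*entry)

def read_item(vault, member, item_id):
    """Decrypt with the keys this member's device holds; None if it lacks that epoch's key."""
    epoch, nonce, ct = vault.items[item_id]
    key = member.vault_keys.get(epoch)
    return None if key is None else stream_xor(key, nonce, ct)

def demo():
    alice, bob, vault = Member("alice"), Member("bob"), Vault()
    for m in (alice, bob):
        vault.grant(m)
        sync(vault, m)
    vault.add_item("db", b"postgres://app:hunter2@db")  # constructed sample secret
    read_before = read_item(vault, bob, "db")
    # Revocation without rotation: bob's wrapped key is deleted, but his device still
    # holds the epoch-0 key, so an item added afterwards is still readable to him.
    vault.wrapped.pop("bob")
    vault.add_item("api", b"sk_test_constructed")
    leak = read_item(vault, bob, "api")
    # Rotate: new key, rewrapped for alice only; bob holds nothing for epoch 1.
    vault.revoke_and_rotate("bob", [alice])
    sync(vault, alice)
    vault.add_item("smtp", b"smtp-secret")
    return (read_before, leak, read_item(vault, bob, "smtp"),
            read_item(vault, alice, "smtp"), read_item(vault, alice, "db"))
```

demo() walks the sequence: both members are granted the epoch-0 key; bob's wrapped key is then deleted without rotation, and because his device still holds the unwrapped key he can read an item added after his removal. revoke_and_rotate mints a new key, re-encrypts existing items and rewraps only for the remaining members, after which bob cannot decrypt anything at epoch 1. Encrypting each item to every member's public key, as the comment suggests, works too but costs one wrap per item per member, and neither approach helps with secrets the departed member already read, which is why changing the underlying passwords remains necessary.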