How 1Password for Teams protects your secrets

Since this is my first AgileBits byline, allow me to introduce myself. Last month, I joined the awesome security team here at AgileBits. I’m super excited to work with Jeffrey Goldberg, our Chief Defender Against the Dark Arts, and Jessy Irwin, our resident Security Evangelist. I aim to review product security and keep bad things from happening to good people. In addition, I write readable things: I’ve got a number of blog posts on deck that I look forward to sharing with you fine folks.

With pleasantries exchanged, let’s talk about 1Password for Teams, and about how your privacy and the security of your data are of the utmost importance to us. We are able to offer the great new features of 1Password for Teams by providing it as a service. If you are using 1Password but don’t have a 1Password for Teams account, your existing vaults remain unchanged, whether you sync them using Wi-Fi, Dropbox or iCloud. While we have made some significant changes to how your data is stored in 1Password for Teams, our commitment to security and privacy has not changed.

How 1Password for Teams keeps your data safe

When we set out to build 1Password for Teams, our first concern was that our cryptography and security be absolutely top notch. I mention them both because they work hand in hand to keep your data secure. We opted for security that is enforced by cryptography instead of software or personnel policy.

Cryptography is what makes your data completely worthless to hackers. It is our cryptography that ensures that even if someone were to hack into our servers they would be able to access nothing more than a bunch of random numbers.

Security is what ensures that there are no back doors or vulnerabilities in the code: the assurance that the operating system enforces the intended policies and that there are no workarounds or back doors into our servers.

Private by Design

We take the “privacy by design” approach because we believe that we can best protect your secrets by not knowing them. It is impossible to lose, use or abuse data one doesn’t possess. Therefore, we designed systems that reduce the amount of sensitive user data we can access or acquire.

Triple-Layer Cake

1Password for Teams stores your encrypted data on our servers, but neither your Master Password nor your Account Key is ever sent to our servers over any network. This means that we do not actually have the ability to decrypt your data. That is because decrypting your data requires all three of the following:

    • your Master Password
    • your Account Key
    • the Secure Remote Password (SRP)

If you use 1Password, you are already very familiar with the Master Password and its role in protecting your data. Let’s talk about the other two pieces of the puzzle: the Account Key and the Secure Remote Password.

The purpose of the Account Key is to protect your data from being decrypted by someone who might access or compromise our servers. It ensures that a password-guessing attack against your data is useless: even if an attacker were to correctly guess the Master Password, the vault would not unlock.
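To make the “a correct password guess alone is useless” property concrete, here is an added illustration (not AgileBits code, and not the derivation 1Password actually uses, which is specified in its white paper): the vault key is derived from both the Master Password and an Account Key, and a key-check tag shows that a password list containing the right password still unlocks nothing without the Account Key. The iteration count, salt and account key value are constructed for the demo.

```python
"""Two-secret key derivation: Master Password plus Account Key.

Added example, not AgileBits code. The vault key depends on BOTH a slow
hash of the Master Password and a high-entropy Account Key that never
leaves the client. The XOR mixing step is a stand-in for 1Password's
real derivation, which is documented in its white paper.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 100_000  # assumed demo value, not 1Password's setting


def derive_vault_key(master_password: str, account_key: str, salt: bytes) -> bytes:
    """Mix a slow password hash with the Account Key so both are required."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    ak_part = hashlib.sha256(account_key.encode()).digest()
    # XOR of the two 32-byte parts: knowing one input alone reveals nothing about the key.
    return bytes(a ^ b for a, b in zip(pw_part, ak_part))


def make_key_check(vault_key: bytes) -> bytes:
    """Tag stored beside the encrypted vault so the client can confirm a derived key."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def can_unlock(master_password: str, account_key: str, salt: bytes, key_check: bytes) -> bool:
    """True only if the key derived from this password AND this Account Key matches."""
    candidate = derive_vault_key(master_password, account_key, salt)
    return hmac.compare_digest(make_key_check(candidate), key_check)


def guesses_without_account_key(salt: bytes, key_check: bytes, guesses: Iterable[str]) -> Optional[str]:
    """Model the threat described above: someone holding the server-side data
    (salt and tag) tries a password list but has no Account Key to mix in.
    An empty string stands for the missing key. Returns a winning guess, or None."""
    for guess in guesses:
        if can_unlock(guess, "", salt, key_check):
            return guess
    return None


if __name__ == "__main__":
    salt = b"\x00" * 16                          # constructed; a real salt is random per user
    account_key = "constructed-demo-account-key"  # constructed placeholder value
    key_check = make_key_check(derive_vault_key("correct horse battery", account_key, salt))
    print("owner unlocks:", can_unlock("correct horse battery", account_key, salt, key_check))
    hit = guesses_without_account_key(salt, key_check, ["password", "correct horse battery"])
    print("right password in the list, but no Account Key:", hit)
```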

The Secure Remote Password (SRP) is a way for both the client and the server to authenticate each other without either revealing any secrets. The SRP encrypts all traffic over the network and verifies the authenticity of the remote server before sending your information over TLS/SSL.

In Math We Trust

These three pieces of information work together to symbiotically protect your data. The Account Key strengthens your Master Password exponentially. And since it never gets sent over the network, it can’t be reset, intercepted, or evaded. In fact, I would be happy to print out a 2D barcode of all of the information in my 1Password for Teams personal vault and tape it to my front door. And if you knew me, you would know that this is a very big deal.

Still have questions? You can read all of the details of how we secure your data and why we made the decisions we did by reading our White Paper (PDF). Please also leave us a comment below or join the conversation in our discussion forums. We love hearing from you!

2 replies
    eva says:

      Well, I really can’t speak to whether we will ever have a version of 1Password for Teams that can run on a company’s own servers. However, at this point in time it isn’t possible. Perhaps this could change at some point in the future, but given how many moving parts there are I wouldn’t expect this any time soon. I fear there are just too many things that can go wrong and supporting so many different configurations would be very difficult.

      Please let me know if you have any other questions that I may answer for you.
