Both your password and Secret Key are required to be present to create this bundle, which allows you to sign in to 1Password, and then to decrypt your data.
With password and Secret Key accounts, your password and Secret Key are combined to derive two separate keys: an authentication key, and an encryption key (we call this pair of keys your credential bundle). Your account password and Secret Key fill two important (but distinct) security roles. The table on this support page details how this differs between platforms. How the device key is stored depends on the type of device you are using. With SSO-enabled accounts, your device remains responsible for providing a strong cryptographic key (its device key), while your identity provider becomes responsible for making sure that 1Password can only be unlocked by you.
In other words, your devices are responsible for memorizing a strong cryptographic key (your Secret Key), while your password ensures that only you can unlock 1Password on your device. Your account password protects your data on your devices, whereas your Secret Key (in addition to your password) protects data on our servers. In today’s password and Secret Key accounts, your account password and Secret Key fill two important (but distinct) security roles. The device key is what helps complete the process of signing in to 1Password with SSO, and it works differently than our traditional unlock. The device key is stored on users’ devices, and only on users’ devices. When using an SSO-enabled account, decryption is handled by the device on which 1Password is already installed, using a key – called the device key – that is unique to each device. To stay true to our promise, we needed something on top of traditional SSO. Popular protocols used for signing in with SSO – OAuth, OIDC, SAML – don’t provide a way for the user to end up with a decryption key only they know. The challenge is that traditional single-sign on is not made to solve this decryption problem. Our SSO implementation makes sure that neither 1Password nor the identity provider could gain access to your passwords. With the new ability to unlock with SSO, we wanted to stay true to our decryption promise. When we designed 1Password, we had to account for the possibility that some day our servers could be compromised. Your account password makes sure only you can do that.
For these kinds of services, SSO is an ideal solution for organizations: It provides centralized management of what users can access, and allows enforcement of strong authentication, policy, and auditability.ġPassword also needs to solve authentication and authorization problems - but the password you use for your 1Password account today also needs to decrypt your passwords. determining whether a user is who they say they are, and whether they should have access to a resource. Most web services “just” need to solve authentication and authorization problems – ie. Finally, we’ll share some notes on what Unlock with SSO means for the security of your 1Password account, and what the future holds. We’ll touch on why it’s a tricky problem and how we engineered a solution that lives up to the 1Password promise – including how we ensured that no one but you can access the data in your vaults. In this article, we’ll pull back the curtain a bit on the technical foundations of Unlock with SSO. Since then, we’ve spoken with many of you who are eager for more of the technical details – and we’re happy to oblige! We love a good deep dive, so let’s talk about some of the thinking behind our approach. Recently, we announced that 1Password Business customers will soon be able to unlock 1Password with Okta.
0 kommentar(er)
