![]() ![]() ![]() I had this happen on three accounts in the past year where one took me 3 days to recover the ability to access it, another I never could recover and we had to work around it and a third that was absolutely critical but took close to two weeks all said (lots of waiting). 1Password makes it this way.įrom a corporate standpoint, I don't want people using their personal devices for SMS OTP (2fa) because then if they leave, are disgruntled or get tragically hit by a bus I am locked out of a potentially important service/account. Don't get me wrong, it isn't like 2fa is so secure, it has been shown to be hackable for sure, especially when using SMS devices but if done properly it can add a level of extra effort for a bad guy and if that extra effort is easy for engineers to use they'll do it. People are lazy in general, if you tell 25 engineers at a startup they have to use two different tools just too handle credentials, the compliance rate of using 2fa will drop to nil, making accounts easier to hack. I understand what you are saying but part of security is making it easy enough that people will use it, but hard enough it isn't easy to break for bad actors. I don't think it should be considered enterprise software. To me, 1password feels like a small-time solution that tried to bolt on some enterprise features to retain customers. Again, other password managers allow more fine-grained control. ![]() You can't, for example, allow a user to initiate vault resets without giving them full admin access to the entire thing. This discourages password rotation, and increases the likelihood of orphaned passwords in other vaults.ģ. If you want to share a password across multiple teams/vaults, you need to know about and maintain those entries for the same account, which means you also have to have access to all those vaults to manage that entry. You can't create links to passwords, which would allow management of an entry from a single location. When I asked the 1password team whether they'd consider invalidating local cache on 2FA failure, they did not seem interested.Ģ. This seems like a really flawed design - a 2FA failure should prevent access. they just can't sync new/updated entries. If a user fails (or skips) 2FA, they still retain complete access to any passwords/vaults they previously locally synced. Three of the biggest issues I have with 1password:ġ. When compared to other offerings (LastPass, BitWarden) 1password consistently comes up short in enterprise features. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |