Unlike the sort-of competing LastPass Enterprise, an enterprise-scale product designed to integrate with existing corporate directory systems and act as a drop-in solution for shared password management, 1Password is more precisely a maturation and substantial extension of the desktop and mobile software already in place. In fact, those apps will be updated to work with the new subscription-based service without any outward change to individual users. (Shiner says Teams code has been quietly hidden in native client releases for a long time.)
In this first pass, it’s aimed more at companies that already use 1Password and want sophisticated sharing options. Over time, Shiner says the company intends to expand to meet more enterprise-oriented needs, such as Active Directory and LDAP connections.
1Password for Teams remains structured around vaults, just as with the personal product. But new to this edition, vaults for teams will be stored centrally on AgileBits’ servers, which will act as the synchronization point for members through a custom team URL, much like Slack. A web-based administrative tool allows finely grained access controls. Teams can create many vaults, and users are then assigned to them, while each user can have restrictions about whether they can add, delete, or modify entries. Guests can be granted access as well.
Administrators can also set up “blind” access for users, so that they are unable to view passwords, but must use browser plug-ins on the desktop or 1Password’s iOS extension to fill in web logins and forms. Because the password fills directly into the web form, this approach doesn’t provide full protection—a browser with the right plug-ins can reveal hidden fields. But for casual users and typical usage, it sends a signal about password ownership and permission.
Access to a vault can be suspended on a per-user basis, which immediately disables access in the 1Password native clients. And a user who tries to work around this by going offline will confront a “lease timeout,” which will ultimately be a value that an administrator can set so that after a given period of being offline, vaults become unavailable.
AgileBits never handles unencrypted vault passwords or users’ master passwords. Rather, it shunts encrypted items around, and decryption happens either via scripts in its Teams website or in native clients. Teams support is initially available for OS X and iOS, and requires Chrome, Firefox, or Opera due to missing security support in Safari. The company uses public-key cryptography behind the scenes to allow multiple users’ access to the same vaults without the users requiring or having access to the vaults’ actual encryption keys. Native clients add vault access through an Account Key, displayed as text and as a QR Code which clients can scan—in OS X, a “scanning window” can be dragged from the native app over the 2D code in a browser.
1Password for Teams also has a unique twist on recovering lost access to vaults. With the individual product, losing the master password means all data in a vault is lost forever. With the Teams approach, Shiner says, that wouldn’t be acceptable for a company. So in Teams, it’s possible to create recovery groups who can give users back access to a lost vault, even if members of the recovery group lack access to the contents of the vault. Again, this is done without AgileBits having any knowledge of the passwords and keys.
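The sharing and recovery arrangement described in the two paragraphs above can be illustrated with a generic envelope-encryption sketch in Node.js. This is an added example, not AgileBits’ code or its actual key hierarchy: the function names, the RSA-OAEP and AES-256-GCM choices, and the `recovery` recipient are all assumptions, and it assumes the server withholds item ciphertext from recovery holders.

```javascript
const crypto = require('node:crypto');

// Constructed RSA key pair standing in for one member's keys (assumption).
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Wrap the symmetric vault key to a single recipient's public key.
function wrapKey(vaultKey, publicKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, vaultKey);
}
function unwrapKey(wrapped, privateKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Encrypt one vault item with AES-256-GCM, using a fresh nonce per item.
function sealItem(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function openItem(vaultKey, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', vaultKey, iv);
  d.setAuthTag(tag); // decryption throws if ciphertext or tag was altered
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// What a sync server would hold: item ciphertext plus one wrapped key per recipient.
function createVault(recipients, secret) {
  const vaultKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, kp] of Object.entries(recipients)) wrapped[name] = wrapKey(vaultKey, kp.publicKey);
  return { item: sealItem(vaultKey, secret), wrapped };
}

// Recovery: the recovery holder re-wraps the vault key for a user's new public key.
// It reads only vault.wrapped and never touches vault.item.
function recover(vault, recoveryPrivateKey, user, newPublicKey) {
  const vaultKey = unwrapKey(vault.wrapped.recovery, recoveryPrivateKey);
  vault.wrapped[user] = wrapKey(vaultKey, newPublicKey);
}

function readItem(vault, user, privateKey) {
  return openItem(unwrapKey(vault.wrapped[user], privateKey), vault.item);
}
```

In this sketch, removing a user’s entry from `wrapped` stops future unwrapping but does not revoke a key the client has already unwrapped, which is why revocation in such designs is normally paired with rotating the vault key.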
During beta testing, which Shiner says he expects to last at least until the end of 2015, and likely into the first quarter of 2016, 1Password for Teams will be free. After the product goes into full release, it will cost $5 per month per user per team. Requests to join the public beta have to be approved, but AgileBits says it’s throttling rather than filtering: It wants to make sure it can keep up with demand.