Unlock with Okta has been available in public preview since February. Starting today, all 1Password Business customers can sign in to 1Password using Okta instead of their account password – and support for other SSO providers is coming soon.
People just aren’t built to juggle all the logins we use for work. IT departments spend so. much. time. on login-related issues that adopting 1Password reduces IT support tickets by 70%. That can save each member of your IT team 291 hours every year – a $286,000 efficiency gain.
Single Sign-On (SSO) helps, too. SSO can reduce your attack surface, strengthen minimum security requirements, and reduce IT support costs. It’s also a better login experience for workers, giving them a single set of credentials to log in to every service covered by your SSO provider.
Now, you can combine 1Password and SSO to enforce stronger authentication policies, improve auditing capabilities, and give employees a simpler sign-in experience.
Unlock 1Password with Okta
Together, Okta and 1Password further simplify and strengthen security – in a way that SSO, individually, can’t. While Okta protects logins for approved apps that you specifically add to Okta, 1Password protects virtually everything else.
That includes payment cards, sensitive documents, developer secrets, and logins not added to Okta. And it’s all woven into a comprehensive enterprise security suite with granular admin controls, actionable insights, and extensive reporting.
When you use Unlock with Okta to access your 1Password account company-wide, you can:
- Simplify adoption by giving your employees easier access to their 1Password accounts.
- Extend Okta’s authentication policies to every 1Password account unlock to strengthen access controls and improve security.
- Improve your auditing, compliance, and reporting workflows by tracking 1Password account sign-on events with Okta.
Pairing 1Password with your existing identity and access management (IAM) infrastructure fills the gaps in your sign-on security model and secures your employees no matter how they sign in.
And because onboarding and offboarding are critical pieces of the puzzle, you can connect 1Password to your identity provider via the 1Password SCIM bridge to automate provisioning and deprovisioning.
SSO, the 1Password way
It’s all done the 1Password way. Zero-knowledge architecture and end-to-end encryption are preserved, and decryption still happens on-device. Credentials are composed of the same values traditionally derived from the account password and Secret Key, and are decrypted on employee devices – which means that, as always, we don’t store or have access to the keys we would need to decrypt your data.
We’ve gone into detail about the technical underpinnings of our approach to SSO, but here’s the bottom line. Because we’re using a trusted device model, even if your identity provider credentials are compromised, attackers still wouldn’t be able to access your 1Password data.
But the 1Password way is about more than uncompromising security. Great usability is a security feature – if it’s not easy to use, workers will find a workaround in their pursuit of productivity. So we’re not willing to sacrifice ease of use in the name of security. Instead, we find ways to enhance ease of use through security, and vice versa. SSO is no different.
What admins need to know: How to enable Unlock with Okta
For admins, setting up Unlock with Okta for your company is simple. You’ll notice a new “Unlock with Identity Provider” heading in the “Security” section of your admin dashboard. This is where you’ll manage the Okta configuration in 1Password.
Select Okta as your identity provider, enter your Okta account details, and test the connection. Once complete, you’ll see a “Successful Connection” notification.
Next, you can customize your rollout strategy. We recommend a staged rollout for most companies, but you have choices: select specific groups to start with and add more later, roll out Unlock with Okta to everyone except guests, or roll it out to everyone at once.
You can also choose the length of time you’d like to give employees to complete the migration. Once the period of time you select runs its course, all employees included in the rollout will be required to use Okta to sign in to 1Password.
Prior to that, they can continue to sign in using their account password and Secret Key. Each employee included in the rollout will receive an email notification with those details, along with a prompt directly within 1Password 8 to begin making the switch.
What employees need to know: Register your first trusted device
When your admin enables Unlock with Okta, you’ll see a welcome screen the next time you log in to 1Password on any device using your account password. To add your first trusted device, follow the steps outlined on the welcome screen to sign in to your Okta account.
Once that’s done, you’ll see a confirmation that your device has been registered successfully. From that point on, you’ll use Okta to sign in to your 1Password account on that device.
Registering additional devices
Once you’ve registered your first trusted device, you can use it to authenticate additional devices. When you add an account from Settings, you’ll see a notification that the account you’re signing in to now requires you to sign in with Okta.
As you follow the onscreen instructions, a notification will appear on your first trusted device (if you allowed notifications during the initial setup), alerting you that a new device is trying to use your 1Password account.
You’ll also see a new, one-time code appear on your trusted device. Enter that one-time code on the unregistered device to confirm it as a trusted device. From then on, you’ll sign in to 1Password with Okta on that device.
Not using Okta? Stay tuned.
Unlock with Okta is the best of both worlds. Workers have a simple way to access everything they’ve stored in 1Password, using a single set of credentials they already know. Your company gets streamlined security policies, simplified administration and onboarding, and full control over – and visibility into – how employees use their 1Password accounts.
Not using Okta? Stay tuned. Unlock with Azure is now in private preview, and you can get a sneak peek in the attached setup video. We’ll be rolling out support for additional SSO providers like Duo in the near future.
And if you’re considering switching your business to 1Password, a quick reminder: when you make the move, we’ll help cover the cost.