Tales from Fleet security: securing 1Password


Guillaume Ross


Securing 1Password

No matter how much we wish SaaS tools had support for Single Sign-On (SSO), there are still so many websites and other resources that require individual passwords. Running a company without providing employees with a password manager is setting them up for failure. Of course, people will use the same passwords on multiple sites if they do not have a way to manage different ones. That being said, password managers do centralize a lot of the security eggs in the same basket, which is why the manager itself must be as well protected as possible and why hardware security keys should be used on high-value systems.

At Fleet, we use 1Password. While configuring 1Password is relatively straightforward, here are a few things we do that can help you secure your 1Password instance.

Require 2FA

By setting the Account Password Policy to Strong, we gained the ability to support and then require 2FA.

When enabling 2FA, we ensured we also required it, as otherwise, there would always be some users without it.

2FA methods

We highly recommend that all of our users configure security keys as a 2FA method, but unfortunately, 1Password does not allow enforcing this. For this reason, we recommend that employees configure their keys and then delete the tokens from their authenticator apps.

We have made a feature request to 1Password, as having a very secure authentication method is excellent, but if weaker forms remain available, what's the point?

Restrict the number of administrators and powerful accounts

If an administrator account or an account with account management privileges gets compromised, things could go south quickly.

Ensure at least one admin recovery kit is stored securely

1Password, the company, can't retrieve our data as it is encrypted. If all admins were to get locked out at once, this could lead to data loss. For this reason, we store a physical copy of an emergency kit in a secure physical location.

Get rid of recovery kits on computers

We also ask that everyone delete emergency kits from their computers. To catch mistakes, we also run a policy in our instance of Fleet that runs this query:

SELECT 1 WHERE NOT EXISTS (SELECT * FROM file WHERE path LIKE '/Users/%%' AND filename LIKE '%Emergency Kit%.pdf');

This query succeeds if it does not find PDF files with a name like "Emergency Kit" in user directories.
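
To see the pass/fail semantics of this policy, here is an added example (not code from the original article or from Fleet) that runs the same query against an in-memory SQLite stand-in for osquery's `file` table. The sample hosts, the helper names and the companion "findings" query are assumptions made for illustration; in plain SQLite `%%` is just a wildcard, whereas osquery treats it as a recursive match.

```python
import posixpath
import sqlite3

# Policy query from the article: returns one row only when no kit is found.
POLICY = """SELECT 1 WHERE NOT EXISTS (
    SELECT * FROM file
    WHERE path LIKE '/Users/%%' AND filename LIKE '%Emergency Kit%.pdf');"""

# Companion query (added here): list the files that make the policy fail.
FINDINGS = """SELECT path FROM file
    WHERE path LIKE '/Users/%%' AND filename LIKE '%Emergency Kit%.pdf'
    ORDER BY path;"""


def _host_db(paths):
    """Build an in-memory stand-in for osquery's `file` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE file (path TEXT, filename TEXT)")
    db.executemany(
        "INSERT INTO file VALUES (?, ?)",
        [(p, posixpath.basename(p)) for p in paths],
    )
    return db


def policy_passes(paths):
    """A policy passes when its query returns at least one row."""
    return len(_host_db(paths).execute(POLICY).fetchall()) > 0


def offending_files(paths):
    """Paths to follow up on with the user so the kit can be deleted."""
    return [row[0] for row in _host_db(paths).execute(FINDINGS)]


# Constructed sample hosts (not real data).
CLEAN_HOST = ["/Users/alice/Documents/report.pdf", "/Users/alice/Downloads/kit.txt"]
DIRTY_HOST = [
    "/Users/bob/Downloads/1Password Emergency Kit A3-EXAMPLE-my.pdf",
    "/Users/bob/Documents/notes.pdf",
    "/tmp/1Password Emergency Kit copy.pdf",  # outside /Users: not matched
]

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("dirty", DIRTY_HOST)):
        state = "passes" if policy_passes(host) else "fails"
        print(name, state, offending_files(host))
```

Note that a kit saved outside `/Users`, or renamed so it no longer contains "Emergency Kit", does not fail the policy, so the check catches mistakes rather than deliberate hiding.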

Require modern apps

We enable this feature to block old, unsupported clients from accessing our vaults. Since these older clients might have vulnerabilities or not support the latest security features, this reduces the odds that something could go wrong.

On top of blocking old clients, we also push 1Password updates to our managed workstations to keep them up to date instead of only stopping very old clients.

Slack notifications

We have configured Slack notifications, which you can find under the integrations configuration page in 1Password. We ensure that our security and operations teams see critical information about 1Password accounts, such as recovery attempt requests.

Recovery process

We documented and practiced our recovery process to ensure everyone with access to perform recoveries knows how to identify the requester. We also ensure that anyone working on a recovery warns everyone and confirms they have identified the requester.

Item sharing

Item sharing is one of those features where we can't recommend a setting. More restrictive is more secure unless you often need to share secrets with third parties. We simply recommend picking what makes the most sense for you.

Effort and conclusion

We feel our 1Password environment is safer than the defaults with these settings. Applying these settings takes a matter of minutes and will require users to enable 2FA.

While additional configuration is possible to secure the Mac 1Password application, 1Password has unfortunately not kept these features in the recently released 1Password 8. If you are using 1Password 7, we definitely recommend checking them out.

Want to discuss this further?

Feel free to drop in our #Fleet Slack Channel to discuss anything security-related with us!

What's next?

Stay tuned for our next article in the Tales from Fleet security series!
