Skip to main content
1P_SimonH
Community Manager
July 9, 2026

June 2026 at 1Password: Welcoming Apono, Credential Broker in beta, and a long-awaited Families update

  • July 9, 2026
  • 0 replies
  • 3 views

In June, 1Password acquired Apono to bring just-in-time privileged access governance into the Unified Access platform and launched the private beta of 1Password Credential Broker. Read on to learn about Apono, a long-awaited change to 1Password Families member removal, and AI-assisted query creation in Device Trust.

Welcoming Apono to 1Password

We acquired Apono, a privileged access governance company built around the principle of Zero Standing Privilege, to bring just-in-time access controls into the Unified Access platform.

Access governance built for humans alone no longer covers the full picture. Machine identities already outnumber human identities in most enterprises, and AI agents are taking on more tasks across cloud infrastructure, data systems, and production pipelines. Apono's platform grants access only when needed, scopes it to the task at hand, and revokes it automatically when the work is done. Every grant carries a full audit trail.

Together with 1Password Credential Broker, Apono addresses two connected sides of the same problem. Credential Broker governs where credentials live and how they reach a verified requester. Apono governs what that identity is permitted to do once access is granted, and for how long.

Welcome to the team, Apono.

Read more about Apono joining 1Password.

Changes to Family account membership

This month we shipped a change to how 1Password Families works when a member is removed from an account.

When a family member is removed, their account enters a 30-day transition window. During that time, the removed member is notified and  guided through the process of migrating their private vault data into a new, standalone 1Password account. 

They won't lose access to the items that were in their private vaults.

  • What transfers over:  All private vaults  and their contents.
  • What stays with the family account: Shared vaults and their contents.

This change applies to all 1Password Families plans. No action is needed on your end – the flow kicks in automatically when a removal happens.

Read more in our support article on leaving a family account.

Our take on Verizon's latest security research

We shared our take on the 2026 Verizon Data Breach Investigations Report, which analyzed more than 31,000 incidents across 145 countries. The findings are worth reading whether you manage a security program or just want to know whether your personal accounts are in good shape.

The headline finding: vulnerability exploitation has overtaken phishing as the leading initial access vector for breaches. But the real takeaway is that the basics still matter most. Create a unique password for every account, enable two-factor authentication wherever you can, and keep your Watchtower score healthy – these these are the fundamentals that will reduce your risk of being breached. 

One finding that stands out for everyday users: 67% of people in the dataset used non-corporate accounts to access AI services on corporate devices, and source code was the most common data type shared with external GenAI tools. That's a good reminder that the riskiest behavior often feels harmless in the moment.

Read more about what the 2026 DBIR means for your security.

Introducing 1Password Credential Broker

Long-lived secrets in CI/CD pipelines are one of the most common sources of credential exposure. We launched the private beta of 1Password Credential Broker to change that, with general availability targeted for late 2026.

The core idea: a workload or AI agent should never hold credentials it doesn’t currently need. It proves who it is, receives exactly what policy permits, and loses that access when its job is done.

The initial beta focuses on GitHub Actions. When a workflow runs, GitHub generates a signed token confirming which repo, branch, and workflow is executing. 1Password validates that token against a policy you configure, then delivers exactly the credential that job is approved to retrieve. No static service account token. No long-lived secret sitting in an environment variable. Every access event is logged with full attribution: the repo, branch, workflow, environment, and commit that triggered it.

If you want early access, sign up for the waitlist

Read more about 1Password Credential Broker.

AI-assisted query creation in Device Trust

We shipped AI-assisted query creation in 1Password Device Trust, giving admins a faster way to investigate their device fleet without having to write SQL from scratch.

Device Trust uses osquery and additional proprietary data sources to provide your IT and security teams with a live, queryable view of every endpoint. Writing correct, performant osquery SQL has always required specialized knowledge that most admins don’t have on hand, especially during an active investigation. Now you describe what you want to find in plain English, and Device Trust generates a ready-to-run query you can review and execute with a single click.

Some examples of what you can ask:

  • "Which macOS devices have FileVault disabled?"
  • "Which devices have AI desktop apps like ChatGPT, Claude, or Cursor installed?"
  • "Check all Windows devices to see if PowerShell is disabled"

The tool also works on existing SQL. Paste a query into the builder, and it will tighten your filters, narrow the columns, and suggest more efficient patterns. Every generated query is shown in full before anything runs. You decide what to execute and which devices to target.

Learn more about AI-assisted query creation in 1Password Device Trust.=

Random but Memorable

Release note highlights

Browser extension

  • You can now see the pages where you've hidden 1Password in your Autofill & save settings.
  • On verified low-risk sites, the phishing prevention prompt now highlights "Add website and autofill" as the primary action.
  • Fixed an issue where items with one-time passwords with a custom refresh window longer than 255 seconds wouldn't work properly.
  • We’ve fixed an issue where the 1Password welcome screen could open randomly in Safari.

Mac, Windows, and Linux

  • If you use the 1Password browser extension, Brave Origin can now automatically connect to the 1Password app.
  • We’ve fixed an issue where items with one-time passwords that had a custom refresh window of longer than 255 seconds wouldn’t work properly.
  • We’ve fixed an issue where search results didn’t include contents from some fields, such as the Type field for credit cards. 
  • [Windows only] We’ve fixed a crash that could occur when you first opened or unlocked 1Password. 
  • [Mac only] We’ve fixed an issue where Universal Autofill wouldn’t fill logins in most apps.

iOS, and Android

  • [iOS, Android] We’ve fixed an issue where items with one-time passwords that had a custom refresh window of longer than 255 seconds wouldn’t work properly.
  • [iOS, Android] We’ve fixed an issue where search results didn’t include contents from some fields, such as the Type field for credit cards.
  • [Android] You’ll now see an Open 1Password option in the list along with suggested logins when you sign in to an app or website, so you can search for other items if you need them.
  • [iOS] When you turn on 1Password as an AutoFill provider in the iOS Settings app, you’ll now see a suggestion to turn off other password managers.