Forum Discussion
RobSpencer
6 hours ago, New Member
Single Sign-on password sharing to Personal Account
To minimise the number of recoveries for our 1Password at Work accounts, we'd like to be able to permanently share the password for our Single Sign-on account to our linked 1Password at Home account....
Tom
4 hours ago, Bronze Expert
Given that personal accounts usually require the actual password (as in combination with the secret ID) and SSO on your work account 'bypasses' the secret ID, that wouldn't be really convenient, mostly because (unless I'm wrong) you still need that combo to decrypt your contents.
Potentially, if you are able to admin both SSO, e-mail and the auth-source, as a company admin you can bypass to access someone's credentials (malicious or not, but you effectively can). Extending that to family or personal accounts could potentially be a very bad combination.
Also, something else to think about: how would that work when your company policy is different (i.e. re-auth every x days) as opposed to the personal/family account's settings? While it would be a very neat one to have, I'll grant you that, I doubt it would be possible or even be desirable from a security perspective.
- RobSpencer, 3 hours ago, New Member
When we sign in to 1Password for Work using SSO, we're directed to the Microsoft 365 sign-in page in our browser. The password for this site is stored in the 1Password for Work employee vault. We still also require MFA to gain access to our Microsoft account, so the password is only one step, but a sadly crucial step. If we were able to share the Microsoft 365 credentials with our 1Password for Home vault, we'd be logging in to that vault with a different password that is (a) unrelated to our Microsoft 365 account and (b) not governed by the same password lifetime policy or credential expiry. That password is also less likely to be required to unlock that vault in our mobile phone clients, as they use biometric unlock. The biometric unlock doesn't bypass the SSO verification required for access to the 1Password for Work vaults.
We are not admins of the SSO Microsoft 365 domain, just the 1Password for Work instance. Besides, even if we were, that sounds like a lot of work each time a user gets locked out, which is what we are trying to avoid.