Forum Discussion

codemonk
New Contributor
4 months ago

Feature Request - Comment To View Password

Hello,

We have recently started to use 1Password and as part of this, there are a few features it's lacking.

On our old password manager, we were able to enable an additional security measure that required us to add a comment on why we were viewing the password before seeing it. This was a big help during our compliance and security audits and really would be a useful feature to have.

Are you able to add something like this?

Jason

6 Replies

  • codemonk
    New Contributor

    Hello Dave,

    Thanks for providing me with an update.

    So, I can confirm that we do use least privileged access to the vaults, as this is always recommended, but our financial auditors really do like to have some kind of reference on why a password has been used/seen.

    It's always useful for internal auditing as well, as there is a detailed track of what the passwords have been used for.

    Kind Regards,
    Jason


    • 1P_Dave
      Moderator

      codemonk 

      Thank you for those details. For the time being, using 1Password's reporting solutions would be the best option. I've responded to your other feature request here.

      I've passed along your feedback to the team by filing a feature request on your behalf. While I can't make any promises, the team will look into ways that 1Password can help you meet this auditing requirement for the future. If you're using 1Password Business then I also recommend that you reach out to your Customer Success Manager so that they're aware of your specific needs as well. 

      -Dave

    • Tom
      Dedicated Contributor

      From the Business version admin perspective I can tell you that you can run reports (at least up to 12 months) on who did what to which passwords. If you are an (eligible) admin you can use the three dots on a password and there will be a link to a report there.

      As for 'comment before usage', I guess I can understand the requirement, but your co-workers could view this as 'annoying' and fill in things like 'because' or 'doing work'. Knowing that they are just audited afterwards might be a better option, though when something does arise it might be hard to recall why you viewed customer X's password in January of last year. (So comments would be better.)

      Unfortunately, as far as I've looked it up now, one needs specific privileges to view the audit reports (e.g. it's not something tied in with vault-admin; or is it, 1P_Dave, and did I just misinterpret?). On my primary business account I'm vault-admin plus some other privileges, but not owner or security admin, so I can't properly determine this myself now.

  • codemonk
    New Contributor

    Hello Dave,

    Thank you for your prompt reply. 

    I can confirm that we are following your least privileged access model, and the vault in question only has 3 people able to view this.

    We have third-party auditors that question why a certain password has been used for financial systems. We currently do this on secrets server, as it requires you to write a comment before you can see the password. It has been really useful for us for showing compliance and process, and would really be a nice add-on to have.

    I also have looked at your SIEM solutions and have another feature request open about that as well, as it's a bit lacking with vault names and entries.

    Jason


  • Hello codemonk! 👋

    Thank you for reaching out! 1Password's security model is based on encryption: once you add someone to a vault, that person will have access to all items in the vault without needing to enter a reason for accessing an item. The standard recommendation is to share vaults with the minimum necessary number of people.

    Have you considered using 1Password reporting and log tools for your compliance and auditing needs instead? They can tell you who accesses an item and when, and you can even feed reports to a SIEM solution using the Reports API. Here are some links:

    If the reporting tools don't work for your needs then can you tell me a little more about your compliance/auditing needs? Are you trying to meet certain standards imposed by a third-party? Or are these audits something that your team has developed and deployed internally? I can pass your use case along to our product team for consideration. 

    -Dave

  • codemonk
    New Contributor

    Replied on the wrong post. My bad.

    Hello Dave,

    I can confirm that we have done this with Elastic but it just shows the IDs of the password and vault; we really need the actual name.

    And thanks for filing a feature request for us.

    Jason
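The gap codemonk describes in the thread (the SIEM feed carries vault and item IDs, but auditors need names) can be closed on the collector side by joining the usage events against a separately exported vault/item inventory before they reach Elastic. The following is an added example for this thread, not 1Password's own code or part of any post above: it assumes item-usage events shaped like 1Password's Events API records (fields `vault_uuid`, `item_uuid`, `user`, `action`, `timestamp`; an assumption, not verified against the page), and it uses a constructed ID-to-name map standing in for an inventory export. Events whose IDs are not in the inventory are flagged rather than silently dropped, so a stale export shows up in the audit trail instead of hiding an access.

```python
"""Enrich item-usage events with vault/item names before SIEM ingest.

Added example for the thread above; not 1Password's code. Field names
follow the assumed shape of Events API item-usage records.
"""
import json
from collections import Counter
from typing import Iterable

# Constructed inventory (stand-in for an export of vault/item metadata).
# The UUID strings are made up for this example.
VAULT_NAMES = {"vault-fin-0001": "Finance Systems"}
ITEM_NAMES = {
    "item-erp-0042": "ERP admin account",
    "item-bank-0007": "Bank portal",
}

# Constructed sample events; "reveal" = password shown, "fill" = autofilled.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-04T09:12:00Z", "action": "reveal",
     "vault_uuid": "vault-fin-0001", "item_uuid": "item-erp-0042",
     "user": {"email": "jason@example.test"}},
    {"timestamp": "2024-03-04T09:15:30Z", "action": "fill",
     "vault_uuid": "vault-fin-0001", "item_uuid": "item-bank-0007",
     "user": {"email": "jason@example.test"}},
    {"timestamp": "2024-03-05T14:02:11Z", "action": "reveal",
     "vault_uuid": "vault-fin-0001", "item_uuid": "item-erp-0042",
     "user": {"email": "alice@example.test"}},
    # Item not in the inventory export: must be flagged, never dropped.
    {"timestamp": "2024-03-06T08:40:00Z", "action": "reveal",
     "vault_uuid": "vault-fin-0001", "item_uuid": "item-unknown-9999",
     "user": {"email": "alice@example.test"}},
]


def enrich(event: dict, vault_names: dict, item_names: dict) -> dict:
    """Return a copy of the event with human-readable names attached.

    Unresolvable IDs are kept and marked so the SIEM can alert on them
    (a likely sign the inventory export is stale)."""
    out = dict(event)
    out["vault_name"] = vault_names.get(event.get("vault_uuid"), "UNRESOLVED")
    out["item_name"] = item_names.get(event.get("item_uuid"), "UNRESOLVED")
    out["unresolved"] = "UNRESOLVED" in (out["vault_name"], out["item_name"])
    return out


def enrich_all(events: Iterable[dict], vault_names=VAULT_NAMES,
               item_names=ITEM_NAMES) -> list:
    return [enrich(e, vault_names, item_names) for e in events]


def reveals_by_item(enriched: Iterable[dict]) -> dict:
    """Count password reveals per item name: the 'who saw what' summary
    the auditors in the thread ask for."""
    return dict(Counter(e["item_name"] for e in enriched
                        if e["action"] == "reveal"))


def to_ndjson(enriched: Iterable[dict]) -> str:
    """Newline-delimited JSON, one event per line, as Elastic bulk ingest
    expects."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in enriched)


if __name__ == "__main__":
    rows = enrich_all(SAMPLE_EVENTS)
    print(to_ndjson(rows))
    print(reveals_by_item(rows))
```

Run it as-is to see the enriched NDJSON and the per-item reveal counts; in a real pipeline the two dicts would be rebuilt from a periodic inventory export and the `unresolved` flag would drive an alert or an inventory refresh.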