Our community is getting an upgrade on July 2nd! Learn more in the FAQs →
Show the requested credential
I'm heavily using 1password now for agentic usage. All of my business is set up on it now, and all of my credentials are locally using op://, or service accounts. I've put in a lot of effort to try and isolate systems using least privilege, but one problem is that when agents (or applications) request a credential from the system, it doesn't say WHAT credential is being requested. Half the time it doesn't even say the correct name for the application making the request, either. This is a big problem, because I'm starting to get into the habit of just spamming "Accept" blindly. But the whole reason I have set up this whole pipeline is so I can catch malicious programs trying to gain access - for example, supply chain attack infections. Without seeing what credential is being requested, and the process information that is requesting it, I'm finding it's not actually adding much protection at all, because it's putting me into a false sense of security and promoting bad habits. If I'm running multiple agents in parallel, which is often the case, it might just say "Terminal requests access to your vault" or something similar. Which terminal is that? What is the underlying entity being requested? What credential? What is the process ID or terminal title, so I can isolate it to a terminal/agent? Etc. I think this is something that urgently needs to be added. Otherwise, as it stands, it's not really offering much protection because users will just go "oh, it's probably just that agent running - I'm sure it's fine" and accept everything. If that agent happened to have installed a malicious npm package, you'd probably catch it too late.Stop by the 1Password booth at Zenith Live 2026
Zscaler's annual conference, Zenith Live 2026, is coming to Las Vegas June 8-11, and 1Password will be there as a Silver Sponsor. Find us in the Partner Pavilion, where we'll be demoing how 1Password extends Zscaler's Zero Trust Exchange, including our Device Trust integration that ensures only known, compliant devices can access your network before employees even log in. Whether you're thinking about closing shadow IT gaps, securing AI agent credentials, or tightening up your Zero Trust posture, we'd love to chat. Stop by the booth or drop a reply here if you'll be there.Upcoming 1Password webinars
Hi folks, Here's an overview of all the webinars we have coming up in the next several weeks. I hope we'll see you there! Thursday, May 21st at 9 AM PDT / 12 PM EDT (60 minutes): The unmanaged stack: Governing SaaS apps and AI tools outside SSO In this webinar, we'll explore how IT and security teams can gain full visibility into the apps, credentials and OAuth connections that live outside of SSO, and what governance looks like in an environment where AI tools are the new shadow IT. Wednesday, May 27th at 10 AM BST / 11 AM CEST / 12 PM EEST (60 minutes): The unmanaged stack: Governing SaaS apps and AI tools outside SSO This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa. Tuesday, June 2nd at 9 AM PDT / 12 PM EDT (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review In this webinar, you can look forward to learning about our recent product releases, a glimpse into our product roadmap, upcoming events with 1Password, a deep dive into actionable ways 1Password can support your business' security goals. Thursday, June 4th at 11 AM BST / 12 PM CEST / 1 PM EEST (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa. Wednesday, June 10th at 9 AM PDT / 12 PM EDT (60 minutes): Discover built-in developer security in 1Password EPM In this session, we’ll show you how to extend the value of your 1Password deployment to developer workflows, and help you enable your engineers to build quickly and securely without added friction.April 2026 at 1Password: Post-quantum protection, External Checks close the access gap, and AI-era security
In April, we began rolling out new protections that will keep your data safe in a world with quantum computers, we expanded how teams can enforce access with External Checks in 1Password Device Trust, and shared new thinking on AI agents, credential sprawl, and what it takes to secure systems in a faster-moving threat landscape. In case you missed it A first step toward post-quantum security Introducing the first major milestone in our post-quantum cryptography (PQC) journey: as post-quantum protection in the 1Password web app! 1Password now supports hybrid post-quantum key exchange in PQC-capable browsers like Chrome or Firefox. It all happens automatically – no user action required. This helps protect against "harvest now, decrypt later" attacks, where adversaries capture encrypted traffic today in the hope that future quantum computers will be able to decrypt it. This is the first phase of a broader post-quantum roadmap focused on protecting your data against the threats of today and tomorrow. Read more about our first step toward post-quantum security. Building a Mythos-ready security program AI is accelerating how quickly vulnerabilities can be found and exploited, and security programs need to keep up. We looked at what security leaders can do now to prepare for a world where AI-driven vulnerability discovery happens at machine speed. The takeaway: patching still matters, but it can't be the entire strategy. Teams also need to limit the blast radius by controlling access, isolating agentic identities, replacing long-lived secrets, and making it harder for a single exploit to escalate into a larger breach. Read the full post on building a Mythos-ready security program. External Checks in Device Trust 1Password Device Trust can now factor in signals from other systems before allowing access to protected apps. With External Checks, access decisions can include more than device posture. Admins can pull in things like security training completion, policy acknowledgments, MFA enrollment, active employment status, and other verification signals from external systems. External Checks closes the gap between having a policy in place and actually enforcing it when someone tries to reach company apps and data. Learn more about External Checks in 1Password Device Trust. What we learned using AI agents to refactor a monolith We shared a behind-the-scenes look at how 1Password used AI agents to help refactor a large Go monolith. The work demonstrated how agents can be genuinely useful, especially for analyzing large codebases, building deterministic tools, and executing well-scoped changes. It also showed where they still need strong constraints, clear specifications, and human judgment. Read more about what we learned using AI agents to refactor a monolith. Protecting against OAuth-based supply chain breaches Credential sprawl continues to spread across SaaS apps, developer tools, automation workflows, and AI agents. OAuth makes it easy to connect new tools, but those connections can quietly become supply chain risks when permissions are broad, long-lived, or poorly tracked. We looked at how OAuth-based supply chain attacks happen, how Google Workspace admins can check which third-party apps currently have access, and why ongoing discovery is more effective than a one-time audit. Read more about protecting against OAuth-based supply chain breaches and credential sprawl. Chasing Entropy (Season 2) Season two of Chasing Entropy kicked off in April with three new episodes: Why secure-by-design is an incentives problem, with Bob Lord. Dave Lewis and Bob Lord get into secure-by-design principles, AI systems, software supply chains, and why security outcomes need to be owned at the organizational level. What cyber conflict reveals about power and doctrine, with Allie Mellen. Dave talks with analyst and author Allie Mellen about cyber conflict, attribution, geopolitics, and why defenders need to understand intent, not just indicators. Why friction is a security risk, with Dustin Heywood. Dave and IBM's Dustin Heywood (aka EvilMog) get into agentic AI, machine identity, quantum planning, and why security controls that add friction tend to get bypassed. Listen to Chasing Entropy wherever you get your podcasts. Random but Memorable April brought three new episodes of Random but Memorable to catch up on: What it takes to protect – and break into – data centers with Deviant Ollam Are you oversharing with AI? Author Jamie Bartlett has thoughts What to do if you’ve been hacked, with Glenn Wilkinson This month covered the physical side of security, safer AI habits, what to do after a compromise, and how supply chain attacks are feeding into one another. Release note highlights Browser extension Added settings that let you choose which item types appear as autofill suggestions in the inline menu. Reorganized Autofill settings for easier navigation. Fixed an issue where the browser extension didn’t unlock with the 1Password app. Fixed issues with the sign-in banner and Quick Access suggestions in Chrome and Chromium-based browsers on Mac. Fixed several autosubmit and website-specific autofill issues. Mac, Windows, and Linux Improved localization across supported languages. Updated the wording for unlock preset options. Fixed an issue where a LastPass import could fail if the account had multi-factor authentication enabled. Improved how 1Password recovers drafts of items. App icons shown in SSH, CLI, and SDK authentication prompts now display more quickly. [Mac only] Improved handling for shortened Apple Maps links. [Windows only] Fixed an issue where 1Password couldn’t be used as the Windows passkey manager when installed on an external drive. [Linux only] Added a “Start at login” setting, enabled by default in Settings > General. iOS and Android Improved localization across supported languages. Updated the wording for unlock preset options. Improved how 1Password recovers drafts of items. [iOS only] Fixed an issue that could cause excessive background battery use after using AutoFill. [iOS only] Fixed an issue that could prevent 1Password for Safari from unlocking. [Android only] Fixed a crash that could occur when first launching the app. 1Password CLI Added Shell Plugin support for Claude Code CLI, Scaleway CLI, AWS SAM CLI, AWS eksctl, AWS awslogs, and OpenAI Codex CLI. The AWS CDK shell plugin now supports AWS profiles that assume a role with the --profile flag. op run now properly terminates subprocesses when cancelled. 1Password CLI commands now support the Account Trust Log when authenticating with the 1Password desktop app.Upcoming 1Password webinars
Hi folks, Here's an overview of all the webinars we have coming up in the next several weeks. I hope we'll see you there! Thursday, April 2nd at 9 AM PDT / 12 PM EDT (60 minutes): Inside Unified Access: Taking Enterprise Password Manager to the next level In this webinar, Jeff Malnick, VP of Engineering, Developer & AI, and Jason Meller, VP of Security Strategy, will give an inside look at Unified Access and how it helps you discover, secure, and audit credentials used by human, machine, and AI agent workflows. Wednesday, June 3rd at 9 AM PDT / 12 PM EDT (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review In this webinar, you can look forward to learning about our recent product releases, a glimpse into our product roadmap, upcoming events with 1Password, a deep dive into actionable ways 1Password can support your business' security goals. Thursday, June 4th at 11 AM BST / 12 PM CEST / 1 PM EEST (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa.
1Password deployment on VDI / Citrix environments - best practices and support status?
Hi everyone, We're evaluating 1Password for our organization and need to deploy it in a Citrix Virtual Apps and Desktops environment. I've read through the deployment documentation, but I'd like to get some clarity on a few points from the community or 1Password team. Our scenario: Citrix Virtual Apps and Desktops (mix of persistent and non-persistent VDI) Windows Server-based session hosts User profiles managed via FSLogix / Citrix Profile Management Questions: Non-persistent VDI: What's the recommended approach for non-persistent/pooled desktops where the VM is reset after each session? Is it sufficient to persist the local data folder via FSLogix or Profile Management, or are there additional considerations? Multi-session hosts (RDSH): Is 1Password supported on multi-session Windows Server environments where multiple users share the same server? Are there any known limitations? Browser extension: Does the browser extension work reliably in VDI scenarios, especially when connecting to a locally installed 1Password app on the virtual desktop? Installer choice: The documentation mentions that MSIX is preferred over MSI. Are there specific VDI-related reasons for this recommendation beyond the passkey limitation? Any insights from organizations running 1Password in similar environments would be greatly appreciated. Thanks!
Kolide Custom Checks?
Hi everyone, We have rolled out 1Password XAM and are really liking the Kolide Device checks. However we are running into edge-cases where we need to configure some custom checks and are struggling a bit. For example, we want to allow people with devices owned by other (partner) organisations access to some of our Kolide-protected apps. They have been allowed by their admins to install Kolide but they use a different EDR product that is not covered by the supplied checks. (Ie we use Crowdstrike Falcon, they use Palo Alto Cortex) Has anyone worked out a way to implement this sort of thing? Both in terms of a custom checks for Cortex and an either/or setup for EDR.Upcoming 1Password webinars
Hi folks, Here's an overview of all the webinars we have coming up in the next several weeks. I hope we'll see you there! Wednesday, March 4th at 9 AM PST / 12 PM EST (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review Join us to learn how Alliants uses 1Password Enterprise Password Manager (EPM) and 1Password SaaS Manager to simplify SaaS management, enhance security, and align IT operations with business goals. Plus, hear the latest 1Password news, product updates, and releases to help you get the most out of the 1Password platform. Thursday, March 5th at 11 AM GMT / 12 PM CET / 1 PM EET (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa. Wednesday, March 11th at 9 AM PDT / 12 PM EDT (60 minutes): How IT and finance can collaborate to take control of SaaS spend Join us for a live webinar designed for IT and finance leaders who want to regain visibility, reduce waste, and align SaaS investments with business value. Thursday, March 19th at 10 AM GMT / 11 AM CET / 12 PM EET (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa.
