LastPass to 1Password for Business - feedback and thoughts
Which Business Password Managers Are the Best?
A password manager is essential for businesses because it allows everyone in an organization to spend less time trying to remember strong, unique passwords for all their accounts. The password manager stores login credentials and passkeys for each employee.
The best password managers for businesses also enable administrators to monitor employees’ password hygiene. That is to say, you can identify which employees have weak or reused passwords, allowing you to prompt them to improve their password security.
What Enterprise Features Do You Get With Password Managers?
Sharing is an essential function for business-related password managers, and a password manager makes sharing easy and secure. Some password managers allow you to share a login without revealing the secure password, enabling you to revoke the shared details once the other person has used them, or to make the recipient the credential's owner.
Many password managers offer single sign-on or integrations with business software such as Zoom or Google Workspace. These integrations add another layer of convenience and security for your business, as employees don’t have to enter their user passwords whenever they need to use various work-related applications.
What’s Missing From Your Company’s Security Setup?
A password manager isn't the only thing you need to use to secure your company’s secrets. We've already mentioned the importance of multi-factor authentication. You should also consider installing a security suite, many of which also include password managers. If you already have security software, take the time to ensure it is all working properly.
Finally, note that, above all else, a business password manager should be easy to use. Employees who are baffled by a password manager may stop using it and revert to less secure methods of storing and sharing passwords, or worse, use the same passwords everywhere.
Keeping this intro short and simple; listed below is a general overview, feedback and thoughts on experiences so far with 1Password for business in comparison to LastPass for business now that we've migrated and have a bit of understanding and comparison. Hopefully this helps others as they make a similar journey.
* These are only items I've come across, whether they've been helpful or not.
Environment:
Entra ID (AAD)
LastPass for business, Entra ID as idP for SSO
100+ users
1Password for business, Entra ID as idP for SSO, AKS SCIM bridge
Reasons for migration from LastPass to 1Password:
LastPass data breach, clunky UI, extension, no desktop app, limited integrations/development features. Worth noting that 1Password has competitive pricing, so it's easier to get this approved with senior managers/finance.
Support feedback:
The 1Password onboarding support team is A+: helpful, and they provide bulk information, guides and training. They provided a 1 hour training session for the business, which is incredibly helpful and tailored to our SSO environment.
LastPass to 1Password Migration feedback:
These are a few that were noticed; whilst some can be easily worked around, they nonetheless add complexity and time to the whole migration process:
Support training covers a great breadth of basic how-to information, which takes the burden off IT staff and saves time in the long run by having a saved video recording tailored to your company.
1Password app: the LastPass import feature doesn't work (this is a big deal). *Known issue and fixed below (thanks 1P Support!)
After first-time login, you may not stay logged in and then codes may not appear, leading to you needing to be recovered. This happens so often and is a huge waste of time having to recover accounts, because either the browser or app decides to log out and no longer provides codes. I believe this might be exacerbated by having AAD SSO, so users cannot recover themselves.
1Password issues and areas of improvement:
No easy way to get to the 1Password profile page from the 1Password extension
  - Adds complexity for the end user
Marking an item as a 'favourite' sets it globally. These aren't personal.
  - Cluttered and impractical feature
No ability to selectively remove developer features for certain users/groups
No easy way to selectively share vault items between people/groups
Unless you have a perfect naming convention for passwords/logins, searching for accounts with the same name that you have across many different vaults is exceedingly difficult and a massive time waste
Where LastPass does better:
Ability to save passwords after you've logged into a website
Folder and subfolder system for different and arguably, simpler viewing for large password vaults
Individual folder items can be shared and centrally managed from that one folder. To do that in 1Password means a temp sharing link, additional vaults > complexity and time waste
Reduced admin overheads when recovering accounts/logins. (see migration thoughts, second point)
idP integrations/sync is performed in the enterprise app setup in AAD
Loads of policies and controls to customise
Quick access to LastPass vault/profile from extension
Where 1Password does better:
Modern and helpful UI in desktop, web browser and extension
Desktop app support
Vault changes seamless - no waiting around to 'sync' to others
Large Developer toolset
Insights on account/password breaches and health. Again, modernised layout and helpful to understand
Templates - really handy and customisable to suit your organisation
Passwordless support
Whilst there are some features lacking, the improvement to security and removal of a third party platform that failed its core business purpose is simply unacceptable. This is the key driver to this change in password management platforms.
1Password is definitely a step in the right direction for a business to improve security in ways more than just securely saving passwords, as well as features for developers. The modern aesthetics, intuitive password management features (share, edit, manage) in the desktop app and Windows Hello integration make for a really nice end user experience in accessing their passwords.
But, I can't help but feel it's lacking a business focus for the features needed that could otherwise really improve its value.
Thanks! If I think of anything I've missed, I'll come back and edit it.
Consider this scenario in a business environment:
- User has access to sensitive corporate passwords via 1Password.
- User has a strong password, but they (stupidly... as users do) use that same password on all their personal and potentially even work accounts.
- User's device is compromised and hackers get their 1Password file.
- Hackers search hacked databases for compromised sites with the user's email.
- Hackers decrypt the offline 1Password database.
This is not a far-fetched scenario and there are other scenarios where an offline database is a risk.
Has 1Password ever considered or have plans to create an online-only mode? This is one thing LastPass does better than 1Password. This would ensure 100% that access would be terminated, as there wouldn't be any potential for offline databases to be scattered around on devices.
More databases = greater attack surface = less secure
Edit:
To add some justification that the scenario I proposed is a very real threat, consider the recent credential stuffing attack on LastPass. This was against users' online databases, where MFA, IP whitelisting and other conditional access measures could be put in place by a business to protect against this; however, none of these measures apply if the hacker obtained access to a local 1Password database. This type of attack on individual users' offline databases is next and is exactly what I'm describing.
https://therecord.media/lastpass-confirms-credential-stuffing-attack-against-some-of-its-users/
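The following is an added example, not code from the post or from 1Password or LastPass. It models two things in one toy: the admin-side hygiene check the overview above mentions (which employees have weak or reused passwords), and the offline-copy scenario the post describes (a stolen vault file plus a reused unlock password). The vault is reduced to a stored verifier derived with PBKDF2; the optional second secret models the two-secret pattern (account password mixed with a high-entropy secret held only on enrolled devices, which 1Password's published security design calls the Secret Key) in a simplified form that is not 1Password's actual code. All records, salts, keys and the "breach list" are constructed; `ITERATIONS` and `MIN_LENGTH` are assumed policy values.

```python
"""Toy model: password hygiene report plus the offline-vault-copy scenario.
Constructed data throughout; not 1Password's or LastPass's implementation."""
import hashlib
import hmac

ITERATIONS = 100_000   # assumption: real products tune this; higher = slower per guess
MIN_LENGTH = 8         # assumption: policy threshold below which a password is "weak"

# Constructed records of the kind an admin console exposes: (employee, site, password).
EMPLOYEE_LOGINS = [
    ("alice", "vault-unlock", "Summer2023!"),
    ("alice", "personal-mail", "Summer2023!"),
    ("alice", "shopping", "Summer2023!"),
    ("alice", "bank", "k9#LxQ2mWz7pR4"),
    ("bob", "vault-unlock", "correct-horse-battery-staple"),
    ("bob", "wiki", "wiki1"),
]


def hygiene_report(records):
    """Flag short passwords and passwords an employee reuses across their own accounts."""
    weak = sorted({(user, site) for user, site, pw in records if len(pw) < MIN_LENGTH})
    by_user_pw = {}
    for user, site, pw in records:
        by_user_pw.setdefault((user, pw), []).append(site)
    reused = {user: sorted(sites) for (user, _), sites in by_user_pw.items() if len(sites) > 1}
    return {"weak": weak, "reused": reused}


def derive_vault_key(password, salt, secret_key=None, iterations=ITERATIONS):
    """Slow derivation from the user's password, optionally mixed with a
    high-entropy secret that lives only on enrolled devices (two-secret pattern)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if secret_key is None:
        return pw_part
    sk_part = hmac.new(secret_key, salt, "sha256").digest()  # HKDF-style expansion of the secret
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key):
    """What a vault copy at rest lets anyone test a candidate key against."""
    return hmac.new(key, b"vault-verifier", "sha256").digest()


def offline_unlock_attempts(verifier, salt, candidates, secret_key=None, iterations=ITERATIONS):
    """Models the post's scenario: an offline copy has no lockout or rate limit, so
    exposure is derivation cost x candidate-list size. Returns the matching candidate."""
    for cand in candidates:
        key = derive_vault_key(cand, salt, secret_key, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return cand
    return None


def run_scenario(iterations=2_000):
    """Alice's reused unlock password against three flavours of vault copy."""
    salt = b"\x00" * 16            # fixed so the example is reproducible
    secret_key = b"\x01" * 16      # constructed; real ones are random per account
    vault_pw = "Summer2023!"       # alice's reused password from EMPLOYEE_LOGINS
    leaked = ["password1", "Summer2023!", "letmein"]  # constructed stand-in for a breach dump
    pw_only = make_verifier(derive_vault_key(vault_pw, salt, None, iterations))
    two_secret = make_verifier(derive_vault_key(vault_pw, salt, secret_key, iterations))
    return {
        "reused": hygiene_report(EMPLOYEE_LOGINS)["reused"].get("alice", []),
        "pw_only_copy": offline_unlock_attempts(pw_only, salt, leaked, None, iterations),
        "two_secret_copy_no_key": offline_unlock_attempts(two_secret, salt, leaked, None, iterations),
        "two_secret_copy_with_key": offline_unlock_attempts(two_secret, salt, leaked, secret_key, iterations),
    }


if __name__ == "__main__":
    print(hygiene_report(EMPLOYEE_LOGINS))
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Reading the result: the hygiene report is what lets an admin catch the reuse before it matters. The password-only copy falls to the reused password as soon as it appears in a leaked list; the two-secret copy does not, as long as the second secret is not in the attacker's hands. That last condition is the point for the post's threat model: when the whole device is compromised, the device-held secret is usually taken with the file, so the two-secret pattern mainly protects copies obtained from the server side, and the remaining levers for a device-resident copy are device security, the derivation cost, and a unique unlock password.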