Skip to content

The 25 1Password security checks Black Cat runs

Black Cat SSPM evaluates 25 security policies against your 1Password configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highSuspended User Activity

Investigate activity from a suspended 1Password user and revoke any residual access

lowSuspended User Not Removed

Remove suspended 1Password users after confirming data handoff is complete

mediumDormant User

Suspend or remove dormant 1Password users after verifying account necessity

highFailed Sign-in Attempt

Investigate repeated failed 1Password sign-in attempts and lock the account if brute-force is suspected

mediumSign-in From Untrusted Location

Investigate 1Password sign-in from an untrusted location and verify with the user

highFailed Sign-in From Untrusted Location

Investigate failed 1Password sign-ins from untrusted locations and reset credentials if unauthorized

mediumService Account Token Created

Verify the new 1Password service account token was authorized and revoke it if not needed

mediumSign-in From Unknown Country

Investigate successful 1Password sign-in from an unknown country and verify with the user

mediumFailed Sign-in Without MFA

Investigate failed sign-in attempts without MFA and ensure MFA is enforced for all users

lowSign-in With No Client Recorded

Investigate 1Password sign-in with no client application recorded

lowSign-in With No IP Recorded

Investigate 1Password sign-in with no IP address recorded and check for API or automation access

highFailed Sign-in From Unknown Country

Investigate failed 1Password sign-in from an unknown country as a potential credential stuffing attempt

lowResource Created

Review the newly created 1Password resource and verify it was authorized

mediumSuspended User With MFA Disabled

Enable MFA for suspended 1Password user before any potential reactivation

mediumUser With No Recorded Activity

Investigate 1Password user with no recorded activity and verify account necessity

audit

infoMaster Password Changed

Verify the 1Password master password change was user-initiated and document it in the change log

configuration

lowEmpty Vault User

Send onboarding reminders to 1Password users with empty vaults and remove unused licenses

highSSO Policy Modified

Verify the 1Password SSO policy change was authorized and revert if not approved

criticalSSO Disabled

Re-enable 1Password SSO immediately if disabled without authorization and review the audit trail

highSigning Key Changed

Verify the 1Password signing key change was authorized and escalate to security if not

mediumFirewall Rule Changed

Verify the 1Password firewall rule change was authorized and revert if it weakens security posture

data exposure

criticalVault Exported

Investigate unauthorized 1Password vault export, contain the incident, and assess data exposure scope

mfa

criticalMFA Disabled

Enable MFA for the 1Password user account immediately to prevent unauthorized access

mediumMFA Status Unknown

Verify MFA status for 1Password users with unknown MFA state and require enrollment

highSign-in Without MFA

Investigate 1Password sign-ins that bypassed MFA and enforce MFA via security policy

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial