Keeper Encrypts at the Record-Level
Keeper is built with a proprietary zero-knowledge security architecture, meaning all encryption and decryption is done locally on the user’s device. Each record is encrypted using AES-256 with a different and unique key that is randomly generated, client-side.
1Password is also zero-knowledge, but they only encrypt data at the vault level and do not encrypt at the individual record and folder level.
Keeper Makes Sharing Easier Than 1Password
Keeper provides shareable folders and individual records within a single vault to allow for easy and effective access, sharing and management.
Sharing records between Keeper users works by encrypting the record key with the public key of the recipient.
A record share in Keeper is kept fully in sync with the source data so the shared record is always up-to-date. Keeper's sharing also supports bi-directional edits.
Keeper supports One-Time Share links to non-Keeper users, but even that method keeps the data perfectly in sync between the users.
1Password requires a user to create separate vaults for sharing different sets of passwords. 1Password uses tags and nested tags to organise data between different vaults.
1Password doesn't have record-level encryption, so their sharing system creates a copy of the record contents and then uses a hyperlink to share with the recipient. The information in the shared data is not in sync with the original source.
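The record-level model described above (a random AES-256 key per record, shared by encrypting that key to the recipient's public key) can be sketched as follows. This is an added example, not Keeper's code: the wrapping scheme (ephemeral ECDH on P-256, HKDF-SHA256, AES-256-GCM) and every function name are assumptions chosen for illustration, and the record contents are constructed.

```javascript
// Added illustration (not Keeper's code): per-record keys shared by public key.
// Assumed scheme: ECDH P-256 + HKDF-SHA256 + AES-256-GCM; all names hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-encryption key derived from an ECDH shared secret.
function kek(privateKey, publicKey) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'record-key-wrap', 32));
}
const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Wrap the record key for one recipient using a fresh ephemeral key pair.
function wrapRecordKey(recordKey, recipientPublicKey) {
  const eph = newKeyPair();
  return { ephemeralPublicKey: eph.publicKey, wrapped: seal(kek(eph.privateKey, recipientPublicKey), recordKey) };
}
function unwrapRecordKey(share, recipientPrivateKey) {
  return unseal(kek(recipientPrivateKey, share.ephemeralPublicKey), share.wrapped);
}

function demo() {
  const recipient = newKeyPair(), outsider = newKeyPair();
  const recordKey = crypto.randomBytes(32); // unique random key for this record
  let stored = seal(recordKey, Buffer.from('password=constructed-sample-1'));
  const share = wrapRecordKey(recordKey, recipient.publicKey);
  const recipientKey = unwrapRecordKey(share, recipient.privateKey);
  const before = unseal(recipientKey, stored).toString();
  // Owner edits the record: same record key, new ciphertext, no new share.
  stored = seal(recordKey, Buffer.from('password=constructed-sample-2'));
  const after = unseal(recipientKey, stored).toString();
  let outsiderBlocked = false;
  try { unwrapRecordKey(share, outsider.privateKey); } catch { outsiderBlocked = true; }
  return { before, after, outsiderBlocked };
}
```

Because the recipient holds the record key rather than a copy of the plaintext, an edit by the owner is readable through the existing share, while a key pair that was never given a share fails the GCM authentication check.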
Keeper Provides Market-Leading Security Infrastructure and Policies
Keeper has the longest-standing SOC 2 Type 2, ISO 27001 and TRUSTe certification in the industry. Keeper’s ISMS will ensure that strict security controls are in place to protect customer data and ensure secure operation of products and services.
Keeper is also FedRAMP Authorised and StateRAMP Authorised – proving our commitment to maintain the highest standard of cybersecurity.
Keeper is ITAR compliant, with all development and engineering comprised of US-based employees that are U.S. Persons.
Keeper does not outsource any software development.
1Password has not exhibited the same rigor for security practices. It obtained SOC 2 Type 2 certification more than four years after Keeper, and it has still yet to obtain ISO 27001 certification.
1Password is not FedRAMP Authorised or in the process of achieving authorisation.
1Password is based out of Canada, and software developers are located throughout the world.
Superior SSO Integration
Keeper integrates with all SAML 2.0 Identity Providers (IdP) including Azure, Okta, Ping and hundreds of others.
When using Keeper with SSO, there's no master password, and encryption is performed using 256-bit Elliptic Curve keys.
Keeper holds multiple US utility patents on zero-knowledge SSO integration and other technology.
1Password has an integration with Okta and Azure, but it's using OIDC, not SAML.
1Password does not have a generic SAML connector and it is not compatible with Ping and many other identity providers.
1Password does not hold any US utility patents.
Logging in to a New Device with SSO
Keeper is seamless, using push notifications and automated methods to allow for a frictionless login experience.
1Password has no automated methods. Logging in to a new device requires an old device or admin-initiated recovery. Recovery is a back-and-forth of emails and multiple logins by the admin.
Keeper supports several MFA options that can be customised at the admin level.
- Duo Security
- RSA SecurID
- Keeper DNA
- FIDO2 WebAuthn physical keys
1Password does not support MFA on the vault when logging in with SSO. MFA is only available to “owners” who log in with a password.
Keeper natively supports SCIM provisioning with SSO Connect for simple provisioning with no infrastructure required.
Keeper allows multiple IdPs, configurations and nodes. Quickly and easily provision all of your users, no matter which platform they’re on.
1Password’s SCIM provisioning requires on-prem infrastructure with a very complex setup.
1Password only permits the use of a single identity provider. They don't support advanced configurations, nodes and multiple identity providers in the same environment.
Dark Web Monitoring
Keeper's BreachWatch® keeps everything in our infrastructure and protects hashes with hardware security modules.
BreachWatch backend architecture was built to prevent the correlation of a breached password to an actual password in the user's vault, no matter the size of the data breach. The hashing used in the breached password detection utilises a physical Hardware Security Module to ensure that hashing can only be performed online - to prevent any threat of brute force attack on the BreachWatch data.
1Password sends customer-hashed passwords to third-party services such as "Have I Been Pwned", putting full trust into a single-person operation in Australia.
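The reason an HSM-held key makes breach hashes "online only", as the BreachWatch paragraph above describes, is shown in this added example, which is not Keeper's code. The HSM is simulated by a closure that never exposes its key, the choice of HMAC-SHA256 and the call cap are assumptions, and the breached-password list is constructed.

```javascript
// Added illustration (not Keeper's code): unkeyed vs HSM-keyed breach hashes.
const crypto = require('node:crypto');

// Stand-in for an HSM (assumed interface): the key never leaves this closure,
// the only exposed operation is HMAC, and every call is counted and capped.
function makeHsm(maxCalls) {
  const key = crypto.randomBytes(32);
  let calls = 0;
  return {
    hmac(value) {
      if (++calls > maxCalls) throw new Error('HSM rate limit exceeded');
      return crypto.createHmac('sha256', key).update(value).digest('hex');
    },
    callCount: () => calls,
  };
}

const sha256 = (v) => crypto.createHash('sha256').update(v).digest('hex');

// Constructed sample data: a tiny "breached passwords" corpus.
const BREACHED = ['123456', 'qwerty', 'letmein'];

// How many guesses a party holding only a leaked copy of the table can link
// to stored entries, using a hash function it is able to run by itself.
function offlineLinked(leakedTable, guesses, hashFn) {
  return guesses.filter((g) => leakedTable.has(hashFn(g))).length;
}

function compare() {
  const hsm = makeHsm(100);
  const plainTable = new Set(BREACHED.map(sha256));
  const keyedTable = new Set(BREACHED.map((p) => hsm.hmac(p)));
  const guesses = ['letmein', 'qwerty', 'hunter2'];
  return {
    plainOffline: offlineLinked(plainTable, guesses, sha256), // table is testable offline
    keyedOffline: offlineLinked(keyedTable, guesses, sha256), // no key, no matches
    keyedOnline: keyedTable.has(hsm.hmac('letmein')),         // service path via the HSM
    hsmCalls: hsm.callCount(),                                // every lookup is visible
  };
}
```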
Keeper Provides Isolated Hosting in More Regions
Keeper offers hosting in the following regions:
- United States Government Cloud
1Password only offers US, CA and EU hosting.
Keeper's Secrets Manager is a Superior Technology
Keeper provides 6 API languages and more than 20 integrations with popular CI/CD and developer tools. Management of secrets is fully integrated into the Keeper vault and the Commander CLI. Keeper's secrets manager platform provides record-level and folder-level access.
Keeper Secrets Manager (KSM) is fully cloud-based and does not require any on-prem components. KSM was built from the ground up to be fully integrated into Keeper's platform.
Keeper integrates with DevOps tools such as GitHub, Azure, AWS, GCP, Terraform, Docker, Kubernetes, GitLab, XSOAR and more.
Keeper Commander CLI provides hundreds of features which include vault management, user management, team management, advanced event reporting, compliance reporting, import/export and custom actions.
Keeper's Event Reporting API provides reporting on over 200 different event types broken down into 10 categories. Advanced queries with SQL-like syntax can be performed.
Compliance data is available through the API for admins with privileged access.
1Password's secrets automation platform offers only 3 languages and 4 integrations. 1Password only offers vault-level access to the secrets automation platform, not record or folder-level.
1Password requires an on-prem Connect Server. The Connect Server is deployed through Docker, and by default, does not include any encryption (hosted on http port 8080).
1Password's CLI provides basic vault and user/team management.
1Password's event reporting API only reports on Item usage and SignIn attempts.
Compliance data is not available.
Other Critical Differentiators
Keeper offers a multi-tenant MSP solution.
Keeper's node architecture allows different identity providers to be used within the same tenant.
Keeper Connection Manager provides privileged sessions and secure remote access.
Keeper Compliance Reports provides on-demand visibility to access permissions on records and credentials in your enterprise, without exposing secrets.
Keeper supports importing vaults from LastPass even if the users log in with federated Okta/Azure/Google accounts.
1Password does not offer an MSP solution.
1Password does not offer node architecture or multiple identity providers.
1Password does not offer any kind of privileged session management software.
1Password does not provide compliance auditing tools.
LastPass folders become Vaults in 1Password. There's no concept of shared folders. Nested folders in LastPass will spin off more vaults in 1Password instead of creating subfolders.
1Password doesn't support importing federated LastPass vaults, which is critical for migration.