The Complete Guide to 1Password: Features, Pricing, Security, and Setup

Over 150, 000 businesses and millions of individuals rely on 1Password to manage their credentials. In a landscape where more than 80% of data breaches involve weak or reused passwords, a dedicated password manager is no longer a convenience - it is a security requirement.

This guide covers everything you need to know about 1Password in 2026: how it works, what it costs, how its security architecture differs from competitors, how to set up two-factor authentication, and how to get the most out of features like Watchtower, Travel Mode, and passkeys.



1Password dashboard

What Is 1Password?

1Password is a password management platform developed by AgileBits Inc., originally launched in 2006. It stores, generates, and autofills passwords, payment details, secure notes, and other sensitive data inside encrypted vaults that sync across all your devices.

What separates 1Password from browser-based password storage or simpler alternatives is its dual-key encryption model, its zero-knowledge architecture, and a feature set that extends well beyond basic credential storage. It supports Windows, macOS, Linux, iOS, Android, and watchOS, with browser extensions for Chrome, Safari, Edge, Firefox, and Brave.

As of 2026, 1Password holds roughly 5.5% of the global password manager market share and is trusted by companies ranging from small startups to Fortune 500 enterprises.

How 1Password's Security Architecture Works

Dual-Key Encryption

Most password managers encrypt your vault with a single master password. 1Password adds a second layer: the Secret Key - a 128-bit randomly generated string created during account setup and stored only on your devices.

This means that even in a worst-case scenario where 1Password's servers were fully compromised and an attacker somehow obtained your master password, they still could not decrypt your vault without the Secret Key. The two keys are combined using SRP (Secure Remote Password) protocol to derive the encryption key, and all data is protected with AES-256 encryption - the same standard used by governments and financial institutions worldwide.

Zero-Knowledge Architecture

1Password operates on a zero-knowledge model. The company cannot see, access, or decrypt your stored data. Encryption and decryption happen locally on your devices, never on 1Password's servers. This is a critical distinction from services that hold decryption keys server-side.

Breach Track Record

1Password has maintained a clean breach record. Unlike some competitors that have suffered high-profile data exposures, 1Password's architecture is designed so that even a server breach would yield only encrypted blobs that are computationally infeasible to crack without both the master password and Secret Key.

Core Features

Password Generation and Autofill

1Password generates strong, unique passwords for every account - configurable by length, character types, and format (random characters, memorable words, or PIN codes). Autofill works natively across all major browsers and operating systems, recognizing login fields, payment forms, and address inputs automatically.

Watchtower: Proactive Security Monitoring

Watchtower is 1Password's built-in security dashboard. Rather than passively storing credentials, it continuously monitors your vault and flags actionable issues:

  • Compromised credentials linked to known data breaches (powered by Have I Been Pwned integration)

  • Weak passwords that fail modern complexity standards

  • Reused passwords shared across multiple accounts

  • Missing two-factor authentication on accounts that support it

  • Expiring passwords and outdated security certificates

  • Unsecured websites where login pages use HTTP instead of HTTPS

  • Passkey availability on sites that now support passwordless login

Each flagged item links directly to the affected credential for one-click remediation. For business accounts, Watchtower also provides team-level security health reports that administrators can act on across the entire organization.

In real-world testing, users importing existing credentials from browser password managers typically see Watchtower flag 15–20% of stored passwords as compromised, reused, or weak - a number that underscores why passive storage alone is not enough.

Travel Mode

Travel Mode is a feature unique to 1Password and unmatched by competitors at scale. When activated from your web dashboard, it removes any vault not marked as "Safe for Travel" from all your devices. If your device is inspected at a border crossing, sensitive work or financial vaults simply are not present on the device.

Once you have cleared customs, a single toggle in your settings restores everything instantly. For companies with employees who travel internationally - particularly into jurisdictions where device inspection is common - Travel Mode is not just a convenience. In many regulated industries, it is a compliance necessity.

Passkey Support

1Password has achieved full FIDO2-compliant passkey support in 2026. Passkeys use a public-private key pair generated on your device. The private key stays locked in your vault, structurally eliminating phishing, credential stuffing, and social engineering attacks. Users authenticate via Face ID, Touch ID, or fingerprint scanning.

That said, passkey adoption across the web remains in its early stages. Roughly 15–20% of major websites currently support passkeys, so traditional passwords remain necessary for the majority of accounts. 1Password bridges both worlds seamlessly.

Secure Sharing

1Password allows you to share individual credentials or entire vaults with family members, team members, or external collaborators - without exposing the underlying password. Business plans include up to 20 guest accounts per user for contractors and partners, with temporary sharing links that can be set to expire.

Two-Factor Authentication in 1Password

Two-factor authentication (2FA) is relevant to 1Password in two distinct ways: protecting your 1Password account itself, and using 1Password as a TOTP authenticator for other services.

Protecting Your 1Password Account with 2FA

You can enable 2FA on your 1Password account so that signing in on a new device requires both your master password/Secret Key and a time-based one-time password (TOTP) or hardware security key.

Setup steps:

  1. Install a separate authenticator app on your mobile device (Authy, Microsoft Authenticator, Google Authenticator, or a dedicated 2FA tool like Daito).

  2. Sign in to your account at 1Password.com.

  3. Navigate to your profile and select Manage Two-Factor Authentication

  4. Click Set Up App . A QR code will appear.

  5. Scan the QR code with your authenticator app.

  6. Enter the six-digit code displayed in the authenticator to confirm.

  7. Store the 16-character backup secret from the setup screen in a safe location - ideally alongside your 1Password Emergency Kit.

Important: Do not store the 2FA codes for your 1Password account inside 1Password itself. That would be the equivalent of locking your house key inside the house. Use a separate authenticator app or hardware key.

1Password also supports hardware security keys (YubiKey, Titan, and other FIDO2/WebAuthn-compatible keys) as a second factor. Once registered, you simply insert the key and tap when prompted - no six-digit code required.

For business accounts, administrators can enforce 2FA policies across the entire organization and integrate with Duo Security for centralized authentication management.

Using 1Password as a TOTP Authenticator

Beyond protecting your own 1Password account, 1Password can function as a TOTP authenticator for other services - generating and autofilling six-digit codes just like Google Authenticator or Authy.

To add a TOTP code to a login item:

  1. Open the login item in 1Password and select Edit

  2. Select Add More then choose One-Time Password

  3. Scan the QR code provided by the website, or paste the secret key manually.

  4. Save the item. 1Password will now generate and autofill TOTP codes for that login.

This consolidates passwords and 2FA codes in a single encrypted application. Watchtower will also proactively notify you when accounts in your vault support 2FA but do not yet have it configured - closing a gap that most users overlook.

A note on security trade-offs: Storing TOTP codes alongside passwords in the same vault is more convenient but means a single compromised vault exposes both factors. Organizations with stricter security requirements often choose to keep 2FA codes in a dedicated, separate authenticator like Daito - especially for high-value accounts like banking, infrastructure access, or admin panels.



Daito 2FA Blog Banner (2)

Pricing Breakdown (2026)

1Password does not offer a free tier. All plans include a 14-day free trial with full feature access.

Plan

Price

Billing

Coverage

Individual

$2.99/month

Billed annually ($35.88/year)

1 user

Families

$4.49/month

Billed annually ($53.88/year)

Up to 5 users

Teams Starter Pack

$19.95/month

Billed annually

Up to 10 users (flat rate)

Business

$7.99/user/month

Billed annually

Unlimited users

Enterprise

Custom pricing

Annual contract

100+ users, dedicated support

Monthly billing is available at higher rates: $3.99/month for Individual, $7.99/month for Families, $24.95/month for Teams, and $9.99/user/month for Business.

Key plan differences:

  • The Individual plan includes Watchtower, 1 GB document storage, Travel Mode, and passkey support - but no vault sharing or guest accounts.

  • The Families plan adds unlimited shared vaults, account recovery options, and vault permission controls. At full capacity, it works out to $0.90 per user per month - the lowest per-user cost in the lineup.

  • The Teams Starter Pack adds SSO integration with major identity providers (Okta, Microsoft Entra ID, Google Workspace, JumpCloud, OneLogin, and others) and basic admin controls. At 10 users, the effective per-user cost is $1.99/month.

  • The Business plan adds enforced 2FA, SCIM provisioning, full SIEM integration (Datadog, Splunk), device trust enforcement, custom security policies, compliance certifications (SOC 2 Type 2, ISO 27001, GDPR, HIPAA), and up to 20 guest accounts per user. Every Business user also receives a complimentary Families plan for personal use - a $53.88/year value.

  • The Enterprise plan adds a dedicated Customer Success Manager, personalized onboarding, quarterly business reviews, and 24/7 phone support. Custom pricing requires direct engagement with the 1Password sales team.

Additional cost considerations: Prorated charges apply when adding users mid-cycle. International customers should budget an additional 5–21% for VAT or GST depending on jurisdiction, and non-USD billing may incur 1–3% foreign transaction fees from banks.

Business and Enterprise Integrations

1Password Business connects to the identity and security infrastructure most organizations already use:

  • Single Sign-On (SSO): Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, JumpCloud, OneLogin, Rippling, Duo, Auth0, and Ping Identity.

  • SCIM Provisioning: Automated user lifecycle management that syncs with HR systems - new hires get provisioned, departing employees get deprovisioned, automatically.

  • SIEM Integration: Real-time event streaming to Splunk, Elastic, Sumo Logic, Panther, and Datadog for centralized security monitoring.

  • Developer Tools: SSH key management, Git commit signing, a full CLI tool, SDK support, and Secrets Automation for injecting credentials into CI/CD pipelines.

  • Vault Architecture: Unlimited vaults with granular, role-based access controls at the vault, collection, and item level. Create group structures that mirror your org chart - Engineering accesses Development and CI/CD vaults, Marketing accesses CMS and Analytics vaults, and so on.

Getting Started: A Quick-Start Checklist

  1. Sign up for a 14-day free trial at 1password.com. No credit card required.

  2. Save your Emergency Kit - the PDF containing your Secret Key, sign-in address, and account email. Store it somewhere physically secure and offline.

  3. Install apps and browser extensions on all your devices (desktop, mobile, and browser).

  4. Import existing passwords from your browser or previous password manager using 1Password's built-in import tool.

  5. Run Watchtower to identify compromised, weak, and reused passwords. Prioritize fixing any credentials flagged as breached.

  6. Enable 2FA on your 1Password account using a separate authenticator app or hardware security key.

  7. Add TOTP codes for your most critical accounts (email, banking, cloud services, admin panels) directly in 1Password.

  8. Set up Travel Mode if you or your team travel internationally - mark non-essential vaults and test the toggle before your next trip.

  9. Create shared vaults (Families/Teams/Business) and invite members with appropriate permission levels.

  10. Review Watchtower monthly to catch newly compromised credentials and accounts that have added passkey or 2FA support.

The Bottom Line

1Password is not the cheapest password manager available, and it does not offer a permanent free tier. What it does offer is a security architecture - dual-key encryption, zero-knowledge design, and a clean breach record - that most competitors have not matched. Combined with Watchtower's proactive monitoring, Travel Mode, full passkey support, and deep business integrations, it remains one of the most comprehensive credential management platforms on the market.

For individuals, the $2.99/month annual plan provides robust protection at a low cost. For businesses, the per-user investment pays for itself the first time Watchtower catches a compromised credential before it becomes an incident - and given that the average cost of a data breach exceeded $4.8 million in 2024 (IBM), that arithmetic is straightforward.

Strong passwords are the foundation. Two-factor authentication is the reinforcement. A password manager like 1Password is where both come together.



If you like to learn more about other top password managers, you can read our LastPass Nordpass and Bitwarden guides.

Disclaimer: Please note that some observations and opinions within this article are personal assessments and may not reflect universal views. Pricing, features, and security landscapes for services like LastPass are subject to change rapidly. We strongly advise conducting your own thorough research and verifying the latest information on the official LastPass website or other authoritative sources before making any decisions.

Top Authenticator Guides

Explore our other insightful guides and articles on two-factor authentication to deepen your understanding of online security best practices.

The Top 5 Authenticator Apps 2025

Review of some best authentication tools, such as Google Authenticator, Microsoft Authenticator, Duo, Yubico, and Daito 2FA.

Microsoft Authenticator Guide

Strong identity authentication is crucial in the digitally connected world of today. As we manage an increasing number of online accounts, the risk of stolen...

Google Authenticator Guide

Google Authenticator has become one of the most widely used two-factor authentication (2FA) apps, helping to secure millions of online accounts...