The 1Password digital vault and password manager has added built-in protection against phishing URLs to help users identify malicious pages and prevent them from sharing account credentials with threat actors.
The subscription-based password management service is widely used in enterprise environments by many well-known organizations. Recently, Windows added support for native passkey management via 1Password.
Like all tools of this kind, 1Password will not fill in a user’s login data when visiting a website with a URL that does not match the one stored in their vault.
While this provides intrinsic protection against phishing attempts, some users may still fail to recognize that something is wrong and attempt to enter account credentials on dangerous pages.
As 1Password admits, relying on this protective layer alone is not enough from a security perspective because users may still fall for typosquatted domains, where the threat actor registers a misspelled or similar-looking domain name.
Users may still think they landed on the correct site, but their password manager glitched out, or that their vault is still locked, and proceed to enter the credentials manually.
To address this security gap, 1Password users now receive a warning message when visiting a website with a URL that doesn’t match the one saved in their vault. This warning explicitly states that the URL is unrecognized and advises against entering any credentials.
The company explains that this new feature aims to make it clearer to users that they are on a potentially malicious site, even if they believe their password manager is malfunctioning. The warning is designed to prevent users from overriding the security measures and manually entering their passwords on phishing pages.
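The behaviour described above, sketched as an added example that is not 1Password's code: autofill only on an exact saved host, and a warning when the visited host is a near miss of a saved one. The vault entries, hostnames, function names and the edit-distance threshold of 2 are assumptions made for illustration.

```javascript
// Added illustration, not 1Password's implementation.
// Vault entries, hostnames and the distance threshold are constructed assumptions.
const VAULT = [
  { title: "Example Bank", url: "https://login.examplebank.com/signin" },
  { title: "Example Mail", url: "https://mail.example.org/" },
];

// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Decide what to do on the visited page:
//   "fill" - host equals a saved host, autofill is allowed
//   "warn" - host differs from a saved host by a few characters (likely typosquat)
//   "none" - no saved login resembles this host, or the URL is unusable
function checkPage(visitedUrl, vault = VAULT, maxDistance = 2) {
  let host;
  try {
    const u = new URL(visitedUrl);
    if (u.protocol !== "https:") return { action: "none", reason: "not https" };
    host = u.hostname; // URL lowercases the host and punycodes IDN labels
  } catch {
    return { action: "none", reason: "invalid URL" };
  }
  let closest = null;
  for (const entry of vault) {
    const saved = new URL(entry.url).hostname;
    if (saved === host) return { action: "fill", entry: entry.title };
    const d = editDistance(host, saved);
    if (d <= maxDistance && (!closest || d < closest.distance)) {
      closest = { entry: entry.title, saved, distance: d };
    }
  }
  if (!closest) return { action: "none", reason: "no similar saved login" };
  return { action: "warn", ...closest,
    message: `${host} is not the saved site ${closest.saved}; do not enter credentials` };
}
```

Edit distance on the full hostname is only one lookalike signal; a production check would also compare registrable domains using the Public Suffix List.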
1Password says the new phishing URL protection is rolling out to all users and is enabled by default. No action is required from the user to benefit from this added security layer.
