Asana implements 1Password to protect sensitive credentials and customer data

All unauthorized access attempts blocked

Rolled out 1Password in one day

All Asana employees now use known, secure devices

Outcomes

• Moved from basic device security to full enforcement across sensitive systems without impacting the help-desk team workload or employee productivity. 

• Ensured all authentication occurs from approved, compliant devices.

• Simplified security reviews and requirements requested by Asana’s enterprise and government clients.

• Strengthened offboarding processes by revoking access from outgoing employees’ personal devices.

• Secured access with a straightforward deployment that balanced productivity and was embraced by engineering teams.

The ideal is a security tool that doesn’t impact users, is easy for IT to manage, and does what it’s supposed to do. 1Password meets those requirements.

Johan Dowdy
Global Head of IT and IT Security at Asana

Challenges

Asana is the System of Action for Work, where humans and AI collaborate to help individuals work smarter, teams move faster, and organizations deliver results. With a global workforce of 1,700, Asana needed a secure way to manage and share credentials while ensuring access to sensitive systems occurs only from authorized, compliant devices. 

Asana has been using 1Password Enterprise Password Manager since 2019, and in 2024, they added 1Password Device Trust to advance their goal of establishing a Zero Trust security environment. Global Head of IT and IT Security, Johan Dowdy, chose 1Password to advance their goal of establishing a Zero Trust security environment to address several key challenges:

• Credential management. Asana needed a single, secure place to protect and share credentials across its distributed teams.

• Device compliance. The company needed a way to verify compliance with its Acceptable Use Policy (AUP) and ensure employees accessed systems only from authorized devices.

• Regulatory and enterprise requirements. Growing compliance expectations, including FedRAMP and enterprise customer demands, required stronger, verifiable device and identity posture controls.

• Zero Trust entry point. The company needed a practical entry point into Zero Trust security without the disruption of large, complex tooling.

Choosing progress over disruption on the road to Zero Trust

Dowdy’s goal is to implement a Zero Trust network architecture for Asana for a stronger security posture. Zero Trust strategies can be costly, complex, multi-year undertakings that disrupt business. So Dowdy took a pragmatic, multi-stage approach, focusing first on what he considers the most critical piece of the Zero Trust puzzle: securing endpoints, and specifically, end-user devices. "We need to be confident our endpoints are secure and know that our end users are logging in to our systems only from devices we trust,” he says.

Dowdy chose 1Password for two key reasons. First, 1Password Enterprise Password Manager was already a trusted and widely adopted tool inside Asana. Second, 1Password Device Trust offered a much simpler and more effective way to block untrusted access than other solutions. 1Password Device Trust also provided seamless integration with Okta, Asana’s chosen Identity and Access Management (IAM) platform. 

Most important to Dowdy, the end-user experience would be transparent, with minimal friction and an extremely low help desk burden. If a device or action doesn’t comply with policy, it’s made clear to users that access is restricted. Meanwhile, high-touch onboarding and customer success support from 1Password enables rapid deployment and a smooth rollout for employees.

We chose 1Password because it gave us effective and user-friendly solutions to both fundamental and advanced security challenges.

Johan Dowdy
Global Head of IT and IT Security at Asana

Starting Zero Trust where it matters most: at the endpoint

1Password Device Trust works in tandem with Asana’s identity provider, Okta, to vet a device before granting access to sensitive applications. Checks ensure the user is on a managed, secure, and trusted work laptop, thus fulfilling a central tenet of Zero Trust security.

1Password Device Trust gives the IT team increased confidence in the onboarding process as well. Once an employee’s device is checked by Device Trust, they follow their usual SSO/Okta flow, which then unlocks 1Password EPM or grants them access to apps Asana has secured behind SSO. 

“Once this process is complete, employees can go about their day, with no further action required on their part,” explains Dowdy. “The security tools are designed to be transparent, with only a screen quickly flashing by every time a user authenticates with Okta.”

End-user devices are our most critical endpoints. We want to make sure people are logging in to our systems from devices we trust and can verify. 1Password Device Trust makes that possible.

Johan Dowdy
Global Head of IT and IT Security at Asana

To minimize disruption, Dowdy’s team deployed 1Password Device Trust methodically, introducing new Checks and policies in phases. This approach caused minimal employee disruption while achieving a major step toward Zero Trust security. “Moving beyond reliance on the Acceptable Use Policy, we can now truly verify that users are following protocols,” says Dowdy.

Blocking more threats while preserving productivity and help-desk capacity

Asana uses 1Password Enterprise Password Manager for teams to share passwords and other secrets like API keys and server management credentials. The solution gives Asana a single, secure place to protect every credential. It ensures that proprietary and critical access information, such as keys for production systems and server logins, is never stored in insecure formats like spreadsheets. 

With the full implementation of 1Password Device Trust, Asana moved from an environment with few device security controls to complete enforcement across its workforce. Dowdy’s team now has reliable monitoring capabilities, including visibility into user behavior and device access patterns. This visibility enables them to ensure that all authentication occurs from approved, compliant devices. 

As a result, Asana has secured the vast majority of device sign-ins. All users in the Asana ecosystem now have a known, compliant device. All unauthorized access attempts are blocked. Asana has implemented a wide range of Checks, including MDM, CS Falcon Sensor, macOS/Windows updates, and FileVault/disk encryption, among many others. The company has also gained clear, verifiable controls that lead to better results in security reviews for enterprise and government customers.

It’s a much lighter lift if you start with 1Password Device Trust as the first piece in the Zero Trust puzzle. We’ve been running the solution for months, and so far, there’s been no complaint.

Johan Dowdy
Global Head of IT and IT Security at Asana

Asana was able to rapidly implement the technology and then gradually refine enforcement, based on business needs and user readiness. 1Password also gave the IT team increased confidence in the offboarding process: Employees use 1Password Device Trust from day one without disruption, and access from personal devices is removed as soon as their employment ends. 1Password Device Trust also adds an additional layer of security for the IT team, so that even if an abruptly exited employee still possesses their corporate credentials, they are immediately prevented from logging into company resources from an untrusted personal device.

All of this was achieved with minimal impact on the employee experience. “With 1Password, we achieved a critical security upgrade with a deployment that avoided productivity loss or engineering resistance,” Dowdy says. 

Building a layered Zero Trust architecture on strong endpoint integrity

Dowdy plans to slowly build on its new Zero Trust network architecture. With 1Password Device Trust in place to ensure devices are known and healthy, Dowdy is confident his team has the foundation needed to further secure the business.

As he expands Asana’s Zero Trust security, Dowdy will continue to take a pragmatic, “lighter lift” approach to minimize disruption and maximize adoption.

“Operating successfully at the intersection of people and technology means providing people with the digital access they need to be productive, while keeping their systems secure and compliant,” says Dowdy. “We’re doing that with 1Password.”