So, all my people get issued a secret key and they're supposed to do what with it?
I'm considering moving from LastPass to 1Password. Company is ~30 people over 4 locations in 3 states.
When I invite a user to set up an account, they get a Secret Key issued to them. Now, what are they supposed to do with that? Memorize it? Put it in a file cabinet? Tattoo it on themselves? Leave it in a PDF on their computer somewhere?
The PDF it generates: isn't this the hacker's dream--to have a single sheet confirming the service name, the account login URL, the username, one element of the authentication, and maybe even the master password if the person is foolish enough to write it WHERE THERE IS A SPECIFIC SPACE FOR IT.
I'm being glib, but what I'm getting at is that this seems like a bad idea--the best place to store keys like this is the one place that they can't--their 1Password Vault.
Am I missing something? Is this a known deficiency in the business product? Is there some elegant solution my mind is not seeing?
I've been a 1Password user for 5 years at home and use Family now--so I like the product--I literally signed my mom up two weeks ago (and tried to use the free gift that the CEO sent out on Thanksgiving--it was expired). I just never liked the Secret Key component.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
@blinkingsphinx: The best place to store the Emergency Kit is in a secure location, like a safe deposit box, in case of an actual emergency, where all of your devices have been lost, stolen, or destroyed (and with it the Secret Key in the app where you've signed in). You may never actually need it, because the Secret Key can be found in the app on any device you've already authorized, but it's better to be safe than sorry. Also, an admin on the account can help others recover theirs if they lock themselves out:
Recover accounts for family or team members
In most cases, all you will need is your Master Password to use 1Password on a day to day basis, with that stored safely in your brain. I hope this helps. Be sure to let me know if you have any other questions! :)
Thanks for your comment. The Secret Key construct is an ok/interesting solution for the individual and family.
I know 1Password started out as Individual, then went to Family/Team, then Business. The jump from Team to Business is big--as an IT Admin, I may not even really know the people I am deploying 1P to. ... I could go on, but I think anybody who has dealt with a 100+ employee company gets where I'm going. And think if you were going to deploy 1P to 500 to 1000 people and have 1000 PDFs and Secret Keys in 1000 people's hands. ...but I know there is no 1Password Enterprise ...yet.
It is a workable solution for me with ~30 people. I may just store the keys in a central location that is not 1Password and let them store it in 1Password and destroy the PDF.
All to say that my experience tells me you should alter the 1P Business user on-boarding process: you should 1.) make an option for the Admin to access the user Secret Keys through the admin's login, and/or 2.) an option to suppress the user's access to the Secret Key altogether (this would mean they would need an Admin OK to auth a device), and 3.) an option to prevent PDF creation and auto-download when a user first signs in.
On individual accounts, I'm sure there are a lot of sad people who lost their Secret Key and are not authorized on any devices, but that is not an issue in Teams/Business because of Admin account recovery options, so it is NOT critical that people store these safely.
@blinkingsphinx - one of the advantages of any 1password.com account besides (as you noted) an Individual account is the recovery feature. As long as you have at least two people with Administrator or higher (Owner) permissions, there will always be one person who can help anyone else (including the other Admin) recover their data, should they forget their Master Password or lose their Secret Key. That way, the account itself will never be in jeopardy unless ALL Admins were to forget/lose their credentials simultaneously. You're correct that in these cases, individual users would not necessarily need to keep an offline saved or printed copy of their Emergency Kit...but that's a call only you can make. If users don't save/have those offline copies, there will definitely be more people who lose/forget and have to come to you or other Admins for Recovery instead of just being able to refer to their Emergency Kits. If that trade-off seems better to you than potentially 30, 50, 400 people all running around with potentially insecurely-stored Emergency Kits (whether "hard copies" or digitally saved), then I'd say that's certainly a reasonable conclusion/strategy.
I'll pass along your thoughts on switching up the onboarding and access process, though I don't know how much traction allowing the Admins to actually possess the Secret Keys is going to get. Thanks for the suggestion(s)! :)