Feature Request: Opt out of Account Recovery
Account Recovery is a dangerous feature if you want to collaborate as a team without trusting the administrator.
If the administrator is centrally managing emails, the administrator can initiate the recovery himself and view the master password reset emails that are sent to the user. Even if the administrator is not malicious, the same situation can occur due to threats, fraud, and email system attacks.
To prevent this, I propose an Account Recovery opt-out feature.
When opting out, access from 1Password employees, law enforcement agencies, etc. must be prevented.
The Dashlane implementation is a good reference.
It is also a good mechanism to allow recovery requests and recovery only from the device, not email.
Please improve according to this.
Thank you.
Comments
-
Hi @poorfuse7
Thanks for the suggestion. :+1: We don't currently have any plans to change this, but I'll pass the feedback along to our development team for their consideration. We do discuss the risks associated with the design of recovery in the "recovery risks" section (pg. 40) of our 1Password Security Design White Paper, along with some recommendations on mitigating those risks.
Ben
0 -
Thank you for your sincere reply.
The current best practice seems to be to set up each mail service that users trust.
I will wait patiently.
0 -
@poorfuse7, on behalf of Ben, you are very welcome!
Have a wonderful day :)
0