Recovery Administrator best practices for email admins
I am evaluating the security of our 1Password Teams account and think I've run into an issue.
My Recovery Administrators are also email administrators for our domain and so they (or a compromised account) could take over any other team members 1Password account. I tried to change the email address on my account for this reason and was unable to. Am I able to add an admin-only user? Is there a better idea?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @headhertz
Thanks for taking the time to write in. I'd be happy to help with these questions.
My Recovery Administrators are also email administrators for our domain
This is fairly typical. Many organizations have an IT / devops department that is responsible for both areas.
and so they (or a compromised account) could take over any other team members 1Password account.
Yes, this is true, and in some organizations is desirable (e.g. in the event a terminated employee had stored important credentials in their Personal vault instead of a shared vault). Generally we recommend that end-users consider any data stored in a business membership to be considered the property of the business. Non-business data should be stored in a separate membership. Things we would recommend storing in the personal vault of the business membership are business related items that are unique to the team member, such as their email account credentials, voicemail PIN, etc. Our 1Password Businesses plan includes a 1Password Families membership for each team member for the purpose of storing items that are not work related. An admin on the business account would not be able to recover accounts within the 1Password Families membership — the two are independent except for billing purposes.
Link a family account to your business account
As far as one of these admin accounts being compromised... what do you imagine the attack vector being? We may be able to make some suggestions as to how to mitigate the risk. For example, do such admins have MFA enabled for both 1Password and the management of your email system? If so it seems an attacker would need both access to an admin's computer as well as their 1Password Master Password and their email system management password (which should be different).
I tried to change the email address on my account for this reason and was unable to.
You may need to adjust the "Allowed Domains" setting on the Invitations page of your dashboard if you want to allow folks to use email addresses from outside of your work domain. Before doing so I'd recommend evaluating the risks associated with that as well:
https://start.1password.com/invitationsAm I able to add an admin-only user?
I'm not sure what you mean by an 'admin-only' user. Could you please clarify / elaborate?
Ben
0 -
Hi, @Ben! Thank you for your reply.
Sorry I missed the Allowed Domains setting. I looked but could not find it. I believe I understand the tradeoff between the inability to recover a departed user's account and the ability to take over an account. I wish for a better solution.
We do use 1Password Families for personal items. The concern is more closely related to the area of privilege escalation.
I would say that the most likely attack scenario is through malware on a workstation. With full system access it seems that an attacker could gain access to an unlocked vault and haul any passwords contained therein. That could lead to the discovery of a users 1Password password and key (I keep mine there for convenience). As though that wouldn't be bad enough, the attacker could also gain access to credentials that could be use to intercept mail (mail gateway, mail server, DNS server, registrar, network gear, etc.) which could then be used to take over other team-members' 1Password accounts that have access to more critical credentials.
One way to mitigate this would be limiting who has permissions to initiate recovery of 1Password accounts but we are a small team and there is safety in numbers in case one of us gets legitimately locked out. Some of us use MFA but it is not currently required. I believe that requiring MFA for every recovery would defeat an attack such as this.
By Admin-Only, I meant a user that is only a Recovery Administrator and does not incur a licensing cost.
0 -
Sorry I missed the Allowed Domains setting
No worries. Admittedly I had to pull up my account and look to remember where it was too. ;)
I believe I understand the tradeoff between the inability to recover a departed user's account and the ability to take over an account. I wish for a better solution.
Fair enough.
I would say that the most likely attack scenario is through malware on a workstation. With full system access it seems that an attacker could gain access to an unlocked vault and haul any passwords contained therein. That could lead to the discovery of a users 1Password password and key (I keep mine there for convenience). As though that wouldn't be bad enough, the attacker could also gain access to credentials that could be use to intercept mail (mail gateway, mail server, DNS server, registrar, network gear, etc.) which could then be used to take over other team-members' 1Password accounts that have access to more critical credentials.
Alright, so let's evaluate this for a moment... If the concern is malware and privilege escalation, and the perceived target is your IT department (or whatever your organizational equivalent is)... wouldn't the malware on their systems be able to do that regardless of 1Password being a part of the equation?
One way to mitigate this would be limiting who has permissions to initiate recovery of 1Password accounts but we are a small team and there is safety in numbers in case one of us gets legitimately locked out.
Agreed. I tend to encourage more recovery capable folks than less, with a point of diminishing returns (which then eventually reaches a point of absurdity). I once interacted with a team which had added the "team members" group to the "recovery" group, thus making it so anyone could help recover anyone else's account. I advised that probably wasn't the best way to meet their goals. :)
Some of us use MFA but it is not currently required. I believe that requiring MFA for every recovery would defeat an attack such as this.
That may be something to consider then. You can enforce MFA with Advanced Protection:
About 1Password Advanced Protection
Though I don't think MFA would actually stop a malware infection on an IT admin's machine from doing anything that it wants to do.
By Admin-Only, I meant a user that is only a Recovery Administrator and does not incur a licensing cost.
Ah. Not at present, no. The idea being having a recovery account that nobody is using routinely, but is only logged into when someone actually needs recovery performed? I can certainly pass the idea along to the team.
Ben
0 -
@Ben, Thank you for your thoughts on this issue.
Alright, so let's evaluate this for a moment... If the concern is malware and privilege escalation, and the perceived target is your IT department (or whatever your organizational equivalent is)... wouldn't the malware on their systems be able to do that regardless of 1Password being a part of the equation?
"Do that" as in leverage a compromised vault to take over everything in any team members' password vault? No, I think that is unique to online password vaults. Perhaps even to 1Password when Recovery Administrators can gain access to any email for a domain?
That may be something to consider then. You can enforce MFA with Advanced Protection:
True. I believe we are moving that direction, however MFA is only required for new device registrations and unable to be required for specific actions that I can see. In my example it would be trivial to borrow the cookie from a previously authenticated browser or to execute the attack using the previously authenticated browser on a victim workstation. Ideally, I would like to specify that all browser sessions require MFA or that all recoveries require MFA (even if that browser has been used before) in the Advanced Protection window.
Though I don't think MFA would actually stop a malware infection on an IT admin's machine from doing anything that it wants to do.
I am not sure I agree with that if "anything that it wants to do" includes taking over other team members' vaults and initiating a recovery requires MFA.
0 -
@headhertz: What Ben means is that malware on an admin's machine would allow the attacker to do anything that admin has the power to do, by using their access. Two-factor authentication would prevent the attacker from being able to sign into their 1Password account if they captured the Secret Key and Master Password, butter position they could instead present the admin user with a fake two-factor challenge and use the code themselves when the admin user provide it. While not all malicious actors are skilled and intelligent, we should not count on them not being so. Someone targeting your organization is probably motivated. To clarify, 1Password does not use "cookies" to maintain authentication. Someone in that position would not need anything like that anyway, since they can capture your data or credentials as you use them. Two-factor authentication just prevents them from using it to sign in at a later time. None of this is specific to 1Password, though obviously in the context of this discussion that's your concern; we shouldn't lose sign of the fact that security hygiene affects any of your sensitive data. An attacker gaining access to one of your admins' email accounts would likely be devastating regardless of what other software you happen to use.
0 -
Two-factor authentication would prevent the attacker from being able to sign into their 1Password account if they captured the Secret Key and Master Password, [but in their position] they could instead present the admin user with a fake two-factor challenge and use the code themselves when the admin user provide it.
I can agree with that to an extent. It would force the attacker into a realtime attack when the second factor is present however so I would not say that the added security would be pointless.
Someone in that position would not need anything like that anyway, since they can capture your data or credentials as you use them. Two-factor authentication just prevents them from using it to sign in at a later time.
Agreed.
None of this is specific to 1Password, though obviously in the context of this discussion that's your concern; we shouldn't lose sign of the fact that security hygiene affects any of your sensitive data. An attacker gaining access to one of your admins' email accounts would likely be devastating regardless of what other software you happen to use.
What IS specific to 1Password, and perhaps also other password management systems with recovery capability, is the ability to leverage the recovery mechanism to take over OTHER VAULTS. In our organization the front-line Techs need to be able to work on email issues. They also occasionally meet compromised computers. This essentially means that they cannot also be allowed the Recover Accounts permissions in 1Password.
0 -
@headhertz: I don't believe I said "pointless". It's just important too keep in mind what sorts of attacks two-factor authentication can protect against, and those it does not. :)
What IS specific to 1Password, and perhaps also other password management systems with recovery capability, is the ability to leverage the recovery mechanism to take over OTHER VAULTS. In our organization the front-line Techs need to be able to work on email issues. They also occasionally meet compromised computers. This essentially means that they cannot also be allowed the Recover Accounts permissions in 1Password.
It's not specific to 1Password though, because many, many people use 1Password in families and businesses which do not have that same risk. It arises only if you're giving the same people who effectively have access to everyone's email accounts recovery access as well. I'm not saying those are bad people and they shouldn't be trusted or anything, as even if they are the most trustworthy colleagues you have it doesn't matter if one of them gets infected and is used as an attack vector. Everyone makes mistakes, and identifying "synergies" like this allows you to structure and compartmentalize to reduce risk in your company. :+1:
0 -
the ability to leverage the recovery mechanism to take over OTHER VAULTS.
I understand where you're coming from, but in most of the organizations I've dealt with if someone is both a 1Password recovery member as well as an administrator for the company's email system... they are probably also an admin for most if not all of the other systems people would be storing credentials for. In any event, as brenty alluded, you may wish to split the roles of your IT team such that one individual never has both recovery abilities as well as email admin abilities if this is a concern to your organization.
Ben
0 -
Thank you, Gentelmen, for your thoughts on this. Would you allow me a related follow-on question?
Cryptographically speaking, do recovery administrators have access to all team vaults and only the inconvenience or accessing them with other tools or are recovery administrators somehow cyptographically separated from those items and forced to go through the recovery/intercept process to take over a vault?
I'm thinking about the value of an administrators' email domain that hosted and managed outside the control of our Recovery Administrators.
0 -
Thank you, Gentelmen, for your thoughts on this. Would you allow me a related follow-on question?
You're very welcome, and yes of course you're welcome to ask any questions you have. :)
Cryptographically speaking, do recovery administrators have access to all team vaults and only the inconvenience or accessing them with other tools or are recovery administrators somehow cyptographically separated from those items and forced to go through the recovery/intercept process to take over a vault?
Recovery administrators have all the keys to the kingdom, cryptographically speaking, but policies enforced on the server prevent them from accessing or using those keys except as allowed by their role. This same type of policy is what prevents users who have read-only access from making changes in a vault. These types of controls are considered the second strongest of the three types we have: those enforced by cryptography are the strongest, followed by those enforced by the server, and then those enforced by the client apps. In some cases there are multiple layers of enforcement happening. E.g. just because something is protected by cryptography doesn't mean we don't also build enforcement for it into the other layers.
Pages 33 – 43 of the security design white paper cover this in more detail:
1Password Security Design White Paper
I'm thinking about the value of an administrators' email domain that hosted and managed outside the control of our Recovery Administrators.
There may be some value in that. :)
Ben
0