Private account when my wife and I both have family organizer access?

Seneca
Community Member

In the past, the help here has been excellent.

I've been looking around here today and have not been able to find an answer to my question. I appreciate any help you can provide in advance.

Many years ago, I started with a 1Password account. About two years ago, we went to a family account, which pretty much was used like the old 1Password account, where both my wife and I have access to the master password for the primary vault that we moved over.

Here's what I'm looking to do. I'm starting a new job in January, and one of the best practices is that login passwords be kept separate from our family passwords. Is there a way to set up a vault in the family ecosystem where I would be the only one that would have access to the vault? It looks to me like whoever has master password access would be able to access all the vaults or review all the vaults at the same time.

Currently, my wife and I both have master password access, which effectively gives both of us keys to the entire kingdom. What would be the best method to allow my wife to have access to all of the vaults except one and have other accounts for my children again that we would be able to access and one separate account that only I would have access to?

Any help or resources that you could provide would be appreciated.

Happy new year!



Comments

  • @Seneca

    To correctly set up this type of scenario, you would have to break up the kingdom. It would start by creating additional users. Each user would need separate account logins, with Master Passwords, and they would need individual OS user accounts for Mac/PC. Log them out of their respective devices and set up those devices with their newly created account credentials. You would create a vault that only you can access for those work items. Place any items that you wish to share in a shared vault between the accounts.
    If this is something you wish to pursue, you would likely want to review this link.
    https://support.1password.com/family-sharing/

    • I am going with the assumption that you are using a single account on all of your devices. You may already have additional user accounts set up.

    It's something you can accomplish with a little resolve. The wife and I did it quite a few years ago. I would suggest working with one user account and getting it working correctly on one device. From here, add additional devices as needed for the user, and finally adding in the other users and their devices.

  • Seneca
    Community Member

    I appreciate the reply.

    So under a family plan, there's no way to create a vault that the group organizer would not have access to?

    Looking at the Apple interface on my Mac, it seems like there would be issues with rolling back from a family plan to two single different accounts in the same user account on my Mac. I really would like to have my wife have access to everything except one of the vaults. We share the same user account on the computer for a number of different reasons. We also have the same Apple ID enabled on two iPhones for the same reason as well. There are a lot of reasons that we have this set up; I won't go into all of them, but for example, she regularly updates many of the credentials in my account, so I would want her to have full access except for one vault.

    If we set up user accounts as you suggested above and she was not the group organizer, if she changes a shared item, would that update to my vault if she was not the group manager?

    Even though we've had this family account for almost 2 years, it is still operating like a single user account.

    I'm open to any suggestions.

    Would it be even better to consider a second password manager?

  • Let's try to clarify a few things that were likely assumptions on my part.

    Would you be accessing the work vault from any device she has access to? Or would you only be accessing that vault from a work computer, and your personal mobile devices?

  • Seneca
    Community Member

    I am going to be doing remote support for a legal and tax firm from my home office. Security and confidentiality, including the legal concept of privilege, apply to what I will be doing. I currently already work in this area, so I'm pretty comfortable with our current level of cybersecurity for my business. My wife is my assistant in our other business, so in that role she would have access to our documents, and the principle of "work product" would still apply. This means a court would not be able to order her to produce a document or login that I would be protected from producing. But my new employer does not want her to have access because that legal privilege would not apply to her, only me as an employee. The firm does not employ her. Hopefully, that makes sense.

    My wife would have access to my mobile phone but would not regularly use it. She knows the passcode and obviously knows the 1Password master password to our family account.

    As for the desktop, it would be on a home office iMac on which we both use the same user account. So again she would have access to an administrator's account and the 1Password login.

    What I'm trying to do is have a secure encrypted vault that she would not know the password to comply with my new employer's request. I am not enthused in any way of establishing a second user account on my iMac, which would involve a lot of work when a second encrypted vault that only I would have access to put passwords and documents etc. would solve the problem.

    It looks to me that on the Mac computer, or on iOS, you can only have one 1Password account to log into, so I don't even have a solution for having two separate 1Password accounts in the same user account on either my iPhone or Mac.

    I know I'm probably an odd use case. Still, I like 1Password and was hoping we could find a solution other than creating an encrypted disk image with files in it, etc., thus not allowing me to access items on my iPhone or iPad, particularly logins. A very kludgy solution.

    **This is not going to be a large account. It is only going to be about 1/2 a dozen logins and a small number of documents, as we have a file sharing app for the majority of the documents that I will be interacting with for the firm. For example, the login credentials for the filesharing site and my new employer's website are precisely what I'm looking to use the separate vault for. I'm not allowed to keep those even in an Apple keychain if anyone else has access to the user account.**

    Again hopefully, this all makes sense.

    I really appreciate your help and follow-up. Thank you.

  • Lars
    1Password Alumni

    @Seneca - hey there. I totally understand both your legal need to keep things appropriately segregated between work and personal life, as well as your desire not to have to do a ton of work to set things up differently than they are now. Unfortunately, I think you may have reached an impasse where either one of those things is achievable, but not both.

    When it comes to 1Password Families accounts, as ag_tommy mentioned, the usual way to keep things separate is to have the person who sets up the account (the Family Organizer -- you, in this case) invite other family members to join you. They set up their own account as part of the overall 1Password Families account, and they have their own Secret Key, Master Password and also their own Private vault. I share nearly everything with my wife as well...but there are still some items that are just better-segregated into Private vaults. For example, we each have a Twitter account and a Facebook account. If we did not have separate Private vaults, then there would be two Logins called "Twitter" or "Facebook" in our vault. Not only would that mean that every time we used ⌘\ or clicked the browser extension while on the login pages of either site, instead of getting our data filled, we'd have to select from a choice of two, but also, having two different Login items named the same thing would be confusing, forcing us to edit the names of the items ("Twitter - Lars", etc) or live with the ambiguity. We DO - and you can - keep many if not most of our items in the Shared vault, which all family members have access to. That allows the same kind of "shared access to (nearly) everything" that you were describing, but still keeps certain items in Private vaults, to avoid confusion.

    The other huge benefit of doing things this way is that you can create a new vault and invite only yourself to it. No one else on the account would have access to that vault. That would satisfy your employer -- provided your Master Password was different from your wife's (and it should be, for this and other reasons). However, you wouldn't be able to share the same user account on Macs and iOS devices that allow Touch or Face ID, as that would once again break the requirements for confidentiality. If your wife (or anyone else) can access your Mac or iOS device with a fingerprint and unlock 1Password the same way, then the vault is not truly private to you only.

    There is no mechanism within 1Password to prevent this; you can't really both share and not-share something with another person simultaneously. If you give someone access to your own 1Password account/vault by either telling them your Master Password or allowing them biometric access, then...they can see/use/do everything you can. I agree your proposed alternate solution of creating an encrypted disk image that you couldn't access on other devices would be a kludgy solution indeed. From where I sit, it would be at least as easy and, once completed, much more flexible and useful, to bite the bullet and create a separate user account for your wife on various devices (I presume she does have her own phone or other iOS devices), and invite her as a separate family member with her own Master Password, Secret Key and Private vault. Hope that's helpful, even if it's not exactly what you were looking for.

  • Seneca
    Community Member

    I appreciate the detailed responses. Let me switch gears a little bit.

    Is there a way for me to take my primary vault, which my wife and I have used for over 10 years and make that a shared vault that we could access on all of our devices, and I could as the family organizer have a separate vault/user account for these work credentials?

    It appears to me when I log into the account under our master password that you would always have access to all vaults as the family organizer. Is there a way to demote the primary vault to a user account (not family organizer), change the master password as the family organizer, and have my wife and I regularly log into the primary vault with a new primary vault password as if we were both the same person but not the organizer?

    For example, create a different user account on my Mac, make that the family organizer account, which then could have a separate vault, and then my wife and I could continue to log in to our old primary vault as if we were the same person just accessing the information from different devices... 2 iPhones, iPad, iMac, and MacBook Pro under the same user account and Apple ID? I am thinking that I could be the family organizer in a different user account. I know the downside to this is that I would not have the login credentials on my iPhone and iPad, for example, but we do have an old iPhone that I could set up with as an Apple ID under that Apple ID/user account.

    If so, could you point me to a thread or post that would tell me how to do this?

  • ag_ana
    1Password Alumni

    @Seneca:

    If you are planning on using a Families account, have you considered simply creating two different users within the 1Password Families account, and sharing the Primary vault only with the second account?

  • williakz
    Community Member

    I'm guessing one source of confusion may be between full (excluding Private) vs. self-restricted access to member-created vaults and their contents exercisable by Family Organizers.

  • Seneca
    Community Member

    Hi ag_ana!

    Thank you for the suggestion.

    As I am sure you know, when I open 1Password, you have access to all vaults as the family organizer.

    My wife and I share the same user account on the Macs and are both logged in under the same Apple ID with 2 iPhones, an iPad, iMac, and MacBook Pro under the same user account and Apple ID. This means typing in our Master password gives us both access to all vaults.

    I have not found a way to have a separate vault segregated from the main vault. That's why I suggest above creating a different user account on my Mac, make that the "family organizer" account with a new Apple ID, but I am not sure this is going to work as planned, especially with the iOS devices. I am not sure if the iOS devices are going to get cranky about logging in and out of 2 Apple IDs regularly. Thoughts?

  • ag_ana
    1Password Alumni

    @Seneca:

    I have not found a way to have a separate vault segregated from the main vault. That's why I suggest above creating a different user account on my Mac, make that the "family organizer" account with a new Apple ID, but I am not sure this is going to work as planned, especially with the iOS devices.

    I don't think you would necessarily need a second Apple ID, but for sure you will need separate user accounts. The way you currently have things configured, you are basically authenticating as a single user to your devices, so your Macs and iOS devices see you and your wife as the same person, with no separation of data.

    Once you have multiple user accounts, you can install the 1Password apps in each user account, and create two users in the Families account too (one for each of you). This way, each of you will be able to log in to their own, separate 1Password app, and their own set of vaults (which won't necessarily be the same one as the Families organizer anymore).

This discussion has been closed.