Feature Request - Time-delayed shared vault?
x-posted w/ Reddit. Figured this is probably the better place to ask
Background: Interested in setting up 1Password for the family. Read other links about how setting up emergency access similar to Dashlane or LastPass is a no-go for 1Password. Also looked over the "restoring access" part of the white paper - but tbh am not super technical so probably don't understand a lot.
Question: Has there been any discussion about a time-delayed shared vault? The white paper says "the server prevents a member... from obtaining vault keys". So couldn't the server allow someone to access a shared vault using the group's public key? While account recovery requires an action from the original user, could it be flipped so the shared vault allows access if the original user doesn't take action after a certain amount of time? I.e. A hides her email username/password in a time-delayed shared vault that is shared with B. A becomes incapacitated. B requests access to that time-delayed shared vault. After x amount of days, B receives access to that shared vault.
Thank you! Apologies if i missed a previous thread that covered this, or if it makes 0 technical sense.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @as3adtintin
It seems the difficulty with what you are proposing is that it would require the server to hold the encryption keys 'in escrow'. It is possible there is another way to do this, but I can say with some certainty that we don't want to build features that would require us to have access to customers' keys. All the same I'll pass along the feedback to the dev team to see if this is something we can accommodate.
Thanks!
Ben
0 -
Hmm. Thanks, Ben, for that quick response (checks watch)!
Maybe I'm misunderstanding the recovery section of the white paper, but doesn't the encrypted shared vault key (Rv) live on the server? Wouldn't it be pretty much the same as the current recovery process, until step 6/7? And similar to step 9, Bob could decrypt Rv and then use the decrypted vault key to access the shared vault? And then the vault would be treated like a normal shared vault with a copy of the vault key encrypted w/ Bob's public key.
0 -
I think there may be some confusion here on public vs private keys, but I've asked our security team to review and provide a more substantial response. :)
Ben
0 -
Ok, look forward to their response. Thanks, Ben, for the follow-up!
0 -
Oh, this is an interesting idea. In a sense, the server would detect a certain time of inactivity, and then would initiate, on its own, what looks like a later step of the Recovery process. It also would need to allow the member take over to go to a different email address.
There are obvious risks to this, but those can be chosen by those opting into the feature. But there are some not so obvious risks that we would have to work to avoid. For one thing, we would need to optin for the feature to cryptographically signed. We’d also have to see whether we make the group distinct from the Recovery Group.
We’ve also tried to separate metadata like “last activity” from the core user data, so that we have principled controls and limitations on what can talk to what data. But we do have data flow in the needed direction for report generation. Still report generation is a nicely sequestered activity, and we’d need to punch a hole in a wall for this.
It would take a fair amount of analysis to look at what new opportunities for abuse and attack this might offer. But this is a really cool idea to think about.
0 -
Thanks for the reply @jpgoldberg ! My thought was that Bob would request access, and then the server would detect a certain time of inactivity - but otherwise I think the same as you wrote. Either way, seems like the risks you outlined would be similar.
Anyways, I appreciate the 1Password's team's time in help me understanding how your the recovery process works and could work.
Just another user thinking about moving from LastPass but would miss something like their emergency access feature. Stay safe! Best,
as3adtintin0 -
Thanks for the feedback on this situation @as3adtintin. :)
Ben
0 -
@as3adtintin i too have been weighting up which service to use .. and on the isssue of emergency access,
i have come up with a plan that could be implemented now, and allow for change latter...
using a 'dead-mans-switch' type email, using either a 3rd party service, or googles built in one ( https://myaccount.google.com/inactive )
so if your using an android you would already have this facility open to you now for free...so you can set that at 3 months, it gives the option of adding email address((s) to send custom message once triggered
so within you chosen msg would be say your secret key, along with a way/location of your master key... (so they are not kept together!)
or if you wanted to be even more secure, half of the secret key, with other half in Will, and instructions for obtaining master pass (its hidden location, user/pass of a online location etc etc)0