family organiser - recovery weak point

blacknell
blacknell
Community Member

I have a question about security related to vault recovery.

My understanding is that if someone can gain access to my email (as the family admin) then they can recover any of the family vaults. I know that email is essentially one of the most valuable assets to a hacker as, with it, they can initiate password recovery on websites etc.

That said, even if I take very strong measures to secure my email account, if someone who gets hold of my device they could access my email.

I'm very nervous about this. I'd like to dry-run recovery of a vault of one of my family members, because as I understand it, they will be notified of the recovery.

So I need your guidance.

1a. What are the steps needed to recover one of my family's vaults? I'm going to have my son create a new private vault as the test case.
1b. I'd like to do this with my son initiating so that is the real world scenario
1c. I'd like to recover it myself and see how he gets notified and how he can stop it

  1. What is the best practice for a family administrator to secure his/her email. I already use a secure password (stored in 1P) and also OTP (stored in 1P). My phone is Pin locked with FaceID. My Macs though? How to handle?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • SvenS1P
    edited May 2020

    Hi @blacknell, recovery can't be initiated from an email account; a family organizer must sign in to their account on 1Password.com first in order to start recovery. This means that you have the full protection of your Secret Key and Master Password — we aren't able to start recovery on our end because we don't know your Secret Key nor your Master Password. Only a family organizer can begin recovery, so if someone would like their account recovered they'll need to contact one of the family organizers for the account outside of 1Password. Following on from this, a family organizer that would like to have their own account recovered will need to contact another family organizer to go through the process with them.

    The whole process can be split into three stages:

    1. Initiating recovery (family organizer)
    2. Obtaining new sign in details (person having their account recovered)
    3. Completing recovery (family organizer)

    To initiate recovery:

    1. Sign in to your account on 1Password.com.
    2. Click People in the sidebar.
    3. Click the name of a person, then click Begin Recovery below the person's name.

    To obtain new sign in details:

    The person who is having their account recovered will receive an email after you initiate recovery with a link that will give them a new Secret Key and asks them to set a new Master Password. You'll always get a new Secret Key even if you knew the old one, but you can always choose the same Master Password during recovery.

    To complete a recovery:

    1. You'll be notified by email that a recovery is awaiting completion once someone has got their new Secret Key and Master Password. Click "Complete account recovery" in the email.
    2. A page will open in your browser with the person's details. Click Complete Recovery.

    Once you've completed recovery, the person that just had their account recovered should download their new Emergency Kit and sign in to their account again.

    Our support guide includes a video if you'd like to see the process visually before trying it out.

    As for your email account, it sounds like you're already taking the steps needed to protect it! One other thing to keep in mind is that you should only sign in to your email account (and for that matter, your 1Password account) on devices that you trust.

    I hope that helped answer your questions, but we're here for you if there's anything else we can do :chuffed:

  • gadget78
    gadget78
    Community Member
    edited July 2020

    just as a clarification, and maybe this needs to be a warning if true??
    if the account that needs to be recovered, has their email password
    (and maybe their 2FA for their email, so not possible to remember!) stored on 1pass,
    and ONLY stored in 1pass..
    would that mean, as they are not able to log into their email account, they are not going to be able recovering their account ??

  • @gadget78: If someone is unable to sign-in to their email account then recovery won't work for them. Without access to your email account then we can't check that it's actually you that wants to recover your account. Recovery is definitely a useful tool, and it's allowed me to gain access to my items again in the past. There are a few limitations to it though, so we'd always recommend storing your Emergency Kit somewhere safe too. That way you can sign in again without needing to recover your account.

  • gadget78
    gadget78
    Community Member

    indeed, does create a paradox, not able to gain access as i you need access to email info !
    dont think people realise how important email actually is ! ..
    most passwords are only as good as your email security for example ! ..

  • ag_ana
    ag_ana
    1Password Alumni

    That is true @gadget78, email security is very important, since a lot of recovery mechanisms use it to help you recover access :+1:

  • prime
    prime
    Community Member

    @ag_ana

    That is true @gadget78, email security is very important, since a lot of recovery mechanisms use it to help you recover access

    But I don't see how this is an issue, not even a family organizer can recover his own account with just an email address. This is my wife is one also. A person can hack my email, and there is still no way for them to get into my 1Password account. Am I right?

  • ag_ana
    ag_ana
    1Password Alumni

    @prime:

    In the case of 1Password, this is correct: you need both the Secret Key and the Master Password to login, which you cannot recover by yourself. But in general, for other accounts, having access to emails is a problem, because you could request password resets, and if you have access to the email, you can gain access to a lot of accounts connected to that email.

  • prime
    prime
    Community Member

    @ag_ana

    In the case of 1Password, this is correct: you need both the Secret Key and the Master Password to login, which you cannot recover by yourself. But in general, for other accounts, having access to emails is a problem, because you could request password resets, and if you have access to the email, you can gain access to a lot of accounts connected to that email.

    This what I figured about 1Password. THANKS!

  • Hey Prime,

    On behalf of Ana, you're welcome.

  • BBBB
    BBBB
    Community Member

    If a family members email account is compromised or hijacked, what options do we have for helping them recover 1Password access? It seems family organizers should be able to send recovery information to a backup email address.

  • ag_ana
    ag_ana
    1Password Alumni

    @BBBB:

    If a family members email account is compromised or hijacked, what options do we have for helping them recover 1Password access?

    They would need to restore access to their email account as soon as possible. This is not just for 1Password, but in general someone with access to your email can do a lot of damage, so it's important to get that issue resolved first.

  • BBBB
    BBBB
    Community Member

    I would like to see a recovery/authentication option that does not rely solely on a single email account. What if the email host goes out of business or is experiencing an extended DoS attack?

    Users should be able to have a backup email address for recovery.
    Option to create a one-time "recovery key" for emergency use.

  • Thanks for taking the time to share your thoughts here @BBBB. I'll pass those suggestions along to our security team for review and consideration.

    Ben

This discussion has been closed.