Too much power in the hands of a family manager

Hey everyone,

I recently converted from Lastpass over here and found that the concept of the family manager is very different than in the red world. In the 1PW universe, it seems that the Family Manager is the dictator that can easily take away the digital identity, and family members, I believe, are not even aware of the amount of power that they give to the Family Manager.

I strongly believe that it should not be so easy for the Family Manager to delete Member accounts and individual Vaults (they are not property of the family manager, but the individual). Instead, they should just become independent accounts upon the removal from the family (of course with their own billing).

I say this as the Family Manager.



Comments

  • Family Manager is not a dictator, he is the product owner. He has no means to look at family members' logins, but he is responsible for managing accounts.

    Removed family accounts turning into individual accounts with their own billing is not logical because they are linked to the family manager's account. Considering all members are 'family' members, in case deletion of an account is going to happen, a family member can simply export their vault, create a new individual account and import the backup.

    Remember you are not managing a business account but a family account.

  • ag_ana

    Team Member

    Hi @mauh! Welcome to the forum!

    Thank you for the feedback!

    > Instead, they should just become independent accounts upon the removal from the family (of course with their own billing).

    This is an interesting suggestion. I am not sure how feasible this is technically, and also what it would look like from the family member's perspective (what if they don't want to subscribe?), but I can understand how the idea would be useful :+1:

  • Some critical questions:
    Does the family member know that the family manager has the power to delete your account at any time?
    Should the family member be able to delete the complete individual vault of any person at any time, which basically is the keybox to your whole digital identity? If I recall correctly there is no way for the individual to restore their data.

  • My suggestion is to give people whose account was deleted a 1-month trial and let them decide themselves/or at the very least back up their things.

  • ag_ana

    Team Member

    @mauh:

    If you have reason to believe that a family organizer might be malicious and delete your account without warning, we recommend using your own separate Individual account, so you are the only one who can manage it. The idea behind a Families account is that there should be a layer of trust among family members. I understand that might not always be the case, but if that's a risk in your case, using separate accounts is probably going to be the best choice.

  • I would agree with @mauh. Currently 1P doesn't trust the family organizer to have other users' credentials or access to their private vaults. This is how it should be, they are organizers not root level admins.
    So if individual family members' privacy is as important as 1P seems to imply via these policies, then shouldn't their private vaults' security to exist fall into the same category?

    All family members should be assured that their private vaults are theirs, with both the contents and existence secure. Domestic abuse and violence is a real thing. Don't let 1P be used as a potential tool against others.

  • Ben AWS Team

    Team Member

    @BBBB

    > Domestic abuse and violence is a real thing. Don't let 1P be used as a potential tool against others.

    This is something we're aware of and have made some recent changes with this in mind.

    > Currently 1P doesn't trust the family organizer to have other users' credentials or access to their private vaults. This is how it should be, they are organizers not root level admins.
    > So if individual family members' privacy is as important as 1P seems to imply via these policies, then shouldn't their private vaults' security to exist fall into the same category?

    I think the organizer, as the person paying for the account, ultimately needs to have the ability to stop paying for it. But perhaps in that case we could have some option where a member could take their Personal vault and spin it off into a new individual membership. Something for our product managers to think about. :+1: Thanks!

    Ben

  • Thank you for the reply and the consideration by the product team. I understand that the customer should be able to stop paying for something he doesn't want to. As Family Manager (and also 1PW Business User) I get that. I would like you guys to also consider the needs of your Users (Family Members) and not just the Customers.

    There are quite a few issues with the current situation:

    Potential for Abuse, as pointed out by a poster above.

    Potential for Accidents, as written in another thread on this forum:
    https://discussions.agilebits.com/discussion/115348/what-can-i-do-with-my-deleted-account

    Potential for Breach, imagine a third party getting access to a Family Manager account. Ouch.

    In my opinion we are just waiting for a catastrophe to happen. As always in Cybersecurity, it is not about if - it is about when and how prepared the systems are. Although the error will be ultimately human, 1PW as of now is not doing enough from their end to mitigate.

  • ag_ana

    Team Member

    Thank you for the feedback @mauh!

    > Potential for Breach, imagine a third party getting access to a Family Manager account. Ouch.

    I am curious about this though: isn't this an inherent risk for every manager account, in every service? For example, imagine that we made all the changes that you are suggesting, so that the family organizer cannot do anything anymore. Someone must be able to still delete the account or unsubscribe though, and that will certainly still be the family organizer (since they are the ones who created the account and subscribed in the first place, that permission should not be removed from them).

    So if a family organizer account gets compromised, the third party could always do damage by deleting the account altogether anyway, as an example. I would be interested to hear your thoughts on this, as to how what you are suggesting would protect against a third party accessing a family account. Did you have anything specific in mind?

  • Absolutely. The issue is that first of all, 1Password is not just any service, it is ultimately an identity provider for the internet (and beyond).

    About Trust:
    You said earlier that there should be an inherent trust in the family manager, and I get that. I am arguing that I shouldn't have to trust a family manager to that extent in the first place. Why am I able to wipe out a family member's digital identity, just because I am the one that wields the credit card?

    My suggestion is what I have said from the start, protect individuals' accounts instead of putting this responsibility with a family manager. I know that they are not your customers, just users. But anyway?

    About Consent:
    I have asked my significant other if she actually knew about the power I wield, and (unsurprisingly) she doesn’t. To make this actionable, I would propose to introduce a consent screen where a Family Member is informed about what he can and cannot do to their account. I would say that there certainly are situations, where it may be uncomfortable to give the father, husband, geeky brother (let’s be real - family managers are mostly men) this kind of power. This is easy to implement as well.

    About third party access: You're doing a great job, but I think we all know that there is no perfect system. Don’t make me an all-wielding admin. Restrict me and keep everyone safer.

    For Context: I am saying all this as a Family Manager, that also manages a Company Business account. Maybe unsurprisingly, the experiences are pretty much the same.

  • ag_ana

    Team Member

    Thank you for the additional feedback @mauh, that's very useful! I wanted to understand your thoughts on third party access more, but I think I see what you mean. Restricting the power of a family organizer would not help you in that specific case (a family admin will always be able to delete the entire account), but we can certainly look at ways to limit its power when it comes to individual user accounts within the Families if we can :+1:

  • @mauh makes some very good points, IMO.

    An account's FO should be able to effect immediate freezing of all account data but should only be allowed to initiate a REQUEST for deletion of all member data and account existence. Non-FO members would then be notified that deletion of all their private data has been requested and is pending. Should any, some, or all such members AGREE with and acknowledge the FO's deletion request, their private data would be deleted immediately as would their continued participation in the family account. Vaults shared between all or some members would require the approval of each of their members before deletion is performed, giving those members an opportunity to safeguard such data by moving it into their private vaults. Should any or some members DISAGREE with the FO's data/account deletion request, they would be given a time-limited option to open their own personal account at their own expense into which they could migrate their private data. Once the time limit expires, all vaults and data associated with the Family account would be deleted.

    This is only a general framework for protecting family members from precipitate action (intended or not) by one or more account FOs. I'm sure there are plenty of holes to be filled (and possibly some irreconcilable conflicts lurking in the details), but it's a start and is intended as food for thought.

  • Ben AWS Team

    Team Member
    edited September 14

    That's an interesting thought @willakz. I'm not in a position to make any promises about what future changes we might make within this regard, but personally I very much like the idea of giving family members the opportunity to spin their data off into their own individual membership when a Family Organizer deletes the family membership. I think there are perhaps some pitfalls when it comes to parent-child (minor) relationships... but maybe that's an implementation detail.

    Ben
