1PW and Succession Planning, etc.

edited March 24 in Business and Teams

We actively use 1PW in our business, and are going through a bunch of "what if?" scenarios and succession planning. One of the key things here is "what happens if some key person gets hit by a bus?" and one of the things we are focusing on is the ability to recover access credentials to critical systems. I want to make sure we are going about this correctly.

What I've done is I have added three trusted individuals to the "Owners" group in 1PW. My understanding is that, with these permissions, they should be able to retrieve pretty much anyone's 1PW account in the case of sudden illness or death. Is this correct, or is there some other method(s) we should use here to invoke this sort of thing?

Sorry for the morbid, if important, post.


1Password Version: 7
Extension Version: 1.23.1
OS Version: 11.2.2
Sync Type: Not Provided

Comments

  • ag_maxag_max

    Team Member

    Hi @sidneyvanness,

    You're bringing up a very important topic for discussion regarding 1Password accounts, and I'll be happy to assist.

    To start, adding multiple people to the default Owners group in your account in a team or business account is the number one action that will ensure your account continues to operate in the case of an emergency. Account owners can manage the billing, add and remove users, and access all account-level settings. Should one owner lose access to their account sign-in details, take a vacation, or get involved in something worse, the other owners will be able to keep the entire ship afloat.

    My understanding is that, with these permissions, they should be able to retrieve pretty much anyone's 1PW account in the case of sudden illness or death. Is this correct, or is there some other method(s) we should use here to invoke this sort of thing?

    In 1Password Teams and Business, every fully team member will have their very own Private vault, which only they can view and access. While other members of the Owners group will not be able to access those secure contents, they will be able to access the contents of any user-created vault in the account.

    I would highly recommend implementing the steps for creating a recovery plan for your account. The great thing is it sounds like you've already taken action to appoint multiple members to the Owners group, which is the main suggestion. The other points in the article may also help, which you can read about below:

    Implement a recovery plan for your team

    If you have any questions specific to your organization, I would highly encourage you to reach out to our Go To Market team; you can reach them via this email address: [email protected]

    They may have some additional best practices to share in this area. And if there is anything else that I can help you with, please let me know.

  • So basically, even if we have multiple owners, if critical things are in the Private vault, they're basically in jail. Question: is there a mechanism by which to prevent use of the Private vault in Teams and Business accounts? I suspect this is very widely used, even for critical things that have absolutely nothing to do with personal matters--it's just the default vault for many people.

  • ag_maxag_max

    Team Member

    There isn't currently a way to disable Private vaults completely within a team or business account. That said, this particular feature has been requested before and I'll be happy to update the appropriate entry in our internal database with your feedback.

    The Private vault is primarily intended to store individual work-related items and credentials that only that team member needs to access. If there is ever a situation where you need to review the contents of a Private vault while the user is still part of the team, we recommend an administrator directly reach out to the team member and work together. It's best when account owners and administrators clearly define the purpose of Private vaults internally within your team to ensure they're aware of how they should be used.

    ref: internal/business-roadmap#75

  • edited March 24

    There really should not be the concept of “impossible to recover” in a business setting, which this product decision effectively creates. For personal accounts, sure. But business? Hard no on that. Has to be recoverable, all of it, and through a simple procedure. I’m never going to care about an employee's Zappos login, but if they’re storing some sort of SSH key in a personal vault that can’t be recovered....possibly a big problem. I suspect there would be, at minimum, a significant percentage of businesses that would at least want to control if this should be enabled in an account for which they are paying.

  • ag_maxag_max

    Team Member
    edited March 24

    Our development team is always looking at implementing new features to improve 1Password, so I appreciate you taking the time to share your helpful feedback in this particular area.

    Going forward, I would highly encourage you to reach out to our team via email to discuss the idea of recovering data within other team members' Private vaults more in-depth. That way you will be able to share more information about your organization’s unique use case and requirements and discuss what you'd like in a potential feature. [email protected]

  • I just want to note that one can change the default vault to store data.
    This is very likely something you want to configure each person in your business to not point to their personal vaults by default, but instead use a commonly shared vault.

    As an example, in the 1Password X Chrome extension, you can open the Options dialog and in section General you should change Save new items to [VAULT].

    This will not prevent them to store something in their personal vault, but at least they don't do this accidentally anymore.
    Note, you need to update this on every installation: Chrome extension, Mac App, Windows App, ...

  • ag_maxag_max

    Team Member

    @lszrh,

    Appreciate you sharing that helpful tip. Indeed, setting the default vault for saving to something other than the Private vault can also help prevent unwanted saving there. :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file