New "Share with anyone" feature
Hello,
While I think the new sharing feature can be pretty useful, as an admin in a corporate context, I am sweating in nightmares. Your blog article says that we are in full control, but the only control we have is to look at who shared what. That's not full control.
We need to be able to control it in a way that allows us to disable that feature. If we can't prevent our employees from sharing passwords outside the company - with anyone - that's a security breach disaster waiting to happen.
How did you guys not think about this before you released this? Or am I missing something?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Hi, @cryptochrome.
We've talked about this a bit here, and we're interested in bringing additional controls to administrators beyond viewing share activity and deleting shares (you can delete a share from the Activity Log). That said, your team members can already copy and paste passwords out of 1Password into Slack, emails, and text messages, so we're aiming to give them a way to do that with a bit more security cushion (automatically expiring the link and optionally restricting the recipient list). I'd love to hear more about your case, though. Is there another aspect we haven't considered?
Note that at the vault level, you can remove the "Copy and Share Items" permission in a business account or "Export" permission in a team or family account if you want to prevent sharing items in a given vault.
0 -
Hi @rob - Just for me to understand (and sorry if I jumped to any conclusions), if I remove the "export" and/or "send items" permissions it will disable the new share feature?
The problem I have with this is not that it is more secure than pasting something into a chat. The problem is that the sheer existance of the feature can encourage people to use it. As in "oh look, there is a share feature available to me now, I guess that means I am now allowed to share the password to our firewall". I am exaggerating deliberately to make the point.
Without the feature, I can prevent people from pasting something into a chat if I disable the "view and copy passwords" permission. They can still login to sites/apps, but they can't see and copy the password.
0 -
Just for me to understand (and sorry if I jumped to any conclusions), if I remove the "export" and/or "send items" permissions it will disable the new share feature?
Yep 👍
Without the feature, I can prevent people from pasting something into a chat if I disable the "view and copy passwords" permission.
Disabling "view and copy passwords" will also disable the sharing feature. 👍
0 -
The problem is that the sheer existance of the feature can encourage people to use it.
That makes sense.
0 -
Thank you!
0 -
No problem :)
0 -
I will add that apart from being able to disable the feature for all users, we would very much welcome:
- a heads up for business users that feature is being implemented because it's a significant change for Security teams (at least a week in advance would be really appreciated)
- ability to customise sharing settings to ie. only allow up to 7 days and disable sharing with link to enforce certain best practices.
Is this something that can be considered?
0 -
it's a significant change for Security teams
I think this is where we disagree. We took great care to ensure that the feature was not enabled for anyone who could not already copy and paste passwords anywhere they wanted. For things where we do believe we're making a significant change to our security model, we would almost certainly be letting customers know ahead of time, yes.
ability to customise sharing settings
Yes, we're interested in implementing additional administrator controls.
0