1Password ICE feature (In Case of Emergency) - what in case of the owner's death, incapacitation
As we are changing, and our life is becoming more and more digital, we also should pay more attention to the end of that digital life (I know, it sounds horrible, unsettling or just not nice... but so is writing a will, no?)
So I've been thinking of this for a while now, and other services are also paying more and more attention to it (Google for example is adding more features to this end).
So below is my proposed process for handling a 1Password vault/account in case of the owner's death, or long-term or permanent incapacitation.
(Disclosure: I'm using 1Password for Teams, so in my explanation I may rely on features available in that version)
Although the easy way is to trust someone with your security code and master-password, (or even a vertically cut paper version of the emergency kit like I read on the forums here) there are a number of situations where this is far from ideal.
For example :
- when you change your mind about your ICE or Trusted contact(s)
- prevent (accidental) leaking of that exact information (maybe your family is not as careful as yourself with sensitive information)
- loss of the paper (you would have to count on the fact that your trusted contacts carefully keep the paper safe somewhere)
- avoid single point of failure
- optionally : enforce "the-two-person" control mechanism (for those who have really sensitive information, or are just paranoid)
Before I start, some terms :
- OWNER = the owner of the 1Password account with his own set of creds (security code and master password)
- TRUSTED CONTACT(S) or TC or ICE contacts = the one or two trusted contacts of the OWNER
- 1P = 1Password
- ICE process = the process where the content of the vaults would be handed over to the TC
- SELECTED VAULTS = these vaults which are part of the ICE process
So I would propose the following process/features
1) Every 1Password user would be allowed to add 1 "Trusted Contact" (or 2, in case you want to offer the 2 person control mechanism)
(I'm basing this on a feature in 1P for business where you invite a "guest")
- the OWNER specifies the one or two TC with : name, mail address, phone number, ID (national ID or passport or .....)
- the OWNER specifies which SELECTED VAULTS should be shared in the event of
(I can understand, there are certain passwords which don't have to be shared, whether it is for personal reasons, to avoid embarrassment, security reasons etc....)
a. If this user is not yet a 1password customer:
- that person would be able to create their own credentials (so their personal security code and master password)
- logon to the website and install the app
- but as a non-paying customer, they would have a default vault and/or not be able to create vaults (who knows, 1P may get additional customers this way)
- this user then would be linked as TC to the OWNER (so this would be a new relationship in the 1Password ecosystem I guess)
b. If this user already has a 1Password account (in the same region! let's keep GDPR in mind....):
- that person already has their own credentials (so their personal security code and master password)
and they continue to use their 1Password as usual
(now here of course are some additional challenges: .... what if you are using the 1P for business, and your TC is using an individual account
.... this is where the experts from 1P probably can comment)
- this user then would be linked as TC to the OWNER (so this would be a new relationship in the 1Password ecosystem I guess)
c. the TC would be notified that he/she has become a TC for the OWNER, with an explanation of what it means, what to expect and instructions
2) Regular control mechanism, let's call it "keep-alive"
(I'm assuming that most people who are serious about using a password manager, use it almost daily, if not weekly)
- the OWNER will specify the trigger (XX) and delay (YY) times
- Every XX weeks, 1P would send a keep-alive request to the owner, in the most secure way (by that I mean, not just a link via mail, but maybe a button in the app, or in the OWNER's profile)
- the OWNER should press the "keep-alive button" within YY hours,
- if not pressed within YY hours, 2 more reminders with the same delay are sent
- if the owner has not pressed the button after that last time, the "ICE process" would start (see further below)
3) Triggered by the TC
- if the TC (or one of the 2 TC) has become aware of the OWNER being incapacitated or deceased
- the TC can trigger the "request to start HANDOVER"
- as a safety measure, first, 1P would send a keep-alive request to the owner, in the most secure way (by that I mean, not just a link via mail, but maybe a button in the app, or in the OWNER's profile) to make sure the OWNER is indeed incapacitated (with the same delay of YY)
- IF there is a second TC (part of the two-person-control mechanism) a similar confirmation request is sent to the second TC
- If the OWNER has NOT responded in YY hours, and (in the case of a second TC) the second TC has CONFIRMED the incapacity, the "ICE process" would start (see further below)
4) ICE process
The below is based on assumptions around : the travel feature (ability to automatically enable/disable vaults in an account) and the sharing option of a vault (in 1P for teams or Family with guest accounts)
- once all parameters combined confirm the incapacity of the OWNER, the 1P system would share the SELECTED VAULTS with the TC or both TCs
- the account of the OWNER would then be locked for further changes
And then as far as I understand the encryption of 1P
- the TC would then be allowed to create their own vault, encrypted with their own master-password,
- and copy or move the data from the shared vault to their own vault
I'm sure there are still a few caveats or gaps with the above process like,
- some commercial aspects around account levels and subscriptions for the TC's
- when to remove the owner's account permanently
- assuming the vaults are encrypted with the master password of the owner, the owner's account cannot be deleted until the TC has copied or moved the data into their own vault?
- so if the TC was a non-paying customer, they should be granted some temporary subscription, or the remaining term of the OWNER's subscription (this again would be a commercial challenge to solve for 1P)
- ....
but this was just a quick write-up (working on a flowchart for the above). The idea was to come up with a process which :
- maintains the basic policy : "do not share your master password with anyone"
- avoids accidental leaking of sensitive information
- ensure some security layers to prevent accidental sharing of vaults, and confirmation/validation
- does not rely on paper
- does not rely on having to share the master-password
So what does the community think?
(and for 1Password : as I'm a consultant .... I'm happy to consult with you on this .... professionally :-) )
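The keep-alive and TC-triggered rules from steps 2 and 3 of the post above, sketched as an added example (not part of the original post and not 1Password code). The names `IcePolicy`, `scheduled_start` and `tc_start` are hypothetical, times are in hours, and two points are assumptions: requests go out on a fixed XX-week schedule, and an OWNER press any time before the start cancels a TC request.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class IcePolicy:
    trigger_weeks: int        # XX: interval between scheduled keep-alive requests
    delay_hours: int          # YY: hours the OWNER has to answer one request
    two_person: bool = False  # a second TC must confirm a TC-triggered request
    extra_reminders: int = 2  # "2 more reminders with the same delay"

def scheduled_start(p: IcePolicy, presses: Sequence[int], horizon_h: int) -> Optional[int]:
    """Step 2: hour at which an unanswered scheduled keep-alive starts the ICE process."""
    period = p.trigger_weeks * 7 * 24
    window = p.delay_hours * (1 + p.extra_reminders)  # request plus reminders
    t = period
    while t + window <= horizon_h:
        # Only a press made in response to the open request counts.
        if not any(t <= x <= t + window for x in presses):
            return t + window
        t += period
    return None

def tc_start(p: IcePolicy, presses: Sequence[int], request_h: int,
             tc2_confirm_h: Optional[int] = None) -> Optional[int]:
    """Step 3: hour at which a TC-triggered request starts the ICE process."""
    start = request_h + p.delay_hours
    if p.two_person:
        if tc2_confirm_h is None or tc2_confirm_h < request_h:
            return None  # still waiting for the second TC
        start = max(start, tc2_confirm_h)
    # Assumption: any OWNER press before the start cancels the request.
    if any(request_h <= x <= start for x in presses):
        return None
    return start

# Constructed timeline, in hours since the policy was set up.
if __name__ == "__main__":
    solo = IcePolicy(trigger_weeks=4, delay_hours=48)
    pair = IcePolicy(trigger_weeks=4, delay_hours=48, two_person=True)
    print(scheduled_start(solo, presses=[700], horizon_h=2000))
    print(tc_start(pair, presses=[], request_h=100, tc2_confirm_h=200))
```

With a second TC, a late confirmation moves the start to the confirmation time, so the OWNER's cancel window stays open until both conditions from step 3 hold.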
Comments
-
Hi @OLCE:
Thanks for bringing this up. Digital inheritance is an interesting challenge we'd like to come up with a solution for, but right now your best bet would be to store a copy of your Emergency Kit with your account password written on it in a safe place, where you keep other end of life documents. It's important to note that 1Password has no way to decrypt your data, so it wouldn't be possible to directly share your vault with your trusted contact.
We'd like to implement it in 1Password but we want to make sure we do it right, which when it comes to something like sharing the keys to your most sensitive data in a way that is both reliable in the event of your death or incapacitation and not subject to tampering/easy to hack/phish under normal circumstances, while also not being overly complicated to use, is not as easy as it might seem.
What a colleague of mine has discussed is creating a separate executor account in his family account, and sharing specific end of life vaults with that executor account. Storing the Emergency Kit for that executor account ensures that whoever gains access to it won't have all of the items, just the ones you've explicitly chosen to share with them.
Jack
0 -
> It's important to note that 1Password has no way to decrypt your data, so it wouldn't be possible to directly share your vault with your trusted contact.
True, but based on the feature where an owner can share a vault with another member account (like in the Family, Teams or Business product) 1P also does not decrypt the data right? However, the vault(s) is(are) (pre-)shared with the member (1P account/user) nonetheless, and the member can access the data in the shared vault, correct?
So I was also assuming the TC would require a 1Password account (with their own credentials) of course.
Ok, let me clarify a bit more: "pre-shared" would mean that the owner already did the sharing, or gave the sharing permission, but the vault would not yet be visible for the TC, until the ICE process
I was using that principle as basis for my idea
0 -
Hi @OLCE:
Thanks for your additional feedback. We're continuing to investigate ways of handling this, but as I touched on previously, currently your best bet is an Emergency Kit of either your account, or an account with access to a subset of data you'd like to share in the event of your incapacitation.
Jack
0