Feature request: Legacy Vault / access upon death
It would be really cool if 1Password offered the ability to give someone access to my vault(s) upon death. There are Legacy Vault products out there, but I trust 1Password and don't want to bother with another product.
My suggestion would be a variant on the team recovery feature, whereby someone else can have a different key that unlocks the key to my vaults but with some server-side logic to restrict access. I realize that cryptographically this means giving my trusted person indirect access to my data, but I don't think my relatives will be hacking into your servers anytime soon lol. The server side logic could be, for instance, sending me an email with 48 hours to deny the request. The temporary solution would be to give someone my Emergency Kit, but that allows unfettered access to anyone who stumbles on the paper and I may not even notice, which makes me nervous. As a bonus, 1Password could facilitate documenting useful information. There are Legacy Binder templates out there with places to fill in info about financials, bills, insurances, pets etc.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
a way to do this could be: a key that gets self-activated and usable after a person does not log into his/her account after one or two months. The person in question that the key is meant for would also need to be digitally informed this could be done through email.
0 -
I had the same core idea, but different implementation possibility. For example, if threshold based cryptography would be used, you could distribute e.g. 5 different keys to 5 people. In this example, my Family would have 5 other members, all of which would store these keys in their personal vaults. My threshold would be 3. Therefore, any 3 people combined could get my master key. Hence, if I say myself and 1 other would die in a car crash, the rest of my family could combine their keys to get to e.g. access systems around my home.
0 -
This is a valid and good request that is increasingly more important. Duplicating the approach used by Google's Inactive Account Manager would make very much sense to me. No need to re-invent the wheel, as they have thought hard about
- how to determine whether your account is really inactive (time thresholds, etc)
- how to get hold of you to verify that you are not just offline for mental retreat
- restore addresses
- who to contact in case an account is found to be inactive and what those persons should get access to
For instance, in case I die, I would like my family to get access to
- all financial details
- email logins and associated 2FAs
But not access to some of my secret notes and private journal.
So determining a simple way of choosing what (not) to share is a key feature.
0 -
Hi folks:
Thanks for bringing this up. It's definitely something we're exploring. More than anything, our goal is to make it cryptographically secure for us to be happy about putting it into the world, not just protected by access controls. We do offer the ability for family organizers in a 1Password family account to recover their family members, and similarly administrators in our enterprise offerings, but both cryptographically and using access controls, the person who controls the account remains in the loop and more importantly, the 1Password server never has enough information to decrypt any data.
With all that said, it becomes significantly trickier to design a system that you don't have to trust when it comes to digital legacy. It's impossible for you to be in the loop, since you're incapacitated. What other password managers tend to offer is a key escrow solution. A key to your encrypted data is then encrypted itself. This key is encrypted using the public key half of a keypair. The person you have selected as your emergency contact has the private half of the keypair in their password manager account. When this individual requests access for digital legacy reasons, you receive notifications to stop the recovery process, and if you do not stop it in time, your encrypted data key is sent to the individual, and as they have the private key, they are able to decrypt the key, and then decrypt the password data sent by the password manager as well.
The catch with this method though is when you distill it down, in the event of you being incapacitated, your data is not protected by cryptography, your data is protected by access controls. The only thing preventing the password manager service from sending your encrypted key to the emergency contact is trust. There's no cryptographic lock preventing them from doing it, it's just a promise.
If we do implement it, we want to make sure it's done with trust in cryptography, not access controls that people expect from 1Password.
Jack
ref: IDEA-I-285
0 -
That is also a very interesting solution
0 -
As the "family organizer" for my family's account - this is an issue I struggle with frequently. It's one of those "keeps me up at night" issues when I think of my family's future.
I'm extremely tech saavy - but my family is not, and in the event of my incapaciation making sure my family can access resources is very challenging. There is a whole generation of folks who, when they pass, all of their accounts are going to go "poof" because this was both not considered previously by the user and some companies (like 1Password as of now) didnt set up well defined, intuitive workflows for this.
I like 1Password alot. I came from Lastpass, and their emergency access approach I found well implemented. 1Password has yet to execute this feature, despite forum posts since 2015 requesting it - which is very frustrating.
The "Recover accounts" feature is nice - but it's not suitable for emergency access since it requires the recover-ee to still have access to their email to execute parts of the process. If a family member needs access to my 1Password account - they certainly wouldnt have access to my email (since those creds are in 1Password) - so that's a non-starter. Recovery accounts is ineffective in situations of incapacitation.
The "Guest Access" feature is nice - but it too is lacking for true emergency / legacy access. There is no time delay or revocation period - which means should someone maliciously attempt to gain access and I am still around - I cannot block them. It's just one more additional emergency kit that is floating around in the world and increasing my attack surface.
And sharing emergency kits in a will/legal storage entity is the old-school approach - but it is unwieldly - most banks dont even offer safe deposit boxes anymore, and storing in an estate/legal zone is hard to access and setup, and relies on another potentially untrusted party. It also suffers both of the issues above - around increased attack surface area and no way to time delay or revoke.
I appreciate that there are 1Password design principles here that are making implementation of this feature complicated. I get it. You want to do it in a way that you are comfortable with. But 7+ years to implements this is not because you cant find a good technical solution - it's just not a priority it seems.
But - I can tell you that easy and secure access in the event of a tragedy should be a priority for 1Password. For me, as a user, there is no greater thing my password manager can do than treat my grieving family member / executor properly in the event that they need to gain access to my account. Treating them well is treating me well.
I understand concerns about access control vs cryptography. But our data is never fully protected purely by cryptography currently. Every user that is jerry-rigging up their own legacy format through guest-user hoops, legal entities, safety deposit boxes, etc is implementing access controls. And I can guarantee you the majority of them are probably incomplete and error prone.
By 1Password punting on this feature, they're just pushing the risk onto users. You are a password manager with family accounts. Legacy planning comes with the territory. If I wanted full blown, locked down security I would use a local only vault with a hardware token (like Keepass + and Yubikey). I'm with 1Password because it makes balancing security with ease for my family easier.
End impassioned rant :D . Please get this one done.
0 -
Excellent comment! Reminds me of Quicken not having the capability for surviving family members to perform basis step-ups on the estate assets of a decedent. The folly of youth perhaps...?
0 -
Agreed. Like I'm not trying to be a pain in the a**, but the majority of 1Password users are not with 1Password for their sound cryptographic design - but their slick, intuitive interface and excellent customer support. So ease of use and accessibility is the main client driver - I'd bet less than 1% of users read 1Password's white paper on their design.
But there will be a digital reckoning in the next 10-15 years on password management during the bereavement process. 1Password I feel has a duty to customers to address it, whereas Quicken less so.
0 -
I was just working through some legacy planning, and found this thread. 1Password REALLY needs to figure this problem out. In my case, I only want a subset of vault items to be available to a legacy contact. For example, just my finance and a dozen or two other items. All other items are personal and not relevant to the executor of my estate. I appreciate from a technical perspective this is a challenge, but as others have said, this appears to be a near zero priority for 1Password. Heck, exact URL matching which is far easier from a tech perspective is only now getting attention.
0 -
Yea I don’t get it. This industry is 1Password’s race to lose at this point - but their products recently have been lackluster and it’s making others like Apple look attractive.
Something like a “Revokable, Time Lapse Vault Share” would be plenty and have uses both in legacy planning and beyond.
Pick a vault. Designate shared access members. Members can request access, and will begin a waiting period. Owner can revoke access at any time. If timer ends, members get access to vault. Owner can store emergency kit, and anything else needed, in that vault. As far as I can see - this would be straightforward and shouldn’t compromise 1Password’s design principles. The owner holds all the keys, just access is essentially in escrow - and the request isn’t executed until a later date. 1Password just builds the workflow interface.
1 -
While seeking a LastPass replacement I came across some good advice which I copied and saved. I will be doing this.
"Writing down the master password is all but essential if there’s anything important in your password database. The lawyer who did my wills (living and dead) was adamant about that. There are fun crypto system to let you distribute bits of a password around so that it’s harder for people who have other things to think about to make it work at all. Meanwhile you’re in a coma and the bailiffs are selling your house, “comes with a ready-made family for the lucky buyer”. Write the bloody thing down, put it in a safe place. My lawyer has half the password plus a list of people who each have a copy of the other half. And they have a copy of the file from ~2 years ago, and know how to get the latest one off my website(s), and that my work has a copy of it.
"Security is always a balance, and I’ve been around long enough to have seen a few too many “Bob died so his website is gone forever”, not to mention seen families wandering lost in technology wondering whether Bob really had investments at all, or were they concealing a gambling problem (trick question, it was both: they invested in cryptocurrency). If no-one knows where you invested they can’t use your death to access those funds."
0