Break the glass accounts
dear team,
we have passwords that should not be used ever ever (just in emergencies). a feature would be nice if someone accesss such passwords then all that have access are informed.
c
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
Hey @Christian_XYZR,
Thanks for asking about This. It's not something 1Password currently offers, but I'll share your feedback with the team for their consideration. Thank you for contributing to 1Password’s evolution.
Let me know if you have any additional information or comments regarding your use case.
ref: IDEA-I-1999
0 -
Add me as a +1 to this.
0 -
Done!
ref: IDEA-I-1999
0 -
+1 here as well
0 -
Another +1 here.
0 -
Consider it done, @ryansteele.
0 -
+1
0 -
+1
0 -
All set, @oekdbzlq82.
0 -
+1
0 -
We have the same need. We solved it by setting rules on the accounts themselves so there is an alert when used. Not simply when it's accessed in 1Password. Another thing we did was move such break fix accounts to a unique vault and set permissions so they can't be seen under normal conditions except by a few primary engineers or company leadership. We've found it's also important to educate your users about what these accounts are and why they should never use them.
0 -
+1 here too please
0 -
Hello @brandonh85, I'll add your voice to this request. Thank you.
I did want to mention two possible ways that everyone may be able to implement a "break the glass" style account with the tools 1Password currently offers.
- First, the 1Password Events Reporting API integrates with several SIEMs which can alert when specific items are viewed. This could help to implement alerts when sensitive items are accessed, without any need for a separate account to be created. To reduce false alarms, consider placing the item in a vault with limited membership, and possibly restricting which devices can that vault.
- Second, 1Password does send an email when an account logs into a new device, so consider creating an additional team member and storing data in it's private vault. Share the credentials with those who need access, and any time they sign in, an email will be sent out about their new device. Doing this would likely require that the email address be shared with multiple people, so everyone can see the email alerts.
I hope this information helps. Be sure to let me know if you have any further questions!
Thank you,
0 -
So I wrote an entire comment and then it deleted it for me. :/
Anyway here’s what I think I wrote:
Thank you for taking the time to provide a workaround. That may work in the interim.
I think what maybe easy is something like a break glass style vault, if any item in this vault is accessed, copied, pasted, changed, even a smug eye, send an email to all accounts with what happened to the email accounts associated to all accounts that have access to that vault. There maybe different ways some others need this to work due to an audit compliance, but for us, I think this is the simplest way to make it work. I also feel like this isn’t super complicated to add to the product. Just basically an audit trail that generates emails when an action takes place, simple and I think some of the functionality probably exists today to build on for this.
0 -
Thanks for the feedback, @brandonh85. The exact functionality you mentioned isn't something 1Password currently offers, but it would be possible to build that with the Events Reporting API I mentioned above. If you'd like to do that, let me know and I can connect you with our integrations specialists to answer any questions you have about the Events API.
Thank you,
0
