Why does removing a member from family plan delete their data?

bc8465
bc8465
Community Member

Hello, I'm coming over from LastPass and considering either 1Password or Bitwarden.

I saw on the support documentation that when the Family Organizer removes a family member, they immediately lose access to their private vault and can no longer log in. I read the recommendation that one should only use a 1Password Family Plan with people you trust, but even so this seems totally unreasonable to me and is the single biggest problem I see with the 1Password Family Plan.

For Business plans, it makes perfect sense that the Business owner can remotely remove access to your vault. But in the context of a family, there is no situation where the ability to revoke a members access to their own data makes any sense (even with 100% trust amongst family members). People use password managers to store credentials to bank accounts, utilities, rent payment sites, DMV, IRS / tax payment sites, employer paystubs, school portals, etc. The consequence of losing access to data stored in a password manager is very high.

Potential bad scenarios:

  • A family organizer could delete the family account, not realizing that members are still using 1Password. (this happened and is described here on Twitter)
  • In an abusive relationship, an abuser would have control to cut off a family members access to their vault.

How I wish removing family members worked:

  • Removing a user from the Family Plan should transition that individuals account to a "Frozen" status as an individual account.
  • When an account becomes frozen the user is still able to access their own data. They have the option to add billing info and start a new subscription.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • Tertius3
    Tertius3
    Community Member
    edited January 2023

    What you said was mentioned in the forum at least 1 or two years before, and it was acknowledged by 1Password that this situation is not optimal. It was explained that it is the consequence of the family plan being in fact kind of a rebranded team plan and inherits its design without much custom redesign. And in the team plan, you don't lose trust in the administrator, since it's all within the company. It's more the other way round: you might lose trust in the user and his access to company passwords has to be revoked.

    Detaching a removed family member's account instead of deleting, then converting it into a frozen standalone account was suggested before, however until now nothing has been released in this regard.

    I guess it's not trivial to implement, since if you do this, all the encryption within the converted account vaults needs to be re-encrypted with new keys that are completely independent from the family account. Since the account password and secret key isn't known by the server, but have to be available for re-encryption, it cannot be done at the time the administrator removes the member. Instead, converting has to be done when the member logs in the next time. All this is probably very difficult to work out.

This discussion has been closed.