To protect your privacy: email us with billing or account questions instead of posting here.

Feature Request: Emergency access for estate planning

NicholasA
NicholasA
Community Member
edited December 2023 in Memberships

I suspect that I am not alone in having recently migrated from LastPass to 1Password - and on the whole it has been a positive experience. But one feature of LastPass that I miss is the possibility of designating someone (or some people) as successors in the event of my death/incapacity. The LastPass feature allows the nominated successor to trigger access to my (former account) - but there is notification to me - and then a waiting period before access to my account is unlocked (and some more notifications). It is something I do worry about, as I have the keys to the universe for various family accounts, and there needs to be a way for my attorneys or executors to access these in the event of incapacity or death.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

«134

Comments

  • Tertius3
    Tertius3
    Community Member

    Currently, there is no digital legacy feature. You can print your emergency kit, add master password and mfa QR code, and give this to your attorneys and executors, so they can hand it over to whoever is designated in your will in case of death.

  • Dave_1P
    edited January 2023

    Hello @NicholasA! 👋

    @Tertius3 is correct (thank you for responding!) that the best option at the moment is to download and print your Emergency Kit, write your account password on the Emergency Kit, and then store it somewhere secure where your family members or executors will be able to access it in case of an emergency.

    That being said, our product team is looking into estate planning for 1Password and I've forwarded your feedback to them so that they're aware of how important a feature you would find this.

    Let me know if you have any questions. 🙂

    -Dave

    ref: PB-30552092

  • dkuldell
    dkuldell
    Community Member
    edited December 2023

    I like many others am in the process of ditching LastPass due to their recent security breach(es), and am currently evaluating password managers. I see there has been a lot of discussion in this forum over the last few years about a lastpass-like emergency access feature, yet still there does not appear to be a feature like this available in the software. Many of your competitors have this feature and there is clearly strong demand from 1Password users. I view this as a critical feature. What is the hold-up?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Browser:_ Not Provided
    Referrer: forum-search:emergency

  • Hey there @dkuldell

    The important balance in designing any new account feature is between security and convenience. Wherever there's uncertainty about this, we'll lean towards security every time. As an example, the Secret Key is an extra thing customers need to learn about and use, but the security benefits outweigh any inconvenience.

    Emergency access (also called digital estate planning, inactive account management, and so on) is a difficult problem to solve, to say the least. In particular, how could 1Password ever give a nominated person a "spare key" to your account if we don't have the keys in the first place?

    To help understand this problem, it's important to distinguish between authentication and encryption.

    Authentication proves that you are who you say you are and nothing more. This is what happens when you sign in to most websites: your combination of username and password proves to the website that you're a user in their directory and you're granted access, but it doesn't decrypt anything – all of the stuff being kept on that website in your name is almost certainly in plaintext. For example, some nefarious and determined employee at an online retailer could view your purchase history and shopping cart, and so on, since that won't be encrypted with keys that only you have.

    Encryption means that access is enforced by mathematics, not just you being "on the list", and this is how 1Password works. When you provide your account details (your email address, Secret Key, and account password), you aren't proving that you are who you say you are – you're actually decrypting the data into something meaningful.

    We (much) prefer to control access to things with encryption, rather than authentication.

    1Password never has any of the keys to decrypt your 1Password data. As such, it would take a significant re-engineering effort, and a radical rewrite of the security model, to offer any sort of digital legacy options for 1Password accounts. Plus, we want to make sure we do it in a way that is thoughtful and easy to use for those who set it up for themselves, or who might need to call on it one day, without it being something that could be abused to break into someone's account.

    As an example, even when we look at Apple, who do offer a digital legacy option, there's a similar limitation – the inheritor can only access information that isn't end-to-end encrypted. That means that passwords, credit cards, and other information stored in iCloud Keychain would still be inaccessible because Apple don't hold keys for that data, in much the same way as we don't for your 1Password data.

    This is one reason we encourage all customers to keep a copy of their Emergency Kit somewhere safe, with their account password written on it, so that it can be used by a trusted person if and when necessary. For most customers, storing it at home in a safe place is enough – with your passport, financial documents, etc. Taking that a step further, your Emergency Kit could be stored in an access-controlled place, such as a family safe, a safe-deposit box, or lodged with a legal professional, instructed only to release it upon presentation of a death certificate, or if a specified number of that person's nominated contacts come forward to request it (in the event that the person is incapacitated but hasn't passed away).

    To be clear, we're not saying "no" to the idea. There is work going on to see how this might be achieved in a secure way. 1Password is built differently to other password managers, and neither we, nor our customers, want to introduce a weak point in our security model. As we've seen recently, a breach of a password manager (even it had only been one affected user) is disastrous. Our customers trust us with their data, and we earn and keep that trust by hardening our security model against attacks. Although it's unlikely that a digital legacy option would ever be used maliciously, it's not impossible, so we have to plan for the worst case scenario.

    Hope that outlines where we're up to with that feature for the time being. As I say, it is being discussed and worked on, but we don't have anything to announce about it just yet. I'll be happy to answer any questions you might have. :)

    — Grey

  • dkuldell
    dkuldell
    Community Member

    Thanks for the detailed explanation of the intricacies of authentication and encryption. I get it, it's hard and complicated. Many folks emergency contacts (often family) live nowhere near each other. Thus making it infeasible...or at least extremely difficult...to get access to the secure physical storage for my secret key/password. Also there is the danger that the secure/physical storage could be destroyed by fire or be otherwise inaccessible. Putting they secret key/password in a safe deposit box just exacerbates the problem. And heaven forbid we forget to store an updated copy of the secret key if/when we change the master password. Emergency access that **solely ** relies on access to a physical copy of the secret key/password just does not work for me...and I suspect many of your customers would agree. There has to be another way. I guess the frustration is that you say "it is being discussed and worked on", and this has been the answer for **years ** now...yet nothing has come of it. Very frustrating. I would rather you just say "not happening" or give a target timeframe for releasing this competitive feature.

  • benlye
    benlye
    Community Member

    I'm in the process of coming over from LastPass and have the exact same question/concern. I'm disappointed that this feature isn't available, yet has been talked about for several years.

    I get that we can have multiple family organizers, and they can recover accounts, but there is a fundamental problem with the workflow as described - the recovery process sends an email to the person whose account is being recovered. What if they can't sign into their email because their email password is stored in 1Password? Is there any other way to get the recovery link?

  • shhh
    shhh
    Community Member
    edited February 2023

    Regarding the emergency dead man's switch access feature LastPass provides, I have seen several discussions on this community forum requesting this feature.

    I also came across this thread which confirms that LastPass has implemented a secure, zero-knowledge model to implement this feature without knowledge of customer data, similar to the 1Password sharing model. LastPass has certainly been discredited over the past 3 months, rightly so, due to the security breach and their poor communication around it but frankly this emergency access feature is very nicely implemented. I am disappointed that 1Password has not yet added this feature after several years of customers' asking for it.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Browser:_ Not Provided

  • Hello @shhh! 👋

    This has been on my mind as well as I get older and start to consider how to guarantee that my loved ones have access to important information in case of emergency.

    Estate planning is mentioned as something that the team is looking into on our futures page: A vision of the future with 1Password

    For the moment, the best option is to download and save your Emergency Kit. You can print out the Emergency Kit and write down your account password. Then you can store the Emergency Kit in a personal safe or safe deposit box. Using the Emergency Kit your family or lawyer will be able to access your 1Password account.

    Alternatively, if you're using 1Password Families, you can create a separate family member or guest account and only share the items that you'd like your attorney or loved ones to have access to in case of emergency.

    All that being said, I've passed along your request for a secure, zero-knowledge, emergency access feature to our product team. Thank you for the feedback! 🙂

    -Dave

    ref: PB-31016690

  • shhh
    shhh
    Community Member

    For the moment, the best option is to download and save your Emergency Kit. You can print out the Emergency Kit and write down your account password.

    @Dave_1P my account uses 2FA. How would I share this with my family or lawyer?

  • @shhh

    You can print out the the QR code that contains your 2FA TOTP secret and store that along with your Emergency Kit. Using that QR code your family or lawyer would be able to generate the one-time password for your account.

    Another option would be to add something like a YubiKey security key as an additional factor to your 1Password account and keep that with the Emergency Kit. 🙂

    -Dave

  • tkardos
    tkardos
    Community Member

    Hi @Dave_1P , I read my QR code from the Emergency Kit, but it didn't contain 2FA TOTP secret. Can you please advise what did I miss? Thanks.

  • @tkardos

    Your Emergency Kit includes the following information:

    • Your Secret Key
    • Your sign-in address
    • Your email address
    • Your account password (if you choose to write it down on the Emergency Kit)

    If you enable two-factor authentication for your 1Password account then the TOTP secret is stored in your authenticator app (the app that generates your one-time password). If you'd like to make a backup copy of the TOTP secret then you'll need to take a screenshot of the QR code that you see when first enabling two-factor authentication and save that separately from the Emergency Kit. If you've already enabled two-factor authentication and you didn't save the QR code representing the TOTP secret then you can disable two-factor authentication for your 1Password account, remove the one-time password from your authenticator app, and then setup two-factor authentication again so that you have a chance to screenshot and save the QR code: Turn on two-factor authentication for your 1Password account

    I hope that helps! 🙂

    -Dave

  • arip
    arip
    Community Member

    If you lose access to 2FA entirely, is Support able to reset it? I'm wondering if the TOTP secret printout is necessary or if it can be reset given enough proof of identity/attorney.

  • @arip

    In some cases, our security team can put someone through a series of verification questions in order to temporarily disable two-factor authentication. However, passing our security team's requirements would require:

    • That someone be able to answer an exact number of the verification questions correctly.
    • That the same person has access to the email address associated with the 1Password account in question.

    If you've enabled two-factor authentication for your 1Password account, and if your goal is to give your loved ones or your attorney access to your account in an emergency, then you should save a copy of the 2FA TOTP secret with your Emergency Kit.

    -Dave

  • crua9
    crua9
    Community Member

    @Dave_1P

    I think one of the things that could be overlooked by pushing people to use lawyers is not everyone can afford one or have access to them. Plus things can happen.

    It might sound odd, but what if war breaks out and your lawyer and their office gets wiped out. Same with a major storm or many other events to include fire.

    My point is, having options isn't a bad thing.

    How I think it could work is the normal, user select how long the dead man switch should last. An authorized user (like a family member in the group) triggers it. You get a notification and if you don't stop it within a given time you set. Then it will give them access which you can still revoke later if you want.

    The backend maybe could use hidden vaults users can't see or interact with. Basically, this hidden thing lets the user get access to your account if the dead man's switch goes through the entire process. If the UI is developed right, then a user shouldn't have to logout to get to your account. It might be smart to allow users to merge your passwords to their vault.

    I don't know what the code is like on the backend, but I highly recommend looking into smart contracts in the blockchain/crypto world. The idea of smart contracts is to have a trustless system (where you don't need to trust me and I don't need to trust you for the system to work. It's impossible to break the contract for the most part.). Like a smart contract in the blockchain world, something in the hidden vault could act the same.

  • ag_tommy
    edited March 2023

    Thanks @crua9

    I've shared your thoughts with the team.

    ref: PB-31420704

  • VT1P
    VT1P
    Community Member

    My problem with the Emergency Kit is that we don't want our adult children to know the details of our finances unless we die or get severely injured, or we get older and need our children's help to manage our finances.

    If we tell them our Emergency Kit is stored in our safe, and also tell them where the key is hidden so they can come to our house and get the Kit if needed, they will also be able to access the Kit if we let them stay in our house while we are away. We trust them, but easy access can be a temptation. I have a separate Bitwarden account just so I can use Bitwarden's zero knowledge Emergency Access feature. I wish 1P.com would offer one too, so I could stop relying on my Bitwarden account.

  • Tertius3
    Tertius3
    Community Member
    edited March 2023

    @VT1P I'm not sure how good the trust between you and your children is, but I can tell something from the children's point of view. My parents are in the process of getting old (82+85). My father got me equal access to all of their money accounts (bank and stocks) a few years ago on his own initiative (I was surprised). We are trusting each other fully. He said "just in case, nobody knows what will happen in the future", however I never even looked into them, because they are not my own.

    I saved all the credentials I got from the bank, including the authenticator, in a safe place, but my plan on an emergency is to pay anything needed for my parents out of my own purse, because this is available immediately, and later if things have settled to either ask them to pay me back or if they should pass away in the meantime, I get it back with the heritage. The situation is somewhat easy, because I am the only child, so whatever happens and whatever they wrote in their will, I will get at least a default share by law that will probably cover any expenses.

    Even with this, it's not clear if my money is enough for everything. And there are also stocks included in their accounts. If it the market demands, I would be in a position to sell things to avoid losses. Having no access would take away any possibility to act on behalf on my parents if they are not able to act, especially at the most crucial time: when the thing happens. Later, things can be arranged in due time, but when the thing happens, I would be limited.

    Now comes the trust part: if you trust your child to act benevolently and with good results on your behalf, give them access. If you don't trust them enough, or if you fear they will do the wrong thing (by accident or because they usually do things not the way you do), don't give them immediate access.

    There are also many small details, often overlooked. It may be necessary to cancel or change subscriptions on behalf of my parents, if they cannot use them any more or cannot change them of their own any more. In this case, access to their online accounts is important and allows immediate action. Without this, a child can only indirectly try to change their parent's subscriptions, which can be very tedious, lengthy, and might involve presenting death certificates or whatever medical certificates.

  • VT1P
    VT1P
    Community Member
    edited March 2023

    Tertius3,

    Thank you, I do appreciate your comment. We trust our adult children, but we prefer not to tell them the details of our finances at this time. We have named one of our children as our POA and our executor. We plan to share all of our financial details with that child if we need assistance with our finances when we get older. As I noted, we think telling our how children how they can easily access our Emergency Kit, if they are in our house while we are away, would be a temptation to "just take a peek".

  • Tertius3
    Tertius3
    Community Member

    @VT1P You can tell them: "Please don't look at this now. It's for later.", however it is still of course a matter of trust.

    As far as I remember, "trust" is what prevents 1Password offering a legacy feature so far. They want a technical solution that isn't dependent on trust.

    Currently, it's required to trust Bitwarden to release emergency access only after the timeout. Nobody can prevent a malevolent Bitwarden employee or some software bug to release it immediately.
    And you have to give Bitwarden the cryptographic key to decrypt your vault, so it can be decrypted by the grantee. This key will be encrypted, otherwise it would violate the "zero knowledge" paradigm, however it needs to be encrypted by some public key of the grantee so he is able to decrypt it when he is finally granted access. But again trust is required: you have to trust Bitwarden to keep this encrypted key safe and not release it to the grantee on its own. That's a possible security leak: one can hack Bitwarden, steal these encrypted legacy keys and make them public. They will be of no use to anyone except all the grantees, because they will (must) be able to decrypt them.

  • shhh
    shhh
    Community Member

    @Tertius3 the possibility of disgruntled employees and software defects don't imply that you need to trust some software. Independent software security audits can verify that the legacy access feature functions as advertised and disclose the keys to the right audience at the right time.

  • Tertius3
    Tertius3
    Community Member
    edited March 2023

    I guess 1Password doesn't want to take the responsibility and the requirement you trust in them. I'm a technical person and understand much of technical constraints around end-to-end encryption within a group of people, and as far as I see, there is no way around some kind of trust. Someone/something has to make a decision: enable legacy access or deny legacy access. In the physical world, there is some authority declaring death; a notary executing the will. Based on the death (corpse or long time vanishing) of a person. Currently, there is no equivalent to this in the digital world.

    Mega companies like Apple or Facebook struggle with this: they try to let the account of a diseased person die as well. They do not even give full access to heirs in a way a heir gets access to the physical property of a diseased. You need to sue them for access, but it's not in their established process. I guess it's because there is no automated foolproof way to actually prove someone is dead without manual processing, and they don't want to create an (expensive) department dealing with this, since without in depth (and expensive) manual processing it can be misused to cheat your way into the inheritance. The companies try to talk their way out of that by saying the data is so personal, it cannot even be given to heirs. Actually, I guess it's simply too expensive and the risk to get sued on errors is high.

    In the end, it's also about responsibility. If a legacy feature is implemented in 1Password, I would like to see a mechanism to give some instance of my choice the responsibility to decide to release emergency access. Not hardcoded 1Password, but some independent 3rd party of my choice: not my heir himself, but also not 1Password. If done right, it should also work if 1Password ceases operation just at the same time legacy access is asked and should be enabled. And this is already possible by depositing secret key+password+mfa QR code at my attorney, who is this trusted 3rd party. If I don't have such an attorney, I could deposit it in some bank deposit. If I don't have a bank deposit, this is currently not possible in a digital way.

  • shhh
    shhh
    Community Member

    All good points. But password managers are held to a higher bar than social media and communication services. Unlike those services, password managers are expected to implement legacy access in a zero knowledge fashion.

    https://support.lastpass.com/help/how-is-emergency-access-secure

    LastPass and BitWarden seem to have solved this problem using PKI so without requiring us to trust anyone. 1Password should do the same.

  • VT1P
    VT1P
    Community Member

    I am not a technical person, but if you read Bitwarden's Emergency Access details it does appear they think they are preserving zero-knowledge. Also, another benefit of their Emergency Access feature, besides not being physically accessible like the Emergency Kit if our children stay in our house while we are away, is that if they do need access because we have died or become severely injured on vacation, they can gain access through Bitwarden without traveling to our house, which is a distance from where they live.

  • Tertius3
    Tertius3
    Community Member
    edited March 2023

    Thanks for linking that Lastpass article. If you read it thoroughly, they speak of this: "LastPass stores that RSA-2048 encrypted data until it's released (after the waiting period you specify)." This release is what I was speaking of. You need to trust Lastpass to release the data in time. Not earlier, not later, and not to leak it to the public. Given all the known leaks of Lastpass in the past, there is not a reason to trust them in this part.

  • shhh
    shhh
    Community Member

    This is where the email comes into play. Before releasing the key, an negative consent email is sent to you to authorize such release. If you are dead, the email will go unanswered and the release will happen, as per your wishes. If you are alive and somehow unable to respond to the email, another email will be sent after the release and/or the data has been accessed so you know and can follow up when you return to civilization.

    In any case, even if it is released or leaked or otherwise made public, it can only be decrypted by the intended recipient with the appropriate private key. I guess we have come full circle. Zero knowledge legacy access to a designated party does require trust in the service provider bug free software and integrity from the designated party to refrain from peeking.

    The important part is to keep all parties informed. The temptation to peek will be reduced significantly if I know that an email will be sent as soon as I peek when the owner is still alive.

  • The important part is to keep all parties informed. The temptation to peek will be reduced significantly if I know that an email will be sent as soon as I peek when the owner is still alive.

    That is an existing feature. Signing in from a new device triggers an email. You can see this in action by opening your browser in incognito / private browsing mode and then sign in at https://start.1password.com/

    If someone else uses your Emergency Kit to access your account, you'll get an email about it.

    Ben

  • shhh
    shhh
    Community Member
    edited March 2023

    @Ben Good point. This brings to mind a popular feature request made on Reddit about naming trusted devices.

  • VT1P
    VT1P
    Community Member

    shhh wrote: The temptation to peek will be reduced significantly if I know that an email will be sent as soon as I peek .....

    I understand an email will be sent if our adult children "peek" using our 1Password Emergency Kit. However, they cannot peek at all when I use Bitwarden's Emergency Access feature.

    I have designated our children, and they have received emails from Bitwarden advising them they have been designated. But they cannot peek. All they can do is tell Bitwarden they would like to activate their designated access to my account. Bitwarden will then send me an email asking if I want to give them access. If do not respond with a "No" within 48 hours, Bitwarden will give them access. If I am dead, I will not respond. If I am in a hospital in Europe and I want them to be able to access my finances, I will respond with a "Yes".

  • MrC
    MrC
    Volunteer Moderator

    Not if you are in a coma in Europe.