Feature Request: Option to create separate (free) admin only accounts

YellowVista
Community Member
edited March 2023 in Business and Teams

I would like the option to create accounts within a 1Password subscription that are admin-only accounts and which do not require a paid license and which do not have the ability to perform most of regular 1Password functions (e.g., an account that can manage the subscription, manage security, manage people, and manage vaults, but not view vaults).

That would be similar to how some other business solutions work. For example, for our Microsoft/Office 365 subscription, we have separate admin and user accounts, but we only have to pay Microsoft for licenses for the user accounts. My regular user account that I use most of the time does not have any access to admin functions--which obviously increases security because someone who gained access to one of my devices or successfully phished me would not get access to an admin account. My admin account, which I only log into temporarily when I need to perform admin functions, does not have a Microsoft/Office 365 e-mail account or access to any of the Microsoft/Office 365 services or apps, but that account can manage all of those services.

Obviously, people could create separate admin/family organizer accounts and user accounts now, but that would require paying 1Password for two user licenses. So the request is to be able to designate particular family/team member accounts as "admin only" and, when doing so, that account would (1) not have view vault permissions, and (2) would not require a paid license.



Comments

  • NTOrMsma
    Community Member

    This request is also something I am looking for. Because the Family admin can add / delete all Family accounts, this is a security risk if one of the admin account devices gets compromised. Imagine being compromised as a Family admin, and then finding out that all Family accounts are deleted or shared with a third party. That is just not secure by design.

    For extra security the use of an admin account should be clearly advised by 1Password in my opinion. Paying 1 dollar more per month does not concern me as much, but I think the added security is well worth it.

  • Hello there @YellowVista and @NTOrMsma,

    Thanks for sharing your request to have separate and free 1Password administrative accounts. While I appreciate the value in having distinct accounts for this, I'd like to better understand your use cases for how these admin users will be used.

    Before I continue, I did want to mention that if you'd prefer to move this discussion to email, please send a message to [email protected] and include a link to this community discussion. Everything you share here on the community site is public and can be seen by anyone who visits, so it's best to not share any secret or confidential information. If you do prefer to work with me over email, reply here and let me know when you've sent the message.

    Currently, every 1Password account needs its sign-in address, email address, Secret Key, and account password to sign in. Two-factor authentication can also be set up using an authenticator app or a security key. Given all of the security already protecting a 1Password account, how would you save the credentials needed to sign in as the admin user? Do you anticipate keeping this information in 1Password, or is there somewhere else that you can share? @NTOrMsma, you mentioned the risk of a family organizer's device being compromised. How would you protect the admin account or credentials to ensure that such a compromise doesn't also impact the admin user?

    Additionally, would you prefer to share a single admin user with multiple people (this could create problems for auditing who took what action), or would you want each owner/admin/family organizer to have their own admin account?

    Is there anything else you'd like to add? Once I hear back from you both, I'll share your request with our product team for their consideration.

    Thank you,

  • YellowVista
    Community Member

    @ScottS1P Thanks for the offer to move the conversation to e-mail. I'm fine with keeping the conversation here for now, but if there is something confidential that I feel would be helpful to share, we can move it to e-mail.

    Given all of the security already protecting a 1Password account, how would you save the credentials needed to sign in as the admin user? Do you anticipate keeping this information in 1Password, or is there somewhere else that you can share? ... How would you protect the admin account or credentials to ensure that such a compromise doesn't also impact the admin user?

    That's a great question. I would probably:
    1. Create a 1Password Admin login item in my primary/regular 1Password account.
    2. Use an alternate e-mail address for the 1Password admin account (which could be something like setting up an e-mail alias in our e-mail system or using plus addressing with my regular e-mail address--such as, [email protected]). I would save that e-mail address as part of the 1Password Admin login item in my regular 1Password account.
    3. For the 1Password admin account, use a variation of my regular 1Password account password (which is a long, randomly generated password I have memorized through typing it multiple times a day)--such as a simple pepper scheme--and then save that pepper value in the 1Password Admin login item in my regular 1Password account (just in case I forgot it since I wouldn't be using it on a daily basis). That said, I think it would also be a perfectly reasonable security decision to use the same account password for both the regular 1Password account and the admin 1Password account--as long as that account password is not stored in the regular 1Password account vault (which I don't do).
    4. Save the Secret Key for the 1Password admin account in my regular 1Password account so I could easily enter it when logging in to the admin account. (I would, of course, still maintain a secure offline recovery key for the admin account.)
    5. Set up my admin 1Password account to use hardware security keys for two-factor authentication.

    Doing it that way, whenever I needed to log in to 1Password to perform admin functions, I would:
    1. Open a new incognito/private browser window.
    2. Navigate to the 1Password login page (using a bookmark or using the 1Password browser extension).
    3. Using the 1Password Admin account login item saved in my regular 1Password account, I would fill in the e-mail address and Secret Key, and I would manually type the account password.
    4. Use my hardware security key to authenticate through the two-factor authentication.

    That approach would be very convenient, because it would basically be as easy as logging in to any other website I had saved in my primary 1Password account, except I would manually type the account password (just like I do whenever I unlock my regular 1Password account). It would also be secure, because even if someone gained access to my regular 1Password account in an unlocked state (e.g., a co-worker gaining access when I stepped away from my desk for a few minutes), that person would not have either the account password or the hardware security key (because my hardware security key is on my keyring in my pocket, not plugged into my PC).

    As the family organizer for my family's 1Password Family subscription, I would also do the same thing for that subscription too.

    The above approach is basically what I do for all of the other systems I manage for my employer, for other organizations, and for myself and my family, and it works really well. For example, I have separate Google Workspace user and admin accounts, separate Microsoft 365 user and admin accounts, etc. Since I only log in to the admin accounts as needed to perform specific, discrete tasks, and then log out when completed, it greatly reduces the chances of getting phished, and it also makes it much less likely that the admin account could otherwise be compromised and used to do mischief.

    Additionally, would you prefer to share a single admin user with multiple people (this could create problems for auditing who took what action), or would you want each owner/admin/family organizer to have their own admin account?

    For our 1Password Business subscription, I would definitely want to have separate admin accounts for each person serving in that capacity. That's a policy/requirement we follow for all of our systems, both so that we can audit who performs what actions and so that we can easily shut down a particular admin account when that person leaves or if that person's admin account was compromised somehow (e.g., [email protected] for admin, [email protected] for regular user, [email protected] for admin, [email protected] for regular user, etc.).

    For my family 1Password subscription, we'd probably just have one family organizer/admin account, which I could share with other family members if needed/desired. (At least in my family, I'm not concerned about needing to audit who performed admin actions or being able to remove an admin account assigned to a particular person. If an admin function was performed, I would know it was either me or my wife, and I can't think of a situation in which it would be important to document which of us did it.)

    I'd like to better understand your use cases for how these admin users will be used.

    Basically, I would not log in to 1Password desktop, mobile, or browser apps/extensions using the 1Password admin account (because that account would not be able to view any vaults). I would only log in via 1Password.com using a separate incognito/private browser window, and I would only log in when I needed to perform a specific task (e.g., approve a new team member to join the 1Password Business subscription, manage groups, help someone with account recovery, make changes to our subscription security settings, view company wide reports, etc.). I would then log out of 1Password and close the incognito/browser window. (This is how I handle performing admin functions for the other admin systems I manage, like Microsoft 365, Google Workspace, etc.)

    Is there anything else you'd like to add? Once I hear back from you both, I'll share your request with our product team for their consideration.

    In short, I think this is a pretty standard, basic feature of online systems/solutions, and I'd really like to see it as an option for 1Password too. But just as we don't have to pay Microsoft for licenses for everyone on the admin team to have admin-only Microsoft 365 accounts, I'd prefer not to have to pay for everyone on the admin team to have both admin 1Password accounts and regular 1Password accounts. I realize it would require creating a new account type that can only manage vaults and can't view/edit items inside of vaults, but hopefully that wouldn't be too challenging from an engineering standpoint.

    Thanks for passing this along to the product team! :-)

  • Hello @YellowVista,

    Thanks for sharing all of this with me. I've relayed your request to our product team for their consideration. We appreciate your contribution to 1Password's evolution.

    Have a great weekend,

    ref: pb-31239776

  • ScottS1P
    edited February 2023

    Hello @NTOrMsma,

    If you'd like to have separate admin users within a 1Password families subscription, this may already be possible, with or without an added cost. Family subscriptions include a set number of seats for a fixed rate, so you may be able to "invite" another email address to serve as an admin. If your family has already used all of the included seats, it is possible to grow beyond the five family member limit by paying an additional fee for extra family members. If you have any questions about this, send an email to [email protected] and we'd be glad to discuss the options available to you and provide next steps for you to get started. Please include a link to this community thread and mention your username so we can continue where we left off.

    Thank you,

  • YellowVista
    Community Member

    Thanks @ScottS1P. I hope you have a great weekend too!

  • On behalf of Scott, you're most welcome. Let our team know if we can be of any help in the future. 👋

This discussion has been closed.