Recovery in case of death or incapacitation

kimo254
kimo254
Community Member

This is a topic that has been raised b4 but I would like to bring it up again. 1password provides the Emergency Kit for recovery of an account which you'll have to print and physically store somewhere or somehow find a way to pass it to someone after you pass away.
This feature makes it almost impossible for anyone else to access your account. The comparison has been made with LastPass feature that allows a family member(that you've invited as an emergency contact) to request access to your account info. They can request access and if you don't respond after sometime like 6 months, they'll receive that information.
I moved from LastPass after a series of security breaches on their platform and sometimes bad UX.
I use Google Authenticator for 2FA. This adds more complications; even if I printed the emergency kit info and someone had access to it, unless they have access to my Google account(whose passwords are inside 1password)/authenticator app, they've no way to access my info.
I've seen enough discussions and it seems this is a much desired feature.
Even if it means submitting details of family members like photos and copies of the Ids/Passport, I'm requesting that 1password tries to implement this feature and get a simpler(not easy) way for someone to access the information in case of emergency. Currently there are just too many blockers for the emergency kit to be useful. For instance, a young person who lives alone will not be very comfortable handing over the emergency kit to anyone since it puts a lot of their info at risk regardless of the relation with the person. But that young person definitely wants someone to access that info(most importantly banking information) in case they pass away.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • Zaka7
    Zaka7
    Community Member

    @kimo254 Hi there, Firstly I think comparing to anything Lastpass do is a mistake for obvious reasons. My understanding is you have to make the system inherently less secure to follow that model as there has to be something 'known' by the system itself to enable access to be passed over, Which is not what any of us want. It is something that the guys at 1PW have been trying to come up with a way to solve from what I've seen over the years but they do not want to (rightly) risk the very reason most of us signed up here.

    I don't think you'd want to be leaving access to someone you didn't trust, so your statement about the young person living on there own, surely they wouldn't want someone accessing anything who they wouldn't trust to have the emergency kit to start with?

    One popular way is to have 2 or 3 emergency kits, all part filled and in different locations, one of which could be with you so you'd know if anything underhand was happening. You could also leave a phone code so that someone could access your Authy or Google Authenticator codes. Which again with you being around you'd know immediately.

    My personal method is slightly more robust in my opinion in that I have a family account and within the family account I have a shared vault called 'recovery' this contains a notes file with instructions to use that I have set up and so only with this notes file and the information it points too, could someone recover my account in my absence.

    It's that age old debate of security and practicality. One of the main reasons I came to 1PW is how much more secure it is compared to others. I'd personally rather having the complications of not having this feature vs having it but introducing needless risk.

  • kimo254
    kimo254
    Community Member

    @Zaka7 thanks for taking time to respond.

    "Firstly I think comparing to anything Lastpass do is a mistake for obvious reasons", I wasn't comparing the credibility of the two platforms, i was just comparing features which any platform can provide in whichever form regardless of the challenges LastPass has had security wise.

    "I don't think you'd want to be leaving access to someone you didn't trust,", that is why you provide a contact that you trust. You're not giving access to just anyone.

    "One popular way is to have 2 or 3 emergency kits, all part filled and in different locations,", this sounds like one of those movie puzzles. Incase of fire or a building collapse or even if you had it on you and get robbed, the account is irrecoverable.

    I understand your points and maybe there isn't an easy way to solve this without putting some part of the system at risk. None of the proposed solutions really provide a straight forward and "simple" way to recover the info. All involve some unconventional and almost infeasible way to handle this.

    Thanks either way, I'll try to find a way of ensuring that someone can have access to this information.

  • Zaka7
    Zaka7
    Community Member

    1 I wasn’t intending to be facetious, I was just stating that just because Lastpass have a feature doesn’t mean it’s as simple as that. It’s a security trade off which most users won’t want.

    2 My point was if you trust them why not trust them with the emergency kit to start with?

    3 I agree. But it’s not as difficult as it sounds. Honestly.

    4 I don’t believe ‘currently’ there is an easy solution that wouldn’t be detrimental to security. And I know which option the majority would rather be strong. I do agree my suggestions are a bit more taxing. But I don’t agree they’re infeasible. Both methods are pretty simple to actually do to be fair. Honestly 😀

    Have a great day.

  • dballing
    dballing
    Community Member

    @Zaka7 : I think the level of trust I have for a person after I'm deceased is dramatically different than the level of trust I have for a person when I'm alive. The level of willingness to accept that a person will be rooting around in my stuff "today" is different than my willingness to accept it -- as a necessity -- after I'm gone.

    I, too, think that the "print out the emergency kit" solution is a bad one, because that gives the holder of the emergency kit immediate access, rather than access only after death. Further, if we look at how the LastPass model works (by way of feature comparison) when someone tries to evoke that power, the account holder gets an ability to get in front of it and say "No!" which isn't how the Emergency Kit works at all.

    I understand that the data-model is different and it causes challenges, but these are not insurmountable challenges. For instance, a workflow of:

    • USER1 Asks EmergencyUser to be their death contact via 1Password
    • EmergencyUser accepts
    • USER1 is told "EmergencyUser has accepted your request, please enter your password now
    • USER1's Key and Password are encrypted and saved using EmergencyUser's Key and stored where 1Password can access them but EmergencyUser cannot

    At this point, there's a copy of the data which could be decrypted by EmergencyUser if it was made available to them but not by 1Password, who lacks both pieces of the puzzle (the same as they do for any password EmergencyUser has stored in their vault).

    Now, USER1 passes away (pour one out for USER1).

    • EmergencyUser says "Hey, 1Password, USER1 is dead, I need their credentials."
    • 1Password contacts USER1 and says (similar to LassPass) "EmergencyUser has asked for your credentials, please NAK within the amount of time you set earlier to prevent this from happening."
    • N days later, USER1's 1Password credentials are added to EmergencyUser's vault (which are still only accessible by EmergencyUser). At which point, they can log in as USER1 and do whatever they need to do.

    You could even be clever about it, which is to have the 1Password app recognize those credentials for what they are and have the app present the option to print out a completely filled out Emergency Kit (containing both the Key and Password for the deceased's account).

  • Zaka7
    Zaka7
    Community Member

    @dballing Whilst I understand and accept your opinion. I think if you don't trust someone now, why on earth would you trust them to do the right thing in the event of anything happening. My personal set up means that although my trusted contacts could in theory access my account now, I'd know about it before it happened so the risk is very very low.

    The emergency kit does not give immediate access if you have 2FA / Hardware keys.

    The emergency kit isn't perfect, but I like many others would be unwilling to accept a weakened security just to over come some legacy inconveniences when there are work arounds.

    If the team at 1PW in their usual way come up with a new alternative equally secure method then by all means bravo. But implementing a method like Lastpass has for me would mean I look elsewhere.

  • dballing
    dballing
    Community Member

    Whilst I understand and accept your opinion. I think if you don't trust someone now, why on earth would you trust them to do the right thing in the event of anything happening

    "Asked and answered."

    The emergency kit isn't perfect, but I like many others would be unwilling to accept a weakened security just to over come some legacy inconveniences when there are work arounds.

    The model I described above does not require "weakened security", so that's a red herring.

  • hs1827127
    hs1827127
    Community Member

    A model where the password and key are separated into multiple emergency kits by using shamirs secret sharing built into the application would be great. You can set up an "N out of M" scheme and distribute those kits to your family members. If you can trust that N people won't conspire against you, you'll be fine. SSS is mathematically proven to be secure, so it won't impact security.
    A matching recovery option in the apps or web would make it a lot more straight forward for family members to recover this.

    All in all, it would make it easier for people to set such a thing up securely and with a known procedure. If they don't trust in people completely, they could also put some shares in bank vaults (which will usually be accessible to heirs)

    1password could still add additional measures, such that if you have 2fa enabled, they cannot access your account - only after a 2 weeks grace period while you get notified via email that somebody has tried to access your account. (Or you make it completely manual by needing to contact support and need to prove that the account owner is incapacitated or dead in order to disable 2fa)

    Btw. the solution used by LastPass is pretty secure. They encrypt your vault key to a public key where only the users being allowed to recover have the private key. Then they store the encrypted version on their servers and release it only (with a grace period and notification) in case of an emergency. So they don't have a way to recover themselves. However it rests on the security of public key encryption which could be weakened by quantum computing.

    (I don't know why the didn't use SSS with N=M=2, which should be more secure and only as susceptible to quantum computing attacks as the base symmetric key encryption algorithm (AES-256))

  • ag_josephine
    ag_josephine
    1Password Alumni

    Hi @kimo254,

    There were several great points brought up so far however, the idea of how this should work is vastly different for each person and what might work great for one person, isn't so great for the next person - the current solution that we have in place, while not everyone's optimal option, works.

    We don't have any specific features for giving access to your account if you should pass but there is something you can do if you wanted to provide access to all of your items should it occur.

    Firstly, you can create a physical copy of your Emergency Kit with all of the details required to access your account and keep this as part of your will or stored in a known safe place so it can be given to a family member.

    Another option would be if you have a Family membership, if you're the organizer you can make someone else the organizer as well who can gain access to your account if you should pass, though you'll need to also create a shared vault for just you and them with your email log in item as they would need access to your emails in order to regain access to your account. For more information on account recovery you can find it here:

    With that said, while I can't make any promises, I've filed a feature request internally to bring this to the attention of our team. They regularly review feature requests from our customers to consider what should be added or changed to future versions of 1Password. Your feedback, along with feedback from each person within this thread, helps them immensely with their planning.

    Thank you again (everyone) for your suggestion(s), we appreciate your feedback and love hearing from you - Please let me know if you ever have other ideas on how we could improve 1Password or if there is anything else I can help you out with!

This discussion has been closed.