
1Password personal (families) membership on work computer?

nettle
Community Member

I couldn't find a clear reference document for this on the 1Password website (maybe I was just looking in the wrong place), but does the license for a personal 1Password families membership allow me to use that 1Password membership on a work-provided computer (one that I use but don't own)?

If yes, does it have to be purely for use with personal credentials? (e.g. if I want to be able to access some personal stuff while at work)

And, is the situation any different if I want to use the 1Password desktop app vs 1Password in the browser?



Comments

  • @nettle

    There are many folks here in the community who use 1Password alongside their business accounts. If you're going to do something like that, I would highly recommend double checking your security settings to prevent access when away from your device. It never hurts to review those periodically anyway, especially in a shared computer environment. Some users have created a guest account and use it on the work device. They only place needed logins in the guest account vault to limit the possible exposure of personal data.

    If it's just you and you work remotely or in a more secure environment you may not need these options.

    When you have a 1Password membership, you can access your data everywhere you need it.

  • nettle
    Community Member

    Thank you very much @ag_tommy, and sorry for the delay in getting back to you. Good to know that there's no problem using my personal 1Password account on a work-provided computer.

    About the security issues, is this presumably because I'm not the only person with admin access to the work-provided computer? So the motivation behind limiting exposure with a guest vault is not just because of physical access to the machine (which I'm not too worried about) but also because I might not fully trust whoever has root access?

    Presumably I could do pretty much the same with another family member account, if I still have a "spare" seat in my family plan?

  • @nettle

    Apologies for not being clearer. I've seen some folks share their password for their 1Password account and share personal vaults with multiple employees. Basically they have a single OS user account and a single instance of 1Password. It's much more secure to compartmentalize what you share and with whom.

    Create a device login for yourself and make sure you lock your device when stepping away. If so, you'll be good to go. I prefer the full device lock myself.

    If you prefer a trimmed-down approach, create an OS login for yourself and then use a guest account.

    If you're unable to create a new OS login and must share the device with other users, you can install 1Password and make sure to lock when you step away. You might prefer to install 1Password in the browser only. That way 1Password will lock if you close the browser.

    If you're unable to create a new OS login and must share the device with other users, you can install 1Password and make sure to lock when you step away. You can use the guest account so that all of your details (personal) are not shared if you leave the device unlocked.

    All this can be further augmented by adjusting your autolock settings. Yes, you can use another family account instead of a guest account. Some folks do that too.

  • nettle
    Community Member

    Thanks again @ag_tommy, and sorry for not understanding it quicker!

    In my case, on the work computer, I have my own user account in macOS (I assume this is what you mean by an "OS login" for myself — is that also what you mean by "device login" for myself?), but as it's managed and owned by work IT another person may have admin access to the machine (even if I'm the only person normally using it).

    Under these circumstances, does this mean that you'd recommend using the guest 1Password account only?

    Or, when you wrote "Create a device login for yourself and make sure you lock your device when stepping away. If so, you'll be good to go" does that mean that as long as I'm the only person using my macOS user account I would be OK? I assume it really depends on how much I trust the work IT team, since — as they have admin access, and it's not my own machine — they could presumably do whatever they want in theory.

  • Hey Nettle

    No worries at all.

    Yep, your macOS user account. So you're likely good there, being the only user. The device would refer to the physical device and ensure you have good locking habits. Generally, this can be as simple as adjusting your autolock settings.

    🔒 How to set 1Password to lock automatically

    The scenario I presented was where you're working away and then get up to go get a coffee while at the office. If you left your device unlocked and if you left 1Password unlocked, someone could come up as you left and look at your secrets. That's why, in a shared environment (thinking close quarters), it's best to use good security practices. When you get up, you lock the device. This protects all of the data on the device as well as in 1Password. If you work remotely, you may not need as stringent locking habits, but I recommend getting into a routine and doing it everywhere. Then, it'll become second nature to always lock the device when leaving it unattended.

    I make use of Alfred for my locking needs and countless other needs. You could use macOS hot corners to activate a screensaver and have it require a password immediately. I also have this setup if I need to trigger a quick lock.

    Use hot corners on Mac - Apple Support

  • nettle
    Community Member

    Thank you again @ag_tommy. I'm the only 'regular' user of the machine, with my own macOS user account, and I'm the only person with access to it on my desk. So, I'm not worried about someone coming up to the computer and looking at my secrets if I am getting a coffee.

    However, I assume my IT department also have admin access to (remotely) manage the machine. Do you mean that in this situation I can still assume that my 1Password access is secure within my own user account? Or, in theory, could IT access it? Presumably, if they have admin/root access, in theory they could do anything? This could be an argument for limiting exposure with a guest account. As it happens, I do trust them reasonably well, but I'm trying to understand what risks may exist, even if only in theory.

  • If they have your password they could access your data. As long as you've not shared your account password with them your data will be safely secured behind your account password.

  • nettle
    Community Member

    Thanks again! That's reassuring to know. I had assumed that with root access someone could (in theory) install a keylogger or whatever on the machine. By "account password" do you mean macOS user account password, or 1Password account password? They shouldn't have either, so it should be OK anyway, but I'm just curious...

  • @nettle

    When we say "account password" we mean the password that unlocks your 1Password account. Depending on your Mac, you might not need to enter this very often because you can unlock 1Password using Touch ID or an Apple Watch (on supported models of Mac).

    You mentioned root access; on recent versions of macOS the root user has been disabled and it's no longer possible to log in as root. The root user was something of a liability, security-wise, since it could do whatever it wanted, wherever it wanted, and very rarely be told "no" by the system. Modern administration tasks can be performed from a normal admin user or remotely controlled by a profile, so there's less need for it in almost all cases.

    In short, though: if you're concerned that there's something running on your Mac that shouldn't be, don't enter your account password until that's been mitigated. Remember, however, that someone who knows your email address and account password still can't access your 1Password account from a new device because they need your Secret Key too.

    — Grey

  • nettle
    Community Member

    Thank you very much @GreyM1P! That's very helpful to know (and interesting — I didn't know that the root user is now disabled by default). Then I'll exercise caution about using my 1Password account password, but will bear in mind what you say about someone not being able to access the 1Password account from a new device without the secret key. I am also using 2FA on my 1Password account, so there's that additional layer of protection.

  • @nettle – You're welcome! We'll be here if you need anything. :)

This discussion has been closed.