Questions regarding who holds the keys in a 1Password Business, Teams or Families account

System
edited November 2023 in Business and Teams
This discussion was created from comments split from: Okta Breach.

Comments

  • Pleonasm
    Community Member

    @Dave_1P, I wonder if the above statement "All of the information stored in 1Password accounts is end-to-end encrypted, and only the person who creates an account holds the keys" (October 30, 2023) needs clarification?

    Is it not the case that accounts in a Family, Teams, or Business plan are most commonly members of a recovery group, and a recovery group member also "holds the keys" in addition to the "person who creates an account"? (Please see Figure 25 in the 1Password Security Design whitepaper.) I understand that 1Password appropriately has restrictions in place that prevent a recovery group member from accessing the contents of a member's vaults. Nonetheless, the quoted statement - and others by 1Password such as "The information you store in 1Password is encrypted, and only you hold the keys to decrypt it" (see here) - appear to be less than completely correct (with some exceptions, such as Individual accounts which are not members of a recovery group).

    I am not suggesting that 1Password is defective, nor am I trying to be pedantic. I am only suggesting that it may be beneficial for 1Password to be more precise when describing who "holds the keys," since this is a fundamental consideration in a security architecture.

    Am I mistaken?

  • Dave_1P
    edited November 2023

    @Pleonasm

    Thanks for the question. Since it's not directly related to the other thread, I've split it into a dedicated thread in our business support section. This is where my colleagues who are the most knowledgeable about how 1Password Business works tend to spend the most time.

    The purpose of 1Password's security design is to ensure that your data cannot be accessed by anyone else, including 1Password itself. Joining a 1Password Families or Business/Teams membership allows your family or team to help you recover your access if you lose it, but it doesn't give your family or team access to your items. The organization, or family organizer, helps create accounts for their individual team and family members; 1Password itself never has access to the keys.

    Starting on page 54 of our Security White Paper we go into more detail about how recovery groups work and how this process is designed to provide disaster recovery options while still keeping everyone's data safe.

    -Dave
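The point the two posts turn on (a recovery-group member can unwrap a member's vault key in order to restore access, the service itself holds no key, and something other than the key hierarchy has to stop the recovery group from reading items) can be made concrete with a small model. The Python below is an added example written for this thread, not 1Password's code or design and not a reproduction of Figure 25 of the whitepaper: the `seal`/`open_` wrapper is a hand-rolled HMAC-SHA256 keystream standing in for a real AEAD so the script runs with only the standard library, and `Server`, `create_vault`, `recover`, `key_holders` and the "policy gate" in `read_items` are invented names and choices. In this model the restriction on recovery-group members is an access-control check rather than a cryptographic one, which is exactly why "who holds the keys" and "who can read the data" are two different questions.

```python
"""Toy model of key custody in a vault with an optional recovery group.

Constructed example for illustration only. seal/open_ is an encrypt-then-MAC
construction built from HMAC-SHA256 so that this runs offline with the
standard library; it is a stand-in for a real AEAD, not a cipher to reuse.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Wrap `plaintext` under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and unwrap; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """The service side: stores only wrapped vault keys and encrypted items.

    It never receives an owner key, a recovery-group key or a vault key, so
    nothing it holds can be decrypted by the service itself."""

    def __init__(self):
        self.vaults = {}  # vault_id -> {"wrapped": {party: blob}, "items": [blob]}


def create_vault(server, vault_id, owner_key, recovery_key=None):
    """Generate a vault key and wrap it for the owner and, if the account is in
    a recovery group, for that group as well. Returns the vault key to the owner."""
    vault_key = secrets.token_bytes(32)
    wrapped = {"owner": seal(owner_key, vault_key)}
    if recovery_key is not None:
        wrapped["recovery_group"] = seal(recovery_key, vault_key)
    server.vaults[vault_id] = {"wrapped": wrapped, "items": []}
    return vault_key


def key_holders(server, vault_id):
    """Every party that can unwrap the vault key. The server is never one."""
    return sorted(server.vaults[vault_id]["wrapped"])


def add_item(server, vault_id, vault_key, plaintext):
    server.vaults[vault_id]["items"].append(seal(vault_key, plaintext))


def read_items(server, vault_id, actor, actor_key):
    """Decrypt the vault's items. Only the owner may read them; a recovery-group
    member could unwrap the same vault key, so this limit is policy, not math."""
    if actor != "owner":
        raise PermissionError("recovery group may re-key the vault but not read items")
    vault_key = open_(actor_key, server.vaults[vault_id]["wrapped"][actor])
    return [open_(vault_key, blob) for blob in server.vaults[vault_id]["items"]]


def recover(server, vault_id, recovery_key, new_owner_key):
    """Recovery flow: the group unwraps the vault key with its own key and
    re-wraps it for the owner's new key. No plaintext item is touched."""
    vault_key = open_(recovery_key, server.vaults[vault_id]["wrapped"]["recovery_group"])
    server.vaults[vault_id]["wrapped"]["owner"] = seal(new_owner_key, vault_key)


def demo():
    """Walk through a plan member (in a recovery group) and an individual account."""
    srv = Server()
    owner_key, recovery_key = secrets.token_bytes(32), secrets.token_bytes(32)
    family_vk = create_vault(srv, "family-member", owner_key, recovery_key)
    create_vault(srv, "individual", secrets.token_bytes(32))
    add_item(srv, "family-member", family_vk, b"login: example")
    # The owner forgets their key; the recovery group restores access.
    new_owner_key = secrets.token_bytes(32)
    recover(srv, "family-member", recovery_key, new_owner_key)
    return {
        "family_holders": key_holders(srv, "family-member"),
        "individual_holders": key_holders(srv, "individual"),
        "recovered_items": read_items(srv, "family-member", "owner", new_owner_key),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports two key holders for the plan member's vault and one for the individual account, which is the distinction the first post draws; it also shows that the recovery step completes without the server or the recovery group ever reading an item, which is the point the reply makes.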

This discussion has been closed.