Feature Request: Sealed Envelope entry
I'd like to suggest a new entry type, "Sealed Envelope".
If opened by anyone other than the creator (or anyone at all if need be), it triggers an alert to everyone it has been shared with (or a designated list of email addresses?). Once opened it can be used as normal but cannot be resealed, a new Sealed Envelope would need to be created instead.
Sealed Envelopes should only be ever able to be opened while online to ensure the alert gets sent properly. Probably just set them to never get downloaded to a client until after the seal is broken. Give the user a warning before breaking the seal.
This would be a possible answer to the "In the event of my death" problem.
Alternatively have shared items that are "locked" with an additional PIN or password.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @airlie! 👋
Thank you for the suggestion! I've filed a feature request with our product team on your behalf. While I can't make any promises, the team will look into the feasibility of such a feature for future versions of 1Password.
This would be a possible answer to the "In the event of my death" problem.
For the time being, for estate planning purposes, you can print out the Emergency Kit and write down your account password. Then you can store the Emergency Kit in a personal safe or safe deposit box and leave instructions for your family or estate planner. Using the Emergency Kit your family or lawyer will be able to access your 1Password account.
We also have a great blog article about the topic: Digital estate planning is about organizing your digital assets and making arrangements for what should happen after your death. Here’s how to create your own plan.
I hope that helps! 🙂
-Dave
ref: PB-37294006
0 -
Thanks @airlie!
@Dave_1P, for estate planning, something like @airlie's suggestion is critical - I'm not going to write down a physical copy of the keys to my vaults in an Emergency Kit, unless I am sure that I would at the very least be notified in the case that that kit was used (abused) before my death.
1 -
If anyone ever uses your Emergency Kit to authenticate to your 1Password account, you'll receive an email letting you know that your 1Password account had been accessed from a new device, and you'll see that new device listed on your profile (in the top right corner) when logging into and accessing 1Password on the web.
That being said, I see that my colleague has already passed along your suggestion to the team in another thread. Thank you for the the feedback! 🙂
-Dave
1 -
Thank you @Dave_1P,
I am aware of the Emergency Kit option and that was what inspired my request. My concern is with family who lives far away from me, so getting them the updated Emergency Kit is difficult. Also I seal the Emergency Kit in an envelope and let the person know I will ask for it back whenever I update it. This allows me to have some confidence that they won't open it unless necessary.I think the technical back end might look something like this:
Make a Sealed Envelop 2 parts, one part is the entry that contains the data, the second part is a unique encryption key needed to decrypt the envelope. Set it so that one of the 2 parts (lets say, the Key) NEVER leaves the cloud. Users don't have to know about the 2 parts, just that it works.Keep the Key encrypted like everything else so that 1Password can't see the contents, but when we want to break the seal, we enter our password and the Key is downloaded and decrypted triggering an alert.
1Password (the company) still has no unencrypted user data and no keys to decrypt it themselves. 1Password would know of the existence of a Sealed Envelope, but nothing about it.
It would be best if the notification is managed by the cloud, not the end user client app.
0 -
@Dave_1P - to my understanding, the Emergency Kit gives immediate access to my passwords and access could be changed within minutes. So if I'm notified, I would have to act immediately, and if I'm not able to, then I potentially could be at risk. Is my understanding correct?
I like the Sealed Envelope better than the current Emergency Kit solution, and I like a "delayed access" feature even more.
0 -
I don't know if this Sealed Envelope feature is good. It entirely relies on proper operation of the 1Password servers, which is out of my control.
And if some malicious party is able to prevent the notification reaching me, for example by manipulating my email or whatever communication media is used, or my computer is temporarily sabotaged, I would not be able to detect if some sealed envelope has been opened against the agreement.
And the ability to immediately change a compromised emergency kit is not enough to prevent seal misuse. Consider this scenario:
Malicious party is opening the sealed envelope and gains access to the emergency kit of the account owner. He immediately signs in with the contained credentials, so his client downloads and caches all data. Some minutes later, the account owner detects the sealed envelope misuse and changes the secret key and creates a new emergency kit. A common scenario, as far as I see it.But the malicious party has already the complete account data - cached by the client he signed in with, from the time just before the secret key change. He just needs to keep the client from connecting to the 1Password servers, so the client doesn't detect the secret key has been changed. The cached data becomes stale and no updates, but the existing data is available.
0 -
@Tertius3 The entirety of 1Password relies on the proper operation of the 1Password servers, so I'm not sure why this would be any different. If a malicious party has that much control over your communications methods, I don't know that there is really any hope of keeping things secure. I would think 1Password would have in-app notifications in addition to email or other methods.
They could build into the Sealed Envelope a delay, possibly customizable by the envelope's creator, so that once broken the envelope wouldn't actually open for hours or even days. That would give the envelope owner time to see and react to the breaking of the seal notifications.
Two factor is a concern. They don't appear to support backup OTP codes, but that would be an easy solution. Or, your 2nd factor credentials could be simply be placed in a Sealed Envelope. You'd share 2 Sealed Envelopes, possibly even with different people to spread risk since they would both need to co-operate. 1 envelope would have your Emergency Kit, the second your 2nd factor credentials.
I think it's important to note that Emergency / In Case of Death access is not the only use of the Sealed Envelope idea, just the most prominent one.
0 -
You want to replace mathematical provable security with complicated manual security procedures. Any such procedure is not actually secure, because it needs to be enforced by some party, and people can circumvent or ignore procedures.
The ultimate question for a password manager for a digital inheritance functionality is this:
How can the password manager know that the information owner has died so his inheritance must be released?The answer is: it cannot. Not possible. There is no reliable connection between the death of a person and some digital notification. If someone doesn't answer or react any more, it's no proof this person is really dead.
A notary or a court can establish this and certify the death of a person, but this information is still not something that can be imported into the password manager to make the password manager trust this information.
What comes nearest to that is if you give your notary the emergency kit and mention in your will to whom the notary should give it after death. But currently, there is no digital equivalent of that path.
What you want is a less bureaucratic workaround that is operating on less security. A server controlled timeout is a somewhat easy concept but less secure, because it relies on a non certified non notary 3rd party (the server), and it assumes that absence means death. A choice one can make, but it is definitely only a procedure with all its security flaws, not mathematically provable security.
0 -
I would really love this feature!
Buti I wouldn't use it for the inheritance stuff - for that the printed out version is totally fine for me.I would like to have a pre step before actually using the emergency kit. Like I can't reach my partner but it's not already like... Days ago.
So I can break the seal and login to her airline account and look up what flight she's in. Or she already created a sealed entry with all details about her travel.I know for some it doesn't make any sense to not share travel details with the partner but for us right now it would be perfect to share something that's not supposed to be opened.
So the one party feels safe and prepared for anything that could happen but the other party don't need to feel controlled or watched.Also I can imagine other scenarios where I would tell my partner "please open the seal on xy and use it to do something for me I can't do right now by myself" without having to give here the information itself. Maybe I don't even have it at that moment.
So sharing something "in the event of" and not sharing it per-se would be a great feature!
0
