Prevent a family organizer from being able to initiate an account recovery for a family member?
Hypothetical scenario: a hacker gains access to the family organizer's 1Password account AND a family member's email. They can reset the family member's secret key and master password in order to get into their vault. Is there a way to prevent this from being possible? Using e-mail as a last line of defense isn't very encouraging. The user (me) who signed up for 1Password initially (Google Play gift card) doesn't appear to have a way to be downgraded from family organizer; they essentially have irrevocable admin privileges. Am I correct here - there's no way to disable family organizer assisted account recovery?
Separate question: If a family organizer's email account is compromised, does that pose any security risk to the 1Password account if they don't have a recovery code set up?
Comments
No, there is no way to disable the feature, well, except for leaving the family and moving your data to an individual membership outside of the family umbrella of accounts.
Even if someone gained access to the organizer's email and account, the recovery email goes to you and you must accept it to complete the process. It's not a situation where the organizer sets a new password for you. It requires both the organizer and you to participate and complete the process.
The organizer's account is protected by their account password. Admin tasks are behind their password. I recommend everyone set up a recovery code. The most common situation I see is when an organizer forgets their password, which could halt/prevent any recoveries for family members. Then, they need to move to a new account. Because billing is behind the organizer's password, you would need to move to another account eventually. You could move your data provided you had your account password.