Feature Request: On-demand download of credentials w/auditing to reduce work when team member leaves


Hi all

This is similar to e.g. https://discussions.agilebits.com/discussion/51453/feature-request-audit-feature-to-log-access-to-passwords but proposes a potential solution.

Basic scenario:
Team member leaves, and you need to reset every credential that they have ever had access to. Anything that has been downloaded to a personal laptop or mobile device of theirs that they could decrypt with a key in their possession must be considered compromised.

Current workarounds:
As far as I understand, the only way to deal with this currently is to partition credentials into relatively fine-grained vaults and then reset all credentials in all vaults that the user has ever had access to. Making vaults finer-grained than they need to be just to cut down on credential resets when someone leaves results in harder-to-understand sets of vaults and an increased maintenance burden day-to-day.

What won't work:
I have seen auditing suggested as a way to reduce the reset-everything burden. Perhaps this would work in organisations where the hardware is tightly controlled, all access is through official clients and the user is unable to physically download or copy vault files themselves (though I think even in this scenario it's trusting the user a lot). It would not work for us, where people use their own laptops and their own mobile devices.

I have also seen suggestions that due to the official client syncing revocations, auditing on its own would be enough. There really is nothing to stop someone from copying a team vault and opening it while offline or in some other way, before or after they leave the team.

Actual Feature Proposal:

Since the only way to be sure that someone hasn't used a particular credential is to not give it to them, this proposal is simply to not sync the secret parts of an entry until the user actually needs them. When a user needs a particular password the first time, 1Password can download it, and record at the 1Password server that the user has accessed that password. This would provide enough data to form a list of passwords that need changing when the user leaves the team.

I presume that this would be a fairly large change in the way that vaults are synced, so I'm not really expecting this any time soon. Without something equivalent it's difficult to see the team-member-leaves scenario getting much simpler then the current state od reset-the-world though.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • Hey @tomdgr

    Your feature proposal would indeed be a way that to ensure that the list of passwords that has been accessed by an individual is known. As you mentioned, this would be a significant change from how things are currently working. The passwords for a given item would have to be encrypted and stored separately from the rest of the item data (title, username, URL etc.). Most of the item data could be available locally so you see what Logins were available and whether you had a Login for a particular site. When the Login itself is meant to be filled then the encrypted password could be requested and logged as accessed.

    This would require that the customer be online and connected to 1Password for Teams, at least for passwords which have not previously been accessed. Which brings up another potential opportunity.

    As the above solution largely requires you to be connected to 1Password for Teams what if there were vaults which were only allowed to be accessed from the web app? These vaults would not be synced to the clients and be available online only. If the vault were accessed online only then we could reliably identify and track items which have had their passwords accessed. This, combined with appropriate partitioning of the vaults could be an answer as you could limit the most important, shared vaults to online only. This is a closer model to what we have today and could be provided more easily.


  • elyscape
    Community Member

    I think that's an interesting idea. It would be useful for organizations that need to be able to track this sort of thing.

  • AGAlumB
    1Password Alumni

    Thanks for the feedback! Perhaps this is something we can do in the future. :)

This discussion has been closed.