Multiple Teams?

This is a question to the AgileBits folks more than anything.

Is it the intention that people will sign up for multiple team accounts? For example, I use a shared team with my girlfriend which is working out great. If I also use a shared team with my colleagues at work I'm going to need a separate account. Now imagine I also did some freelancing outside of my main job which many folks I know do, I'd potentially need another team there too.

Having multiple teams and therefore multiple master passwords to remember is actually hitting 1Password with a problem that the application itself was designed to solve. If the answer to this is to store the multiple master passwords in the (non-teams) "Primary" vault of pre-teams 1Password I'm not sure that's a great solution. For me for example, there's no chance of the multinational I work at certifying 1Password for deployment on the desktop, and even less of them allowing the connectivity to iCloud or Dropbox required in order for this to not be a standalone instance due to data leakage concerns.

I know we've not announced pricing yet, but in a multiple teams scenario are we expected to subscribe (and pay) separately for each team you are a member of? Or is the subscription linked to an email address? Can email addresses be linked to a single profile (e.g. corporate and personal) to join different portions of people's lives together?

I don't have any answers to any of the above, but I know what I would like to see! I think users would want to see all their stuff under one roof, with a single master password and a single account. I'd like my account to be able to be a member of multiple teams (like people are) and thus be able to see different vaults for different purposes, but still while logged into the same account. On my desktop at work, in two different tabs I might have open my personal google calendar next to my service desk ticketing system in another tab. The browser plugin (not that I'm allowed to install them!) would need to give me access to both.

As I was just thinking about a potential solution for this it got me to wondering truly how stuff in any online vault is secured... My potential solution was to be able to enter various Account Keys within a personal profile and thus have access to various team vaults (and the admin privileges for said vaults where it is granted be included with that). It's not a simple solution but then the work worth doing never is! Anyway, to the security of the online vaults...

I've read that there are three things which secure my data in 1P4T - SSL, the Account Key and my Master Password (https://support.1password.com/teams-admin-security/). My girlfriend and I have different master passwords yet we can access the same shared vault. It would appear then that the encryption must be based exclusively on the account key, is that correct? Presumably this is how a recovery admin can help out another user, as their master password isn't really forming part of the encryption process, but merely a login authenticator?

Can you please help steer my thinking and clear up any doubts on this? I'd also be interested to know what the thoughts are on folks needing access to multiple teams and how you intend (if you do) on solving that problem. Perhaps I've totally missed the point somewhere along the line!

Thanks for creating awesome tools.
Tom



Comments

  • julie-tx
    1Password Alumni
    edited February 2018

    Tom -

    Thanks for the question.

    Yes, it is expected that users may be in multiple teams. Most everyone at AgileBits is a member of the AgileBits team, as well as their own family team. Others among us have special teams we've created for things like vendor relationships, so there are still more teams.

    The Account Key and Master Password don't directly secure the data which is stored in the server database. Those two items are used to derive an encryption key, which is then used to encrypt various other encryption keys. That eventually leads to an encryption key which is used to encrypt the items within a shared vault.

    In the case of you and your partner, you each have different account keys and master passwords. Because they are different, they will result in two entirely different derived encryption keys -- which is fine. Those two different keys can then be used to encrypt separate copies of the common vault encryption key.

    We have a most excellent white paper (PDF) which describes this in far more detail.

    On to your other comments - the native client applications (1Password on your Mac or iOS device, etc.) do support multiple teams at the same time. I'm a member of three different teams and I routinely switch back and forth between AgileBits, family and vendors all day long.

    Give the white paper a good read and let us know if you have any more questions.
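Added example, not part of the original thread and not 1Password's code: a simplified sketch of the layering described in the reply above, where each member's Account Key and Master Password derive a personal key that wraps that member's own copy of one shared vault key. PBKDF2 and the HMAC-based toy cipher are stand-ins chosen so the sketch needs only the standard library, and all names and sample secrets are constructed; the white paper describes the real scheme.

```python
import hashlib, hmac, secrets

def derive_user_key(account_key: str, master_password: str, salt: bytes) -> bytes:
    # Both secrets feed the derivation; PBKDF2 is a stand-in KDF for this sketch.
    secret = account_key.encode() + b"\x00" + master_password.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def _keys(key: bytes):
    # Separate encryption and MAC subkeys taken from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-counter keystream (illustration only, not a vetted cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _keys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc, mac = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor_stream(enc, nonce, ct)

def enroll(account_key, master_password, vault_key):
    # What the server would hold per member: a salt and that member's wrapped copy.
    salt = secrets.token_bytes(16)
    return salt, seal(derive_user_key(account_key, master_password, salt), vault_key)

def read_item(account_key, master_password, row, sealed_item):
    # Re-derive the personal key, unwrap the vault key, then decrypt the item.
    salt, wrapped = row
    vault_key = open_sealed(derive_user_key(account_key, master_password, salt), wrapped)
    return open_sealed(vault_key, sealed_item)

# Constructed sample secrets, not real credentials.
TOM = ("A3-TOMKEY-CONSTRUCTED", "tom master password")
PARTNER = ("A3-PARTNERKEY-CONSTRUCTED", "partner master password")
vault_key = secrets.token_bytes(32)                    # one key for the shared vault
rows = {"tom": enroll(*TOM, vault_key), "partner": enroll(*PARTNER, vault_key)}
item = seal(vault_key, b"wifi: constructed-example")   # encrypted once, not per member
```

Both members decrypt the same `item` through different wrapped copies of the vault key, and a wrong Master Password fails at the unwrap step because the derived key no longer matches.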

  • smallcheese
    Community Member

    Thanks @julie-tx. So is it the case that you now have several master passwords to keep track of? How are you managing those? It's easier if you live in the apps (though I think there is an unresolved issue of deciding which master password is THE master password for unlocking the app - I know it's the first one added, but maybe that isn't preferable), but as I've suggested there may be those that will exclusively live in the web app, and with multiple teams that's not going to be much fun.

  • julie-tx
    1Password Alumni

    @smallcheese -

    The recommended "best practice" is to have a single Master Password which was generated using a proper strong, random, unique password generator. That reduces the risk of forgetting one, and you should be using master passwords with enough strength that this isn't an issue.

    That said, mine are all different. I've been working with password systems for about 30 years and my brain seems comfortable cramming random gibberish into it for long term storage. You have to do what works for you.

  • smallcheese
    Community Member

    @julie-tx

    Ok, that does simplify things, but still doesn't drastically improve the experience for those of us who (at work at least) are forced to live in the web app only world and keep logging in to different teams to access different passwords.

  • julie-tx
    1Password Alumni

    @smallcheese - Thanks. I'd not considered users who are forced to use the web app and only the web app. You can log into multiple teams, one per tab or window. That doesn't help with seeing them all on the same page, however.

  • dixie_tech
    Community Member
    edited August 2016

    @julie-tx - Wondering if the multiple accounts under 1Password 6 Beta is being considered or at least for public release. Currently, I cannot see where I can sign in to multiple accounts. I have to sign out of one and into another.

    Thanks

    Edit - I was a bit premature in my post. I was able to sign in to multiple accounts, but was presented with a different issue. After signing into both teams accounts, 1Password 6 beta requires the original account master password. If I sign out of that original account, it does not revert to the second account master password, but uses the "signed out" account's master password to open the vault for the "secondary" account.

    Any ideas?

  • Hi @dixie_tech,

    At present the first 1Password account you add to 1Password 6 for Windows will be the one whose Master Password you use to log in to the app. Hopefully in future iterations of 1Password 6 we can be more intelligent about which Master Password to use, especially in scenarios like the one you've described.

    Ben

  • dixie_tech
    Community Member

    Thanks @Ben

    How would I start over to only have 1 teams account with the desired master password? I tried removing the 1Pass app, removing the extensions and rebooting, then reinstalling everything. However, it still is requiring that first master password. Where is it storing that information? 1Pass build 6.0.184

  • @dixie_tech It sounds like you still need to refresh things. Here's how:

    How to start over with an empty vault

    Let us know how that goes! :)

  • dixie_tech
    Community Member

    @Jacob - Thanks for the info, but it referred to 1Password 4. I'm using 1Password 6 Beta. @Ben - I found a setting in Options that allowed me to change the Master Password for the "device only" and will not update any 1Password account or remote vaults. This did the trick.

    Thanks for the help.

  • @dixie_tech Aha, very good point! Sorry about that. Since 1Password 6 is in beta, we haven't documented everything for it yet. I'm glad you found that bit of the Options screen though.

    If you do need to start over there, let's first enable hidden items in Explorer. Open a File Explorer window and click View in the top left, then check the box beside "Hidden items" in the right of the toolbar. Now open the C drive and navigate to Users/Your Username/AppData/Local/1Password. Delete the file that is named something like 20160514.sqlite, then launch 1Password and you should be all set!

    Hope that helps! :)

This discussion has been closed.