Account Recovery Bugs
A few bugs to report relating to account recovery:
Administrators can request that an account recovery begin but can't actually complete an account recovery. They see the button to complete it but receive a cryptic error upon clicking it.
Administrators can start an account recovery on a user in the "Recovery" group. If that user was the only one in the Recovery group (or you do it to all the users) you completely tank the ability for any users to ever be recovered (and those that you started will never be able to log in again). According to support, the only way to proceed is to completely delete your account and start from scratch.
These are pretty product-breaking bugs -- we'll be more careful next time but a vindictive administrator can currently wipe your entire account. I hope they're fixed in the next beta!
Comments
-
Hi @valvalis,
Thank you for listing these issues here. I am so sorry that you discovered them the hard way.
In the initial design we started with a separate Recovery group. Later, we found that very few teams have more than one person in the Recovery group and we changed things by making sure that all Admins and Owners have access to recovery. However, for this to work, a migration is required. It can only be performed by the members of the Recovery group because only they have access to the recovery keys.
The Admin Console should not be allowing the Admins to begin the recovery unless the migration is completed. We will make sure this issue is fixed tonight.
0 -
Hello, @roustem! :)
As @valvalis points out above, the current situation with Recovery is a cause for concern…
For example, may I ask what migration it is you are referring to? Every time we log into 1Password for Teams on the web, we see a notice about the account being "migrated" and the migration being "completed." It only takes a few seconds but it occurs every single time, which I find suspicious… Is this known behaviour?
In your reply above, as well as in the release notes for ßeta 62, you state that it is important for a team to have multiple Admins for Recovery to work. Yet, my understanding of 1Password for Teams is that any member of the Recovery group can recover any account, whether an Admin's or not. (This seems to have been confirmed by @rob's enlightening replies to my previous queries.)
Has this changed? If so, please keep in mind that not all Teams can afford to have multiple Admins or Owners. For example, in our current setup, all our users belong to the Recovery group because we trust them enough to help out each other (or to help me!) and not to do anything too silly, but I am the only Admin and I am not authorised to share the keys to my kingdom. I hope the Recovery group continues to exist (and work) so that I do not become a de facto single point of failure. :dizzy:
Is there any chance that the team could focus on Recovery, settle its behaviour once and for all, and document it? I feel we would all be able to invest more resources in 1Password for Teams (ultimately making for a much more productive beta period) if we were less concerned about Recovery failing us at the worst possible time. Our fears may well be unfounded, and probably are, but the current www is very tangled indeed.
0 -
We meet again, @Deleted User! muah ha ha ha ha
Yes, we are slowly changing some aspects of Recovery. Here's the idea:
- Admins and Owners will always have Recovery ability even if they weren't added to the Recovery Group
- Those who are members of only the Recovery Group will continue to have the Recovery ability.
- We would like to eventually hide the Recovery Group entirely and have only Admin and Owner default groups. This is the part you don't want right now, and we are not doing it yet for several reasons, including the reasons you list.
We will eventually provide the ability to create custom groups with custom permissions. This may be limited based on the subscription plan that is chosen, so I don't want to guarantee anything for all team accounts, but it would let you create your own "Recovery-only" group if we do end up hiding the default Recovery Group.
The migration Roustem mentioned runs when someone in the Recovery Group signs in. If the Admin and Owner groups don't have the keys for Recovery, the migration adds them. I'm not sure why you're seeing the migration run every time you sign in. That isn't expected. We've only added that and one other client-side migration (creating the Team Members group), so you should only have seen it a maximum of twice so far. If you're still seeing it every time you sign in, could you check your browser console for any errors and let me know?
0 -
Hello, @Rob! :chuffed:
Thank you for all this extra information, which helps a good deal. I am sorry to hear that Recovery is still in such a state of flux, though: that will keep us on our toes for weeks, if not months to come, and I had dearly hoped that we could move on from the basics to focus on usability and other higher-level features.
I dearly hope that the Recovery group is not going away or being locked into some more expensive plan. I know the decision is not yours to make (or rather not exclusively yours to make), but differentiating plans based on core features as opposed to frivolous extras would be very fishy indeed. Providing the same level of security to all your users has always been a tenet of AgileBits, even when you moved your iOS apps to a freemium model, and I hope this fine tradition is here to stay.
The migration does run every time for our user accounts and I am afraid you are right: Console does display errors related to Recovery. Here they are below. Do they mean anything to you?
I must say that the message Migration Failed in Console is especially egregious given that the UI always shows a confirmation message with a green checkmark stating that it succeeded! I am all a shambles now, as this seems to imply that our Recovery group is not working as intended. Your reassuring comments would be most appreciated:
PUT https://XXXXXX.1password.com/api/v1/group/XXXXXX/recoverykeyset?__t=XXXXXX 434 Request
XdAkU4URgY1XPNIySDqEAG-vTlM.js:320 Request '/api/v1/group/XXXXXX/recoverykeyset' failed: 434 ()
XdAkU4URgY1XPNIySDqEAG-vTlM.js:519 Failed to addRecoveryKeysetsToGroup: Cannot handle request. (110) a {code: 110, message: "Cannot handle request.", name: "ServerError"}
XdAkU4URgY1XPNIySDqEAG-vTlM.js:582 Migrations failed: a {code: 110, message: "Cannot handle request.", name: "ServerError"}
XdAkU4URgY1XPNIySDqEAG-vTlM.js:796 Uncaught (in promise) TypeError: Cannot read property 'memberships' of undefined(…)
Oh, I should also ask: when does the migration run? My understanding is that it only runs during a Web login, even though the 1Password for Teams model encourages users to focus on the native client applications. Does the migration run from the client apps, too? If not, how are users expected to know about the need to log in on the web to trigger it? This all seems depressingly ill designed… :angry:
0 -
Hi, @Deleted User.
I dearly hope that the Recovery group is not going away or being locked into some more expensive plan.
No, definitely not. Account recovery is one of the core features of 1Password for Teams and it will be available no matter which plan you choose. My comment about plans was in reference to custom groups and permissions. I don't know how all that will work out yet, but account recovery will not be excluded from a pricing plan.
I must say that the message Migration Failed in Console is especially egregious given that the UI always shows a confirmation message with a green checkmark stating that it succeeded!
Yes, when I started the migrations, I wanted to indicate that something was happening without giving users too much concern if it failed since it wasn't a process they initiated, so I chose not to display an error message but to log the message in the console for debugging purposes.
I am all a shambles now, as this seems to imply that our Recovery group is not working as intended. Your reassuring comments would be most appreciated.
Nothing is broken in your team. I found the reason that the migration keeps running (and thus the error keeps happening), but ironically it means that everything is actually working just fine. When we added the migration, we missed some details that cause it to run over and over again. The errors are simply the result of the fact that the migration has already successfully run and so it can't be done again. I'm going to disable the entire migration for now until we can get it working more reliably. I'm really sorry for the confusion.
Oh, I should also ask: when does the migration run? My understanding is that it only runs during a Web login, even though the 1Password for Teams model encourages users to focus on the native client applications. Does the migration run from the client apps, too? If not, how are users expected to know about the need to log in on the web to trigger it?
Yes, it runs only when signing into your account in the web browser. None of the migrations at this point are critical, and not every user will even have a migration run when they sign in (except for the errant one I discussed above). If there is a migration that has to be run by each user, we will most likely announce it in some way, but we haven't needed to do that at this point.
0 -
As always, thank you, @rob, for these extra details. :)
0 -
As always, you're welcome. :)
0 -
I just initiated an Account Recovery for one of our employees, who had lost their Account Key and was unable to join the team account without it. Upon him completing the Account Recovery, I got the email to Confirm Recovery, and when I tried to do so, it popped up the error "Failed to Complete Recovery" "Failed to find Keyset.....". What can I do to get his account confirmed? There are over a year's worth of saved passwords, etc. that he now doesn't have access to.
0
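The two failure modes reported in this thread (an initiator whose group holds no recovery keys, and a recovery begun on the last person able to recover others) can both be refused before recovery starts. An added sketch, not 1Password's code: the data model and every name in it (`team`, `hasRecoveryKeyset`, `pendingRecovery`, `checkBeginRecovery`) are hypothetical.

```javascript
// Constructed model (hypothetical): which groups hold the recovery keyset,
// and who belongs to them. Admins/Owners start without it, as before the
// migration discussed in the thread.
const team = {
  groups: {
    Owners:   { hasRecoveryKeyset: false, members: ["olivia"] },
    Admins:   { hasRecoveryKeyset: false, members: ["adam"] },
    Recovery: { hasRecoveryKeyset: true,  members: ["rita"] },
  },
  // Users whose own recovery has been begun but not yet completed.
  pendingRecovery: new Set(),
};

// Users who can actually complete a recovery: members of a group that holds
// the keyset and who are not themselves waiting to be recovered.
function recoverers(team) {
  const out = new Set();
  for (const g of Object.values(team.groups)) {
    if (!g.hasRecoveryKeyset) continue;
    for (const m of g.members) if (!team.pendingRecovery.has(m)) out.add(m);
  }
  return out;
}

// Precondition check, evaluated before any account state is changed.
function checkBeginRecovery(team, initiator, target) {
  const able = recoverers(team);
  if (!able.has(initiator)) {
    return { allowed: false, reason: "initiator-has-no-recovery-keyset" };
  }
  able.delete(target); // the target cannot recover anyone while pending
  if (able.size === 0) {
    return { allowed: false, reason: "would-remove-last-recoverer" };
  }
  return { allowed: true, reason: null };
}

// Marks the target as pending only when the check passes.
function beginRecovery(team, initiator, target) {
  const verdict = checkBeginRecovery(team, initiator, target);
  if (verdict.allowed) team.pendingRecovery.add(target);
  return verdict;
}
```
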