Make Vaults Without Team Owner Access?

Is it possible to create vaults in a 1Password team in a way that specific members can access them, but the team owner cannot?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hey @lucascantor

    When you create a Team vault the team owner will automatically be given manage only access to that vault. This means that they will be able to assign Team members to that vault, or change permissions to that vault. By default, owners are not able to view the contents of that vault, unless they were the one who created it. However... as they can manage that vault they could always choose to give themselves read permission, so you do have to treat them as someone who can access the vault contents.

    We want owners to have manage access to all shared vaults so that vaults do not become stranded. This ensures there is always someone on the team who can manage that vault. I would be curious to know under what scenarios you would like to create a vault that can not be managed by an Owner.

  • lucascantor
    lucascantor
    Community Member

    Hi @Jeff Shiner

    Thank you for the thorough explanation. The scenario I have in mind is the need to let my team members share vaults with each other while keeping them private from me for legal compliance requirements.

    Now that I've thought more about this though, as team owner and my team members' email service admin, I could in theory use the account recovery process to gain access to any privately shared or even personal vaults.

    As a family owner, however, I feel this could be a useful feature for other members of my family to share vaults while knowing they are kept private from me, and since I don't have admin control over my family members' personal email accounts, the vaults could be truly private.

  • Amarand
    Amarand
    Community Member
    edited March 2016

    I would be curious to know under what scenarios you would like to create a vault that can not be managed by an Owner.

    I'm just learning about 1Password Families, and am coming from a separate vaults situation. Two of us own our own separate copies of 1Password, and we each have our own vaults, which are synchronized through Dropbox. I think I chose Dropbox because there were issues with iCloud, cross-platform, encryption, something.

    So as a person who likes to keep vaults/access completely, 100% separate and private, is 1Password Families for me?

    I have a use case: a family of clients, both in the medical field, who want to be able to share some of their passwords (intentionally sharing one or two passwords out of, say, 100), while keeping the remaining passwords 100% secure - you know, for HIPAA-compliance and all that jazz.

    I don't want one of the people to be able to use an account recovery or security loophole to access the other's passwords. Is that even possible with 1Password Families? I know that (or I -feel- that), with 1Password installed on all of my computers and mobile devices, my vault is MY vault, and it's heavily encrypted. I share one or two of my passwords, but that's a "push" share. No one can "pull" from my vault or reset my vault's permissions without my passphrase, right? Does 1Password Families change this behavior?

    I have a bunch of clients in similar boats, and I need to be able to understand the differences security-wise between the standalone 1Password (which I love, and have easily sold to many customers with the promise that their vaults are super secure as long as they use good passphrases), and the 1Password Families environment. Most of the people I am selling this to aren't traditional "families" (although they are usually husband and wife - but professionals) as they are storing information that they need to keep confidential, even from their spouse (again, HIPAA, non-repudiation, etc.).

    Can you please explain the difference between these two? I feel bad hijacking this thread, but one of the Agilebits support reps got a little testy with someone else who'd duplicated efforts with a similar question. So...I ask here.

    In the end, and what's really important to me, is that I cannot (and will not) recommend 1Password Families to families that have security/privacy concerns until those security/privacy concerns are explained and vetted. 1Password is a known value, whereas the Families product is new and I haven't really seen much of an explanation of the differences between the products as they relate to security/privacy - which is paramount to the majority of the people I recommend this product to. Until I know, for certain, that families can use 1Password Families in the same way as they were using the original, separate 1Password vaults/environment, I'm going to need to continue (out of necessity) to recommend the original product.

    Thanks!

  • Thanks @lucascantor for the feedback

    I can see there being value in the ability to create family vaults where the owner does not have access. For example, in my family I could imagine a vault which is shared between my parents but not intended to be shared with me as the owner. Your teams scenario also makes sense, especially if access to the team members' email service wasn't available.

    I'm not sure if this is a feature we will be adding anytime soon to be honest, but having the scenarios will really help when it comes time to have that discussion.

  • ntimo
    ntimo
    Community Member
    edited March 2016

    @Jeff Shiner please add my vote for that. Also letting non admin owners create their own vaults would be really amazing. This would make families perfect for me and my family.

  • Jeff Shiner
    edited February 2018

    Hey @Amarand

    So as a person who likes to keep vaults/access completely, 100% separate and private, is 1Password Families for me?

    Absolutely! When using 1Password Families, each family member receives their very own Personal vault which is not shared by any other member of the Family. This allows each person to have their own separate and private vault of items. At the same time, you get all the other benefits of a Families account including the ability to create shared vaults and recover your family members' accounts if they forget their Master Password.

    I also think you may find a time when adding a shared vault becomes helpful. My 15 year old son just took a trip down to Texas with his coach and a few team members. It was his first international trip without us, his parents, tagging along. I created a "Texas Trip" vault and added all of his trip information there including all our Passports, Identities his trip health insurance, travel consent form and more. It was really nice to have all of that in a separate vault that he could access easily from his phone.

    I don't want one of the people to be able to use an account recovery or security loophole to access the other's passwords. Is that even possible with 1Password Families?

    With 1Password Families, no one knows your Master Password (or Account Key) but yourself. We at AgileBits have absolutely no way to recover your data if you forget your Master Password or lose your Account Key (since you have end-to-end security).

    There are, however, differences between 1Password local and 1Password Families. An important example is that with 1Password Families we allow account owners a way to recover accounts within that Family. Owners of the family account have Recovery access to all vaults within that account. This access allows them to recover vault access for a family member if they forget their Master Password. It is important to note however that this Recovery access does not give them access to that family member's data. As the owner, you will control who has access to the Recovery feature. You may grant as many Family members Recovery access as you wish. We recommend at least two so owners aren't locked out of their own accounts.

    Recovering a family member's account will send an them an email with a link whereby they can choose a new Master Password. The Family member must be able to access their email account and it must be protected in order to prevent someone else from intercepting the recovery link. Once that has been completed the Owner can complete recovery, allowing them to regain access to their vaults.

    To better understand how Recovery works we have a detailed Security Whitepaper which talks through not only Recovery, but in fact many different security aspects and features. It is quite an in-depth read, but I think you will enjoy it.

    I hope that helps!

  • Amarand
    Amarand
    Community Member

    Awesome, thanks! Lots of information to review, and hopefully that will address concerns, or at least let me know what to explain to customers as far as how it all works!

  • Amarand
    Amarand
    Community Member

    Also, as an aside, although it's awesome to have the ability and flexibility to, say, create a vault with the "option" enabled for recovery, it might be prudent to have a feature enabled/disabled at time of a vault's creation, which says explicitly that the vault is not recoverable without the original Master Password. I'd be willing to take the risk of losing an entire private vault, if I knew that vault was only accessible by me. Maybe with two-factor authentication tied to a phone or something, with backup codes? A lot of places do that. Then you could lock your backup codes in a safe, or include them in a will, so the executor could let someone unlock your codes after you pass (a good thing), but you could NOT unlock things otherwise.

    The Owner could then set-up shared vaults like the Texas Trip you mentioned, have a vault that is shared just between the two parents, but also have a private vault for work/business items that need to be kept strictly confidential with no recovery method available. If you lock your iPhone because you forget your PIN, the data's gone unless you have a backup. I envision a spectrum of security for 1Password that is similar: wide open to completely locked-down.

  • @Amarand, those are very interesting points. I think it makes a lot of sense, and I could see us providing an option like that at some point in the future. It's not something we'll be able to address in the short term, but it will be interesting to see what kinds of enhancements like that we can offer in the future! For now, you can still create a completely private local vault outside of the team or family account, or even your own personal team account just for yourself. :)

This discussion has been closed.