Vault Managers in 1P for Families?
Comments
-
I mention it in the "Migrating to Families - just not good enough" thread, if you want feedback bring it up there and I'll share my issues.
If you've got another thread going about that issue, we'll continue to assist you in that other thread so we don't get too far adrift here.
Yes, each user gets one automatically created "personal" vault which is private. My post was demonstrating how it's not possible for more than one user to have multiple personal vaults, which is something completely reasonable to expect especially if they are former 1Password users.
Family Organizers can have an unlimited number of private vaults. What prevents other family members from having multiple private vaults is that each vault must have at least on Family Organizer in it. Otherwise it would be impossible to manage the vault if no Family Organizer was in it. Family Members do not have the ability to manage vaults.
How should the single parent ensure they can recover their account?
I would suggest adding the person who would be the legal guardian of the child if the single parent passes away as a Family Organizer.
The grandparents want to have a shared vault between them, but not allow any of their kids access to it. How can they do this?
One of them would need to be a Family Organizer, or they would either need their own family account.
0 -
…now I'm stuck receiving notifications for what seems to have turned into a gripe session.
You can disable notifications for a thread by "unstarring" it at the top.
For some of the scenarios I'm seeing described in this thread, I think the original 1Password for individual users would be the better solution. Or 1Password for Teams. These would give the type of fine-grained control some users prefer.
Indeed. Or even a separate family account. Since, for example, grandparents and married adult siblings can be considered a separate family (at least they are considered separate to census takers anyway). :)
I might also suggest following the route my family has taken. I subscribed to a Families account, which I use for myself, my parents, and my girlfriend. I am the Organizer. My son-in-law also subscribed to a separate Families account for his immediate family.
Perfect!
For recovery purposes, I invited my son-in-law to join my Family as an Organizer, and he invited me to his Family, also as an Organizer. We essentially have two separate Family circles that overlap with me and him.
Another fantastic idea!
1Password is a complex service, with a lot of possibilities that are not always readily apparent. It will never be all things to all people, but I think there's very little you can't do with it...after a little mental mapping.
I know I am biased, but I tend to agree. Hopefully your suggestions will help some others as well. I really appreciate you taking the time to post them.
Please do let me know if you have any trouble disabling notifications for this (or any other thread). The last thing we'd ever want is to annoy you.
Cheers!
0 -
Family Organizers can have an unlimited number of private vaults.
For what definition of private? Since any family organizer can modify permissions on any shared vault, that doesn't meet my definition of private. It's not private if another Family Organizer can gain access at any time. Private means without having both my Account Key and Master Password, no one can ever get access to that data.
Using your example family where the parents are Family Organizers and children are Family Members, the following are impossible setups:
- A parent having multiple vaults no one else can access
- A parent sharing a vault with a child that the other parent can't access
- Children having a shared vault that the parents can't access
The only way a family organizer can have an unlimited number of private vaults is to be the sole Family Organizer, which goes against the recommendation for account recovery purposes. The only other option is to make local vaults and sync them using Dropbox.
There needs to be a way to keep "shared" vaults private from other Family Organizers in order for the product to be useful. The way it's currently designed completely goes against the philosophy of "your data is your data". AgileBits might not have a master key, but Family Organizers have access to every shared vault across the entire account.
I was excited to use 1Password for Families (when it finally supports Windows), and wanted to get my mother to use it. Even in this two person setup, I can't see any way forward as long as shared vaults are accessible to all family organizers. It's a deal breaker.
One of them would need to be a Family Organizer
That's not a solution. Since the Parents are also Family Organizers, they can modify the permissions to have access at any point. That leaves one solution: Spend more money on another Families account and lose the sharing functionality they signed up for in the first place.
What prevents other family members from having multiple private vaults is that each vault must have at least on Family Organizer in it. Otherwise it would be impossible to manage the vault if no Family Organizer was in it.
This is where I feel 1Password for Families got it completely wrong. Consider something more like the following:
Shared vaults are owned by the user who created it. The owner will always have access to the vault and can never have their access removed under any circumstance. The owner can change permissions, which includes read and write permissions, as well as permissions to "manage" the vault. Managing the vault means that person can also modify permissions of all other users except the owner.
That would solve every issue I've just brought up and allow for much more complicated setups without getting into the fine-grain control needed by Teams.
- Can users create multiple private vaults? Yes. Only the vault owner can change initial permissions, so no other Family Organizer can get access to it.
- Can the permissions ever get screwed up to the vault is "lost"? No. The owner owns can never have their permissions removed.
- Can family organizers be designated to manage the vault permissions? Yes, but only if the owner allows them.
- Can couples in the family have shared vaults that no one else can access? Yes. Family organizers have no longer have a master key.
Family Organizers should manage adding and removing users, as well as dealing with a user's recovery process. Vault management should either be available to all users, or a new user level should be introduced for users who would be comfortable with this feature.
0 -
Excellent point. Now is a great time to investigate 1Password for Teams since it is free while in beta. At least you'll see for yourself if it would be worth the extra cost for the additional features and flexibility.
Depending on your exact circumstances, it might make sense (and be less expensive) to have multiple family accounts rather than a single team. But it really does depend on your exact needs.
0 -
I just wanted to add I just ran into the same issue as the OP where I wanted to create vaults where I had nothing to do with them (I honestly would have rather the family member create the vault themselves, but one thing at a time :) . Just like the OP I'm planning to pay for the accounts of a bunch of my family members and all of them have spouses. I would like to be able to create spousal-sharing vaults like I have with my wife, but I really don't need -- or really should have -- access to the shared details like bank accounts between my e.g. sibling and their spouse.
0 -
That's really generous of you. I'm not sure that 1Password Families is designed for that particular (multi-family) use case, but it's certainly something we can consider as we continue to improve it. Thanks for the feedback! :)
0 -
I completely second this thread. I just signed up for 1P for Families and much to my surprise you cannot have individuals in the family with shared vaults between them where the organizer is not a member. This is a major deal breaker for me and would force me to stay with LastPass where you can be really granular in what you share. i.e. my father who is a member of my family may want to share some passwords with me but may not want me to have access to his shared vault with my mother for financial accounts. The use case you guys are only thinking about is where you have parents managing their younger kids. This won't work well for managing older individuals that may want privacy from the organizer. Personally, its not difficult for you all to implement this feature since 1P for Teams already has this feature. Otherwise, I recommend you update your marketing on the site around use cases since they are somewhat misleading in the real world.
0 -
I'll +1 on this as well .. Not a deal breaker, but it would have been better if the family members were their own vault manager, who can create and share vaults of their own making. The definition of Family, I believe, will be different for each customer and is beyond what your original thinking of what a family is.
0 -
Thanks for the continued feedback, folks. :)
Ben
0 -
I'll add that Family Organizers should not be allowed to add themselves to share a Vault they do not own (That would be up to the member who created the vault). Organizers should be limited to just be able to Add/Delete/Recover Family accounts
0 -
It is an interesting concept, and one that I'd personally not mind seeing implemented. :) We'll continue to mull this around as we move forward.
Ben
0 -
@bwoodruff it would be great if you guys could make an executive decision rather quickly here. It seems the features and functionality already exists in 1P for Teams so to add the feature would not require much heavy lifting on your part. My issue is that I just signed up for a 30 day trial and I am told that I would be grandfathered into the special spring promo where they give you 7 users and 2GB of secure storage and my subscription is expiring with LastPass in the next 30 days. So if i miss your spring promo and end up having to sign up for another year with LastPass I am likely to pass up (no pun) on 1P for Families altogether. Please don't misunderstand, I think you guys have a great company and product and the UI is definitely superior to LastPass, which is actually my reasoning for considering a swap, but these slight changes we are asking for are well handled by your competition and UI at the end of the day is a "nice to have". Remember, you guys are trying to woo prospective customers here onto a subscription service. Sure it doesn't sound like a lot of money at first, but most of us treat this as an insurance policy and will pay likely forever. So now is the time for action...
0 -
I appreciate that perspective, shmookles, but I'm not in a position to promise when / if this is the direction that we'll go. If this is a critical feature for you, and another service meets that need, they may be in a better position to serve you at this time. As I've mentioned a few times in this thread it is hopefully something that we can address in the future, but I cannot guarantee that we'll change our model to fit this particular use case.
Ben
0 -
@bwoodruff understood and we appreciate the transparency from you and your team as it allows us to make better decesions. Please keep us in the loop if anything changes.
0 -
You're very welcome. I wish I could provide a more encouraging answer, but I'd hate to over promise and under deliver.
Ben
0 -
@bwoodruff , is there any chance for 1Password for Teams to be offered at a lower price point for non-commercial users?
1Password for Teams with a family pricing model is what was originally advertised. Looking back at the original blog post which discussed using Teams for a family, the first comment made by Dave discussed how they are working on family pricing for Teams. When Families was officially announced it seemed like it was still Teams with a special pricing plan:
Last month I wrote about how I use 1Password for Teams with my family and the response was amazing. Many of you were excited to sign up your family and asked if we’d have special pricing available....
Today, I’m happy to announce that we succeeded! We’ve created a special plan with an amazing price just for families, and we went even further by making it easier than ever for families to use 1Password.
Still sounded to me like we were getting 1Password for Teams with a different pricing model, and not the current product that is 1Password for Families. The irony of it all is Dave's setup from the first blog post isn't even possible with 1Password for Families. He created an "Archive" vault that only he has access to, and during the comments for the Families blog he clearly just gave Sara access to his Archive vault:
So if we switch context to me and my family, I am able to restore access to Jack’s, Abby’s, or Sara’s accounts if any of them are unable to access their account. It’s pretty cool because I can choose to allow specific family members to be able to do the exact same thing for me. I did this for Sara, so I now have a great backup plan for emergencies.
I'm glad the AgileBits team is listening to feedback regarding these products, but I'd also like to know the roadmap before my 1Password for Families trial runs out so I understand my options going forward. If 1Password for Families will not be getting these types of features, is there any chance your team will revisit the original idea of having a different pricing plan for 1Password for Teams for those of us who may not want to use it for business purposes?
I've been using 1Password for nearly a decade and Dave's original blog post really sold me on using Teams for a family. I'd prefer to keep the Families account with the special pricing, but I'm not opposed to using Teams either, as long as it's affordable.
0 -
You make a very good point. I think that our plan shifted from just a "simple" pricing plan to a product tailored more specifically for families, which included some simplification from the administrative standpoint. This is a boon to a lot of folks, as they don't have such specific needs as you or me. But it does bring up the issues you mentioned.
Right now, I don't have any additional information about future pricing, but we are discussing these things internally. I am confident we can find a good solution that will work for the majority of families that don't want the complexity of administering a team account but still would like the flexibility that vault managers provide.
I can't make any promises, but I'm in agreement with you on these matters. :)
0 -
@BrianE any updates on your internal conversations regarding allowing users to manage their own vaults and not requiring organizers to be a member? We are so close to pulling the trigger on this, but migrating my entire family from LastPass will be a pain so I would love to know if you guys are going to make this happen on your end. Thanks!
0 -
Hi @shmookles,
BrianE doesn't work here, so I am going to assume you meant to direct your question to me. If not, my apologies for misunderstanding. 8-)
We don't normally pre-announce future release dates (of products or features), and in all honesty I can't even say that this will happen for sure. It is still being discussed. If you click the star at the top of this thread, you can receive email notifications for it. If and when we have more to say, you can be sure we'll post here. :+1:
0 -
Greetings. @bwoodruff asked me to help with a response to this conversation, and I thought I'd share some of how things work and why while we wait for him to post his response.
There are three attributes to security, all of which are equally important: Confidentiality (keeping secrets secret), Integrity (making sure the secrets don't get changed inappropriately) and Availability (making sure you can get your secrets when you want them). A product that doesn't ensure you can get your secrets back (Availability) is insecure, and that's why we have things like the Recovery capability. What that means is if you lose your cryptographic secrets, someone else can help you get your information back. Doing that requires that someone else have access to your cryptographic keys. Either we have them (bad idea) or someone else within your Family or Team has them (better idea).
Preventing other users from having access to a vault means you can lose all access to your data, permanently. Unless someone with the Recovery capability has cryptographic access to that vault's keys, there's simply no way to ever give your data back to you if you lose access to your secrets. They don't have to have access to the actual encrypted items to perform this function, and unless they have more than the "Recover" or "Manage" permission the server will not return the encrypted data to them. Having "Manage" or "Recover" gives them access to the encryption *KEYS* but not the encrypted *DATA*. I'm not sure if that's part of the misunderstanding. As others have noted, having "Manage" means the user can add themself as a regular user, and then they'll receive all of the data.
Everyone (excluding "Guest" users) does have a vault which does not grant "Manage" permission to the team owner or family organizer. That is the "Personal" vault. The server will prevent any team owner or family organizer from adding themself to that vault as an ordinary user of the vault, and the server will not allow permissions other than "Recover" to be added to a personal vault by another user. If you have information you want to protect from the team owner or family organizer, right now the only place to store it is in your existing "Personal" vault. Family organizers all have "Recover" access to personal vaults to ensure that family members never lose the ability to access their items -- so long as the 1Password Families account has a recovery plan in place.
It's true that the 1Password Teams product has finer-grained control over access rights. There is a lot of capability in the overall product that has yet to be fully exploited through the UI. The problem with a rich access control and permissions model is it may be overly complex and effectively unusable by some people. Unusable security isn't security -- a model that is so rich that no one can use it, or which has negative behavior if used carelessly, is a bad security model. This is why 1Password Families has a simplified security model. We had customers reporting problems with vaults because the "Administrators" group wasn't added when the vault was created, and thus there was no way to recover the vault.
@shmookles asked about the internal conversations. What I've written here -- we must have an understandable security model for 1Password Families -- is what I say internally. I also say things like "We should allow tech-savvy 1Password Families users to have access to the entire permissions management capability."
We have to pay attention to Availability as much as do to Confidentiality and that is what is driving a lot of these decisions. As @khad mentioned, we don't pre-announce products or product changes, but we are aware that there are customers who want finer-grained access control in their 1Password Families account.
0 -
Here is the reply I had written when I asked Julie to chime in on some of the security aspects.
is there any chance for 1Password for Teams to be offered at a lower price point for non-commercial users?
There has been some discussion about how to price Teams for non-profit organizations, I'm not aware of any discussion around special pricing for families that want to use Teams. That isn't to say that we wouldn't consider something in that regard.
it seemed like it was still Teams with a special pricing plan
Teams and Families are built in the same infrastructure, and share a lot of code, they are indeed separate offerings with different feature sets, and it is likely this will continue to be the case. Officially we're not calling 1Password for Families a "pricing plan of 1Password for Teams." They are marketed as separate products.
If families would like the full set of functions offered by 1Password for Teams they are of course welcome to sign up for that service, but that does come with its own pricing.
he clearly just gave Sara access to his Archive vault
No: he didn't. He made Sara an "Organizer" which means she could grant herself access to his archive vault, yes. But she doesn't have access to it. And if she ever added herself to it, he could see that.
Even if we end up taking away the ability for organizers to add themselves to vaults in the interface, in order to perform recovery they have to have all the keys. So while we may be able to make improvements from a UI perspective it will always be possible for anyone who is determined and who can perform the recovery function to decrypt any data created within their family.
Of course they would have to actually get their hands on the encrypted data in question, and also get their hands on their keys in some usable form. We have protections in place against that. But the main point being that if you do not trust someone, you should not make them an organizer.
On a technical level, if you want someone to be able to perform recovery, they also have to be able to decrypt your data. There is policy (in the form of code, not cryptography) in place that prevents them from doing so.
Ben
0 -
Hey everyone,
I am amazed that my initial post got backed by a lot of loyal (& future) 1P users. :)
When I initially asked I surely spanned the context a bit broader as I knew the concept of "Vault Managers" from the documentation of 1P for Teams. And as this was already available I thought "Wouldn't it be nice if I could apply this to my family to solve my 'problem'?".
Because in the end I only wanted to achieve the one thing that @julie-tx summarized nicely in her last reply:
There are three attributes to security, all of which are equally important: Confidentiality (keeping secrets secret), Integrity (making sure the secrets don't get changed inappropriately) and Availability (making sure you can get your secrets when you want them).
I saw this one pillar - confidentiality - endangered with the concept that is currently applied to 1P for Families.
Of course an owner is not automatically able to access all the data he/she wants. But if we are being honest to ourselves the ability to do so by adding themselves to the vault is almost the same.
Surely I also do not want to endanger the other pillars, specifically integrity as I know my beloved ones: "Password? Which password?", I am already hearing in my ears when my dad locked himself out and I (or my brother) need to jump in to help him :).
For the availability part I am clearly counting on you. I was so happy when you announced a family plan for your cloud edition of 1Password as I could immediately stop thinking about how, what and when to sync to keep all my devices up-to-date.
Before with a "standalone version", an "app store version", "dropbox sync", "wifi sync", "folder sync" and potentially 2-3 devices you want to keep up to date it was kind of messy, right?
So actually I am so happy about it that I am also considering to use this as a family of one. But actually having a real family, how sad would that be ;).
Summing it up:
I never wanted to overcomplicate things when asking for an advanced vault management. I just want to see all three pillars reflected in the offering.And coming back to my initial example: If I can access the secrets of my brother and his spouse that's not confidential to me anymore.
And yes the 'solution' to that might be multiple accounts to have different circles of confidentiality, but what am I supposed to do with "Pay $5 for up to 5 (7) members (monthly) & Up to 1 (2) GB of secure storage" if it is only me using the account?
Best & Happy weekend,
Martin0 -
@maxmustermann, I think you said it very well. It would indeed add a bit of complexity, so that is something we need to balance. We are definitely taking all these things into consideration as we move forward, but for now I think the suggestion to have multiple "circles of confidentiality" is actually a pretty good solution for a lot of folks. Others may wish to use 1Password for Teams instead.
I myself would like to see some improvements in this regard, but it hasn't yet been enough for my wife and I to use 1Password for Teams instead. For others — with more specific ideas about who they trust, how much they trust them, and whether or not they should even need to rely on trust when it comes to 1Password — it absolutely may be.
0 -
Hey @khad,
We are definitely taking all these things into consideration as we move forward
Thanks for that :) And I am looking forward to hear where the internal discussions brought you on this.
[...] but for now I think the suggestion to have multiple "circles of confidentiality" is actually a pretty good solution for a lot of folks
Unfortunately not for me. It takes some time to get a family of 5 (or 7) if I tell every (adult) family member to get an own account ;)
Others may wish to use 1Password for Teams instead.
That might be true, but as long as there is no final pricing on it I simply cannot tell if this is a way forward for me.
Best,
Martin0 -
1Password for Teams pricing is available on this page: https://1password.com/teams/pricing/
Subscribe before July 1st and get Pro for the Standard price.
0 -
Nice. I did not know that.
The last time I checked the Pricing link on the Teams page linked to: https://1password.com/pricing/
(Actually I checked 1 minute ago g)And wow: 5 instead of 15 dollar is a very generous offer!
However in the end that would mean that I would actually pay 30 (6 team accounts) dollars a month instead of 5 (1 family account).
So I guess I am seconding your statement for now:
I myself would like to see some improvements in this regard, but it hasn't yet been enough for my wife and I to use 1Password for Teams instead.
Best,
Martin0 -
Makes sense. And how could I disagree when you are quoting me? :)
0