Emergency access to employee's passwords
We're currently evaluating 1Password for Teams. While normally we'd avoid accessing employee's passwords (they can share at their discretion), there will be occasional scenarios where an admin / recovery group member will need to get into an employee's personal vault (e.g. when an employee leaves the company, or an employee has a critical password in their personal vault and is on vacation, unreachable, and an emergency comes up that requires that password).
What's the best way to go about that? One idea I had is get into the employee's email account and reset their master password by performing a recovery. Would that work? Are there any other ways to accomplish this that aren't as intrusive?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Greetings, @alexadriaanse! That's a very good question. If you need to have access to an employee's passwords in an emergency, I'd recommend asking that they don't store stuff in their Personal vault, and instead create a new vault for them to store things in that is only shared with them and you or another admin. You could name it "Robert Personal" or something that works best for your team to differentiate the vault. They could then store their truly personal things (that are used outside of work) in their own 1Password account or a vault outside an account that is synced with their devices.
Right now, the closest thing to "emergency" access available in 1Password Teams — outside of you having their Emergency Kit with the Account Key and Master Password to their account — is account recovery. If they lose their Account Key or Master Password, an admin can recover their account so they can get a new set of credentials.
The reason we don't have the sort of emergency access you're looking for is because it's a touchy privacy issue. We've had some requests for disabling Personal vaults so things can just be in shared ones, but we've also had passionate users ask us if their admin will have access to all their passwords since their email address is in Google Apps and the admin can reset the password to that, then use the access to recover their account. Going in either direction just doesn't seem necessary right now. I'm glad you understand the intrusive side of things as well and you're looking to do this in a helpful way, and I think the use of a shared vault would work best.
Hope that helps, and let us know if you have any other questions. We're happy to help. :)
0