Managing account keys for team members?
I'm wondering how other businesses with production rollouts of 1Password for Teams have their admins/users manage users' account keys.
My initial thought was to save all users' "emergency kits" in an encrypted folder on my computer, and restrict users from having access to their account keys. This would require my intervention any time someone wanted to set up a new device to use their vault, which I view as generally a good thing.
Then I realized that users can use their logged-in account to print out a new emergency kit PDF, or just reveal their account key, or the iOS app can generate a QR code to set up a new device. Also, I'd need to get involved any time users wipe their phone, or clear their browser cookies.
Clearly, users can log into their accounts on whatever devices/browsers they want without my help, and any restrictions we want on this need to come from policy and not crypto.
I'm not sure if there is any use in me maintaining an encrypted folder of all emergency kits either. It would only be useful if a user logged out of ALL 1Password sessions and didnt have an emergency kit saved, in which case I could give them their account key back without having to reset it (using my privileges as a member of the Recovery group). In this case, resetting the account key is no big deal.
Still, I don't want users saving PDF copies of their emergency kits, especially if I can recover all of their data for them even if no body has an emergency kit saved via Recovery group. These PDFs will end up all over the damn place: synced to iCloud accounts, synced to personal iCloud accounts and personal Macs with no security, left in download folders that are readable to any process run as the user on their computer, printed out on actual paper... basically the reason I'm using 1Password is to keep passwords from being strewn all over the place in text files, spreadsheets, Evernote, sticky notes, etc, and having these Emergency Kit PDFs downloadable by the user isn't something I want.
So now I'm thinking of just making a policy for my users: Don't ever download emergency kit PDFs, save them, or print them out, and never put your account key anywhere other than inside your 1Password personal vault itself. If you lose access to it, come see me. I'd be relying on them to follow this policy, which of course some wouldn't.
How do y'all deal with this? What are your suggestions?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Teams