Managing account keys for team members?
I'm wondering how other businesses with production rollouts of 1Password for Teams have their admins/users manage users' account keys.
My initial thought was to save all users' "emergency kits" in an encrypted folder on my computer, and restrict users from having access to their account keys. This would require my intervention any time someone wanted to set up a new device to use their vault, which I view as generally a good thing.
Then I realized that users can use their logged-in account to print out a new emergency kit PDF, or just reveal their account key, or the iOS app can generate a QR code to set up a new device. Also, I'd need to get involved any time users wipe their phone, or clear their browser cookies.
Clearly, users can log into their accounts on whatever devices/browsers they want without my help, and any restrictions we want on this need to come from policy and not crypto.
I'm not sure if there is any use in me maintaining an encrypted folder of all emergency kits either. It would only be useful if a user logged out of ALL 1Password sessions and didnt have an emergency kit saved, in which case I could give them their account key back without having to reset it (using my privileges as a member of the Recovery group). In this case, resetting the account key is no big deal.
Still, I don't want users saving PDF copies of their emergency kits, especially if I can recover all of their data for them even if no body has an emergency kit saved via Recovery group. These PDFs will end up all over the damn place: synced to iCloud accounts, synced to personal iCloud accounts and personal Macs with no security, left in download folders that are readable to any process run as the user on their computer, printed out on actual paper... basically the reason I'm using 1Password is to keep passwords from being strewn all over the place in text files, spreadsheets, Evernote, sticky notes, etc, and having these Emergency Kit PDFs downloadable by the user isn't something I want.
So now I'm thinking of just making a policy for my users: Don't ever download emergency kit PDFs, save them, or print them out, and never put your account key anywhere other than inside your 1Password personal vault itself. If you lose access to it, come see me. I'd be relying on them to follow this policy, which of course some wouldn't.
How do y'all deal with this? What are your suggestions?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Teams
Comments
-
Hi @dtemp_jg,
That's a good question. I love that you're thinking through all of this. You're right that it all boils down to policy. Here's what I would recommend:
- Make sure that you have more than 1 member in your recovery group. "Who recovers the recoverers?" is a real consideration.
- Have users choose a really strong Master Password
- Tell them not to worry about saving the Emergency Kit
- Tell them that to add a device, they should use an authorized device to provide the new device with the account details (typically via the QR code)
- Should a user find themselves signed out of their last device, you'll probably need to put them through Recovery
There's really no value in you saving the account details yourself. Use the recovery facility when needed.
Does that make sense?
Rick
0 -
Yes that makes sense Rick. I think I'll adjust your language in #3 from "not to worry" to "must not;" consider it a feature request in the admin settings to disable the PDF download button (even if they have access to their account keys, lets not make it stupid easy for them to plaster the key all over).
I'd like to confirm that using Recovery also recovers the contents of the user's Personal vault?
Finally, another feature request: add the Recovery group so that it is visible inside the Groups tab in the admin console. That I can only access the group by clicking on it within a group member's page seems like an oversight.
0 -
@dtemp_jg : yes recovery will recover the contents of the Personal vault.
I agree that it seems like an oversight that Recovery isn't available from the Groups page. I'll look into it and file a bug if needed. Thanks for mentioning it.
Rick
0