It's my understanding that 1P/Families admins can break into shared vaults even when there is no intention to share the contents of said vaults with the admin. In other words, other 1P/Families users must trust the account admins to respect the privacy of information stored in such shared vaults.
Can Travel Mode be used to provide other users of 1P/Families accounts with an additional level of protection when an admin is traveling? Stated differently, are there admin rights that can and should be disabled when a 1P/Families admin activates Travel Mode?
1Password Version: Families
@benfdc: that's an interesting question. That's certainly something that we're going to need to think about.
My gut says that it would only make sense if you took away the ability to turn off Travel Mode and require that another Admin/Family Organizer turn it off for you. Otherwise you're just hiding it behind a couple clicks. But then in a Family setting it's very likely that all family members would be traveling together and that would cause problems.
Currently Travel Mode is about limiting what's available in the apps and not about limiting the administration of the account. We'll have to think through a lot of things before we can start applying rules to the administration of the account based on Travel Mode.
On further reflection, this may not be the best solution to the problem.
It used to be—and may still be—that Windows users were advised to create a standard user account in addition to their machine's admin account, and to log into the admin account only when performing administrative tasks. The reasoning was that, on account of security considerations, it is unwise to do everyday work in an account with admin privileges. Some made the same recommendation for Mac users, on the ground that while the additional risk of working in an OS X admin account was lower than in the Windows world, it was still present.
Perhaps similar considerations apply to 1P/Families accounts that have admin privileges. Any thoughts on this?
Hrmmm... it'd certainly be possible to do that with 1Password Families, but I wonder if the limitations of the non-admin account would become annoying. The limitations there are based on the idea that the user is a dependent. For example our recommendation for a typical relationship with two adults would be to have both accounts be admins. If you aren't using the admin account much you'd want to make sure to keep its Secret Key and Master Password somewhere secure to make sure they aren't forgotten. Admin/Family Organizer status is more than just a flag on the account as those accounts actually have access to encryption keys that other accounts don't have and losing access to the admin account would be pretty bad.
If someone was to try that approach we'd love to hear about it. I don't think anyone inside of AgileBits has tried this yet.
This goes back to my grappling with the underlying rationale for Travel Mode: the premise is that there are things one might not want to travel with, but why exactly? Given that stuff in your 1Password vaults is only at risk if someone else can gain access to the app while it is unlocked, one threat we are addressing (indeed the principal threat to my way of thinking) is someone else being able to access the traveler's unlocked 1Password app. One thing I'm not clear on is whether 1P/Fam admin functions are accessible through the app or only by logging in to 1Password.com. If the latter, then admin features may be neither more nor less at risk than are the contents of non-traveling vaults: it mostly turns on whether you elect to store your 1P.com login credentials in a vault that you travel with.
I note that 1Password Teams supports 2FA for admin accounts, which reflects recognition that they may warrant greater protection. I don't know whether 2FA would be relevant here; I'm just raising the question whether the threat which Travel Mode is designed to address also implicates the safety of the data of non-traveling 1P/Families users and fishing for ideas on how this could be addressed.
I'm often better at raising good questions than I am at coming up with good answers!
At a minimum, this is a documentation issue. IMO it should be made very clear to all 1Password.com users that Travel Mode does not fully protect data removed from a device if the 1Password.com login is kept in a vault that stays on the device. In the context of that discussion, 1P/Families documentation should also flag the risks to the data of other family members when a 1P/Fam admin hits the road.
I'm going to toss in another thought. It strikes me as quite feasible to allow 1P/Fam admins to set up a distinct 1Password.com login password to access admin functions. If the admin elects to use this feature, an admin account would be indistinguishable from a non-admin account when the user logs in with the primary password. Basically, an attacker would have no way to determine that the accountholder is a 1P/Fam admin (unless of course the admin password was stored in a vault on the user's device).
This idea is inspired by, and would work the same way as, the option in TrueCrypt to create a second password that gives access to hidden features (in the case of that product, a second, hidden volume). It really has nothing to do with Travel Mode (other than the fact that it's a variation of another idea of mine that I have floated elsewhere, for an optional Travel Mode Management password).
I will try to address some of the points you raised in order of appearance. Let's see if I can clarify the situation a little bit :)
You might or might not have heard about some things happening at the border of some countries, in which travelers were asked to unlock their devices and allow agents to access their data. The idea behind Travel Mode is to reduce the potential attack surface: the less information you have on your device, the less information you might be forced to give away.
Of course, the feature is optional. If you don't need it, if you don't travel, or if you don't ever find yourself in situations in which you could be asked to unlock your device, you can continue using 1Password as normal without ever enabling it.
Yep, and this is one of the points of Travel Mode. If your 1Password.com credentials are inside a vault that is not marked as safe for travel, those credentials won't be available on the device. In addition to this, most of the admin features are available on the Web interface and not inside the app (enabling and disabling Travel Mode can only be done from the Web interface for the same reason, by the way).
2FA is a completely different topic, and doesn't come into the picture when we are dealing with Travel Mode.
As Rick mentioned, Travel Mode was introduced to limit the amount of information available on your personal device rather than to limit admin functionality, but we can certainly brainstorm how we could improve the feature to expand to this too.
Correct, but that's the point of Travel Mode, right? If something remains on the device, in a different vault perhaps, then it means that you have marked that vault as safe for travel. If you don't want that item to still be available in the app, you should move it to a vault that is marked as not safe for travel.
This is an interesting thought, thanks for sharing it. I think it might be worth thinking about this and seeing if it would make sense to implement something like this.
U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.
Which is a great argument for using Travel Mode when crossing the U.S. border. :)
Which is why I posted it here!
Thank you for sharing @benfdc :+1: