Sharing credentials with other team members
I'm looking at password managers for teams and 1Password has a really good reputation but the sharing seems kind of... messed up basically so I'd like to be sure if I understand right.
It appears to only let you share at vault level so if you've got a single cred that needs sharing with a single person outside your own team and you need another vault with that single cred in it.
Have I missed something as that seems backward?
I don't want 50 vaults just because I might have 1 cred that needs sharing with 2 random team members and another cred that needs sharing with 2 other random team members and so on....
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @musicwallaby! Welcome to the forum :chuffed:
Correct; sharing in 1Password is done at the vault level. This reduces the workload for account administrators in the long run, as you don't have to worry about managing permissions on an item-by-item basis (that kind of management does not scale well!). When thinking about the structure and organisation of your data, we suggest thinking along the lines of purpose and access level instead of organisational structure - this will help when thinking about what way to set up your vaults, and split your information between them. For example, if you need to share one or two items with a limited number of people because you and they are involved in a special project together, then consider creating a vault for the use of that project team, and store project-related items there. We have a blog post which touches on some of the theory of vault structure which you might find helpful here: https://blog.agilebits.com/2017/04/19/get-to-know-1password-teams-vaults-and-sharing/
Additionally, we do have a beta feature available to Teams Standard and Teams Pro customers, which allows you to send a copy of an item to another member or members. This is useful when you need to share a limited amount of information with a small audience; for example, providing a new hire their initial login details. Beta features can be enabled for an account by any account owner (in the web interface for the account, click "Settings" in the sidebar, and then click the "Beta" tab). The "Send a copy..." feature can then be found in the share menu for any item in the web interface (requires the appropriate permissions on the vault that contains the original item); click the Share button, choose "Send a copy...", select the member or members you want to send a copy of the item to, and click "Done". The members will receive a copy of the original item in their "Private" vaults.
I hope that helps! :+1:
0 -
Thanks John it isn't the answer I was hoping for but if that's what it is that's what it is.
I'm reading up on teams and will most likely do a trial as it does have some really cool stuff in it like the TOTP generator.
I'm still surprised there don't appear to be more "enterprise" options around things like backup/export of the whole "account" as I'm sure many organisations have backup processes where they require this but it looks like it's possible to export @ vault level.
0 -
@musicwallaby: I hear you. We'd like it to be easier too, and it's something we'll continue to work on. Sharing is easy, but secure sharing is much harder, as keys need to be exchanged for both parties to be able to decrypt the data without allowing anyone else to. Admittedly, we've sort of dug ourselves a ditch here by making 1Password not shove this complexity in the user's face, so it appears like it should be trivial to do this. We'll see what we can come up with.
Regarding account backup, that's a pretty big can of worms. Certainly that would be useful to some, but we also have to consider that this could be a regulatory and/or security concern for many companies. So it isn't something we'll do without listening to more feedback and coming up with something that benefits those that can use it without putting others in an awkward position. Thank you for sharing your thoughts, and if you have any more we're all ears! :)
0 -
@brenty thank you :) Do you have any security papers other than the "master" white paper on your security model please?
Also not sure I get your point re backups? What industry would not want to be able to know they safely have an export/backup of their data?
0 -
@musicwallaby: I'm not sure I'd call it an "industry" thing, but in many cases where and how data is stored must meet very specific criteria. For example, 1Password.com is HIPAA compliant, but Bob's USB drive or whatever probably isn't. Backups are done automatically, versioned, hosted, and stored redundantly on the server itself, so all of this is self-contained and meets the same compliance standards. Export is available in the native desktop apps, if that helps.
The white paper is the big one, and covers pretty much everything, but our support site and blog have some great articles on our security model and philosophy as well. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
I also would like to add voice to this issue. As a 1Password user for over 3 years, this is single handedly the most problematic issue I am facing since rolling out 1password on a company level. We have client vaults with 20 items in it that include API Keys, Access credentials to resources that are used for each client and that are used by the Client Support team. I have a new hire and I do not want to give them access to ALL 10 items. Perhaps they may need access to only 3 things. But at the same time, making another vault or sharing a copy with them also makes no sense as I would like the person to receive updates to the item. If I share a copy, than once a password is updated in the client vault for all team members, I need to remember to update it in a copy that I have shared with the new hire or inside a vault I have created with a new person.
I think item level access would be much more pragmatic and I respectfully disagree with "it does not scale well" argument as I am jet to see a pragmatic example of such scaling issue. Thanks for great product, otherwise.0 -
@Kirill_K2M: If you look at the security design (white paper) you'll note that secure sharing works because vaults are containers whose keys can be shared within the team (family, business, etc.) Secure sharing on a per-item level could theoretically work the same (and use a completely new vault for each item) but be abstracted from the user in the UI. However, that's a lot more crypto going on behind the scenes, both to set all of this up and also maintain it by encrypting data with brand new keys each time someone wants to share a different item. And even then, how does the user access those? Vaults make it easy to find stuff. I'm not sure how it could be usable if there's just a big mess of individually shared items. Certainly it may be possible to find an elegant solution. But that's what I mean about scalability: both under the hood and user-facing.
0 -
Thanks @brenty that makes total sense.
0 -
@Kirill_K2M: Nevertheless, it's not ideal. We'd love to be able to offer something like what you're looking for. But we want to make sure that if and when we do, it's both secure and usable. Hopefully someday we'll be able to make that a reality. Thanks so much for your passion and feedback on this! :)
0 -
Hi Brenty,
We are looking to transition from Lastpass and we like the ability to share a password without revealing the password. Is that what you mean by 'secure share'? and is that not possible with 1password?
0 -
It is possible to not grant someone the “reveal” permission on a vault, however it is very important to note that this is strictly security through obscurity and that a technically inclined user will be able to obtain the password (regardless of what password management solution you use) by pulling it out of the web form that it is filled into in their web browser.
Ben
0