Migrating family license to families subscription questions

warpspeed
Community Member

I'm considering moving over from a families license to families subscription. I have a few functionality queries.

  1. I read that in the subscription model that users can have a "private" vault that isn't accessible to anyone but themselves. Is it possible to not use this? and to make sure that new items are always created in a shared vault?
  2. I use multiple vaults for separating my personal and work and other items. Is it possible to have multiple private personal vaults that aren't accessible by others in the family group?
  3. What happens if the account isn't paid? What happens to the data, does it just become read only? or does it become inaccessible? are logins blocked?
  4. What happens if the family organiser passes away? can this be transferred to another person?
  5. What happens if 1Password servers are not reachable? is all data cached locally? how long can 1Password operate without connecting to the 1password servers or data?
  6. What happens if there is a sync conflict or two people try to update the same entry at once?


Comments

  • Ben

    Hi @warpspeed

    I’d be happy to help answer these questions for you.

    I read that in the subscription model that users can have a "private" vault that isn't accessible to anyone but themselves. Is it possible to not use this? and to make sure that new items are always created in a shared vault?

    It is. In 1Password > Preferences > All Vaults you can uncheck the Private vault and then set the Vault for Saving to a more appropriate option.

    I use multiple vaults for separating my personal and work and other items. Is it possible to have multiple private personal vaults that aren't accessible by others in the family group?

    There seems to be some misunderstanding on this concept. While there can only be one “Private” vault per person, shared vaults are only accessible to the people who the family organizer or vault creator grants access. The difficulty comes in if you have family organizers that you don’t trust to not give themselves access to your non-Private vaults. That is something that remains unsolved from a technological perspective.

    What happens if the account isn't paid? What happens to the data, does it just become read only? or does it become inaccessible? are logins blocked?

    You can read about that here:

    If your 1Password account is frozen

    What happens if the family organiser passes away? can this be transferred to another person?

    No. But you can have multiple family organizers, or the family organizer can leave a filled-in copy of their Emergency Kit in a safe spot like a safety deposit box or with their attorney.

    What happens if 1Password servers are not reachable? is all data cached locally? how long can 1Password operate without connecting to the 1password servers or data?

    The data is cached and there is no timeout at present. I.e. It won’t intentionally stop allowing you to access that cached data after a period of time. Will it still actually be practical to access that data if you haven’t connected to 1Password.com or updated 1Password in 10 years (i.e. doomsday scenario)... probably not. If that were to be the case you’d likely want to export your data instead of working from the cache.

    What happens if there is a sync conflict or two people try to update the same entry at once?

    In most cases this will happen exactly as you’d hope it would: the changes will be merged and the resulting item will appear the same as if the edits were made at different points in time. The tricky bit is if both users edit the same field at the same time. In this case a ‘conflicts’ section will be added to the item with the conflicting information.

    Ben
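The merge behaviour described in the reply above, as an added example that is not part of the original post and not 1Password's code: a field-level three-way merge where edits to different fields combine and edits to the same field produce a `conflicts` section. The function name, the item layout, the sample values and the choice to keep the first editor's value are assumptions for illustration.

```python
def merge_item(base, mine, theirs):
    """Three-way merge of an item's fields against the last synced copy.

    base   -- fields as of the last sync both editors started from
    mine   -- fields after the first editor's change
    theirs -- fields after the second editor's change
    """
    merged, conflicts = {}, {}
    for field in sorted(set(base) | set(mine) | set(theirs)):
        b, m, t = base.get(field), mine.get(field), theirs.get(field)
        if m == t:        # both sides agree (or neither touched the field)
            value = m
        elif m == b:      # only the second editor changed it
            value = t
        elif t == b:      # only the first editor changed it
            value = m
        else:             # both changed the same field to different values
            value = m     # assumption: keep the first edit, record the other
            conflicts[field] = t
        if value is not None:   # None means the field was deleted
            merged[field] = value
    if conflicts:
        merged["conflicts"] = conflicts
    return merged


# Constructed sample item, not real data.
BASE = {"username": "alice", "password": "old-pw", "url": "https://example.com"}

# Edits to different fields merge cleanly.
CLEAN = merge_item(BASE,
                   {**BASE, "password": "new-pw"},
                   {**BASE, "url": "https://example.com/login"})

# Edits to the same field are kept side by side in a conflicts section.
CLASH = merge_item(BASE,
                   {**BASE, "password": "pw-from-A"},
                   {**BASE, "password": "pw-from-B"})

if __name__ == "__main__":
    print(CLEAN)
    print(CLASH)
```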

  • warpspeed
    Community Member

    Thanks for the answers @Ben - I have a few more that I hope you're able to answer.

    How does the security work in relation to my.1password.com ?

    i.e. with the secret key and master password ?

    This, to me, (along with a keyboard logger/malware on a machine) seems like one of the weakest links.. i.e. a candidate for phishing the secure details from a user.

    my.1password.com seems like a prime target for a phishing attack.

    In relation to that, what mechanisms are in place to make users aware if questionable actions are taking place?

    For example are there email and/or push notifications to the mobile apps for authorisation and/or notification of new users or new devices attempting to login?

    i.e. say for example someone gets their secret key and master password phished. Will they know?

    Is there a process to re-enroll data using a new secret key if it gets compromised? (master password aside)

  • AGAlumB
    1Password Alumni
    edited June 2018

    Thanks for the answers @Ben - I have a few more that I hope you're able to answer.

    @warpspeed: I'm not Ben, but we have some things in common and I should be able to help with this. ;)

    How does the security work in relation to my.1password.com ? i.e. with the secret key and master password ?

    I know this isn't quite what you're asking here, but I think it's worth mentioning that both the Secret Key and Master Password are used to encrypt your data, so both will also be needed to decrypt it. And neither is ever transmitted to us; all of the crypto happens locally on your device. That way the server only ever receives an encrypted blob, and if someone were to steal that from us they wouldn't have the "keys" to decrypt it; only you do.

    This, to me, (along with a keyboard logger/malware on a machine) seems like one of the weakest links.. i.e. a candidate for phishing the secure details from a user. my.1password.com seems like a prime target for a phishing attack.

    Certainly people may try to trick you into signing into a fake "1password" site, but there are things you can do to protect yourself. You should always verify that you're actually at 1Password.com, that you have a secure connection to it, and that the security certificate is valid. We don't ever recommend entering your Master Password somewhere other than 1Password. And, better yet, you can use the native 1Password app on your device, which is also digitally signed by us. But you should never use a compromised machine. Neither 1Password nor anything else can protect you if you're accessing sensitive information on a device that is under someone else's control.

    In relation to that, what mechanisms are in place to make users aware if questionable actions are taking place? For example are there email and/or push notifications to the mobile apps for authorisation and/or notification of new users or new devices attempting to login? i.e. say for example someone gets their secret key and master password phished. Will they know?

    When a new device/browser is authorized by signing into your account, you'll receive an email notification with the approximate location and date/time. For example, "New 1Password sign-in from Chrome".

    Is there a process to re-enroll data using a new secret key if it gets compromised? (master password aside)

    Not quite what you're envisioning, but you can change your Master Password or generate a new Secret Key at any time from your account's Profile page:

    https://start.1password.com/profile

    I hope this helps. Be sure to let me know if you have any other questions! :)
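A simplified sketch of the point made in the reply above, that the Master Password and the Secret Key both feed a key derived locally, so neither alone reproduces it. This is an added example, not 1Password's code and not its actual key-derivation scheme; the function names, the XOR combination, the salt, the iteration count and the sample secrets are assumptions for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA256, used for the high-entropy secret."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password, secret_key, salt, iterations=100_000):
    """Derive one 32-byte key on the device from both secrets."""
    # Slow, salted hash for the human-chosen password.
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  salt, iterations, dklen=32)
    # Fast expansion for the random, device-stored secret.
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"constructed-example")
    # Combine: changing either input changes every byte's derivation.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


# Constructed sample values, not a real account.
SALT = b"constructed-salt-16b"
PASSWORD = "correct horse battery staple"
SECRET_KEY = "EXAMPLE-SECRET-KEY-CONSTRUCTED"


def demo():
    """Show that a guess needs both secrets to reach the same key."""
    real = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)
    return {
        "both_correct": derive_unlock_key(PASSWORD, SECRET_KEY, SALT) == real,
        "password_only": derive_unlock_key(PASSWORD, "guess", SALT) == real,
        "secret_key_only": derive_unlock_key("guess", SECRET_KEY, SALT) == real,
    }


if __name__ == "__main__":
    print(demo())
```

Only ciphertext produced under such a key would leave the device, which is why a stolen server-side blob cannot be attacked by guessing the password alone.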

  • warpspeed
    Community Member

    Thanks @brenty

    In regards to phishing and my.1password.com, it's not so much myself that I'm concerned with as my less technical family members. I work in the Internet industry so am fairly conscious and aware of such things.

    Is it possible to disable vault access via my.1password.com (i.e. so that it's only available via an App, and online is only 'profile' management)? If this isn't a feature, it might be a good one for the feature list.

  • AGAlumB
    1Password Alumni

    In regards to phishing and my.1password.com, it's not so much myself that I'm concerned with as my less technical family members. I work in the Internet industry so am fairly conscious and aware of such things.

    @warpspeed: That makes sense. But that's less of a 1Password issue than it is an issue with phishing in general.

    Is it possible to disable vault access via my.1password.com (i.e. so that it's only available via an App, and online is only 'profile' management)? If this isn't a feature, it might be a good one for the feature list.

    It isn't possible currently to disable access via the 1Password.com website, but it's something we can consider for the future. In the meantime, I think you'd have good results by getting them to set up the 1Password apps on their devices. Once they see how easy it is to do that, and to use 1Password natively, they're unlikely to want to bother with the website. The website is fairly limited since you can't scan a QR code to fill account credentials, or use something like Touch ID to unlock. So, just due to usability I'd be surprised if any of your family members would be willing to even try entering their account credentials manually. You raise some good points though. Just something to consider.

  • warpspeed
    Community Member

    Thanks for the responses @brenty

    I think an option to disable vault access online would be a good one.

    Also, push notifications to iOS/Android Apps for new logins online and via apps, etc.

  • AGAlumB
    1Password Alumni

    @warpspeed: I think both of those would be nice additions. We'll see what we can do. :)

This discussion has been closed.