Security of Family Accounts
Hi,
I'm considering signing up for a Families account but am concerned about the security of the Account Recovery feature. It seems like account recovery is a feature that's often successfully exploited across web accounts and apps to gain unauthorized control, and I want to understand any vulnerabilities however remote with its implementation in 1Password Families.
My reading of the recovery procedure for an account is that when it's initiated an email is sent to the owner of the account to initiate the recovery. I assume that the email can only go to the email address of record for the account, and that the organizer can't change the email address of record for an account, otherwise the organizer could take over an account, right? It seems that if someone intercepted that email or took over the email account then they could take over the 1Password account, right?
It seems that to implement the account recovery feature each Master Password must be stored somewhere, while with an individual account they're not. If so then that seems like an inherently less secure design than an individual account which never stores the Master Password anywhere. Where are Master Passwords stored? How is access to them controlled? Might this allow 1Password (or a crazy employee) unauthorized access an account?
I understand that the benefit of account recovery and other Family account features is significant and may well be worth a minor reduction in security. I'm not criticizing any design decisions, I just want to understand the trade-offs that have been made.
Thanks,
Mike
1Password Version: 7.2.581
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: 1Password cloud
Comments
-
My reading of the recovery procedure for an account is that when it's initiated an email is sent to the owner of the account to initiate the recovery. I assume that the email can only go to the email address of record for the account, and that the organizer can't change the email address of record for an account, otherwise the organizer could take over an account, right? It seems that if someone intercepted that email or took over the email account then they could take over the 1Password account, right?
@MikeA01730: That's all correct.
It seems that to implement the account recovery feature each Master Password must be stored somewhere, while with an individual account they're not. If so then that seems like an inherently less secure design than an individual account which never stores the Master Password anywhere. Where are Master Passwords stored? How is access to them controlled? Might this allow 1Password (or a crazy employee) unauthorized access an account?
That's all incorrect. The Master Password is never stored. The Master Password and Secret Key are never even transmitted to us. They are used to generate a cryptographic secret on the local device which can then be verified by the server so that the server never needs to actually know the account credentials. Individual accounts, families, and teams all have exactly this same security. The way sharing works is that the equivalent of "public keys" are exchanged between family/team members during account creation, to facilitate decrypting any shared data later on. Individual accounts still have all of this, but since there is no one to exchange the keys with, there is no way to share (except with oneself...) I'd encourage you to check out the security white paper, as it goes into a lot of details about the (many) keys and how they interact:
I understand that the benefit of account recovery and other Family account features is significant and may well be worth a minor reduction in security. I'm not criticizing any design decisions, I just want to understand the trade-offs that have been made.
The risk you need to be aware of is that email is not a secure channel. So we always recommend initiating recovery requests "in person". Otherwise someone malicious could trick you into putting someone's account into recovery mode, and potentially intercept the email to do it themselves. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Brenty,
Thanks for taking the time to put together a detailed and complete response.
Regards,
Mike0 -
Hey, thanks for asking, and for reading it! Here if you need anything else. :chuffed:
0 -
Brenty,
One other related question. If there are multiple people each with their own individual 1Password accounts can they be merged into a single Families account? If so how is that done?
Also, same question the other way. Can a Families account be split into multiple individual accounts? If that can be done then what options would be available re the disposition of each Shared Vault?
Thanks,
Mike0 -
It isn't possible to merge or split accounts. Anything like that would need to be done by the customer(s) manually.
Ben
0 -
Ben,
By manually do you mean moving items between accounts as described at https://support.1password.com/move-copy-items/? I'd login to a family account and an individual account at the same time and move items between the two as needed. Shouldn't that let me accomplish what I want? Are there any problems or limitations I should be aware of?
Thanks,
Mike0 -
@MikeA01730: Exactly. It's easiest to do in the desktop apps, but all that is needed is to be signed into both accounts and then move the items from one to another. If the person has multiple vaults, creating those in the new account first will make it easy -- just a matter of copying data from Personal* vault in individual account to Private* vault in family account, and so on with any others. :)
*These serve the same function; we just didn't think it made sense to name the vault in an individual account "Private" since everything is there. ;)
0