What happens if a users access is revoked but offline access to a vault is active?

biasivo
biasivo
Community Member

Hi @all,

we're in the evaluation process for a password management solution for team of it-supporters (30Users). Looking at 1Password Business, I'm not sure how the offline access works in detail.

I.e. if a user has offline access to a shared vault on his desktop and his access is revoked by an admin, when will his access be locked, if his client never connects to the servers after the revoke procedure?

Is there a timeout that locks every access after a certain period of time a client hasn't connected to the servers?

Thanks in advance!
Vince


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:offline access

Comments

  • Lars
    Lars
    1Password Alumni
    edited August 2018

    Welcome to the forum, @biasivo! With any 1password.com account (not just 1Password Business), users have a local cache of their data. This is so people can continue to access their data during times when they don't have an internet connection. If you revoke someone's access to a given vault or even delete them entirely as a member of your team, the next time their copy of 1Password connects to the 1password.com servers, their local 1Password app will reflect these changes.

    If the user intentionally disables their internet connection before opening 1Password then they could theoretically continue to view/use their data indefinitely. This isn't something we can really change unless we went with an "online-only" model where all users had no data at all unless they had an active internet connection. In short, it would likely cause more problems for considerably more users than it would solve for others. We elected to do it this way partly for that reason (fewer issues for fewer users) but also on the notion that once you've shared a given set of passwords, Login items, etc with a given user...they're shared. The type of problem that might be possible from a "disgruntled" ex-employee a) knowing that access would be revoked at next sync and b) intentionally keeping him/herself offline to be able to continue using data isn't any different than that same employee making copies of the data before losing access. In either case, the solution is to change any passwords the user had access to. 1Password Business can help somewhat in this regard, allowing Admins and Owners to run reports showing what items a user has recently used...but to be as safe as possible, it's recommended to change the passwords for any data a departed user had access to.

  • biasivo
    biasivo
    Community Member

    Thank you @Lars! I was hoping for a way to set some sort of expiration date for offline caches so that we could choose to force a user to be online within a short time (e.g. 2 days or so).

    I understand that this would of course limit the offline funcionality and also it would not help us with (ex-)employees copying passwords before the access is revoked. The latter would at least be logged in the Audit/Log, wouldn‘t it?

    We have to deal with a couple of regulations that demand we make sure no ex-employee still has access to customers systems.

    Changing every single password is what we‘re doing today and we‘d love to find a smarter solution :-)

  • I understand that this would of course limit the offline funcionality and also it would not help us with (ex-)employees copying passwords before the access is revoked.

    It also seemingly wouldn't help in the two days (using your example) after they've separated from the company.

    Changing every single password is what we‘re doing today and we‘d love to find a smarter solution

    That likely is the smartest although admittedly time intensive solution. There is really no way to remove information from someone's head. Once they've had access to that information the only way to be sure of compliance is if that information is made no longer applicable.

    Ben

This discussion has been closed.