Options to recover account of incapacitated individual in Family mode?

DavidAnson
DavidAnson
Community Member

I have read https://support.1password.com/recovery/ and skimmed the PDF. It seems to me that recovering the account of a family member requires sending an email to their account and having them create a new master password. That is fine if they are able to receive and respond to email, but a significant concern is if they are incapacitated for some reason. How does one recover a spouse’s information if they are unable to respond to email?

One idea is to get a copy of their secret key/master password ahead of time, but that compromises the spouse’s privacy as that info could be used covertly. Another idea is to store all info in shared vaults and toggle permission, but this suffers from the same problem. A recovery mode that informs the recovered party if/when used seems the best compromise. Is something like this available?

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Zaka7
    Zaka7
    Community Member

    My personal situation is I have a family account and 2 family organisers (including me)

    I have a recovery vault set up which contains the email log in details of both organisers. Gmail will automatically alert you to new sign in of your account so this is the alert mechanism you mention above covered, as you could then take action.

    Recovery could then be started and completed using this information and wallah.

    I guess you do need an element of trust which is what is assumed in the family account, if you do not have this then perhaps a teams account would be better? It costs a little more, but has different recovery mechanisms and permissions I believe.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Greetings @DavidAnson,

    We don't yet have something for this scenario but it is something that I know concerns several members of 1Password, especially those who focus on security. Whatever we do it has to protect the individual against potential misuse which is delicate and tricky.

    All I can think to suggest for the moment is if a person has a will they could leave a hard copy of an emergency kit PDF or similar. That way it should not be easy to access unless the situation calls for it. It isn't ideal and I can only hope we can design an elegant and secure system for these scenarios.

  • DavidAnson
    DavidAnson
    Community Member

    I think there is an easy way you can address our concerns with a tiny change to the current system: allow people to configure multiple recovery email addresses.

    Spouses could then cross-list their own and each other’s email addresses as recovery emails. If one of them becomes incapacitated, the other can initiate recovery and will receive the recovery email at their own address where they can act on it. If one tries to abuse the recovery process to snoop, the recovery email to the target address will alert them of the attempt. The addition of a (maybe configurable) delay here would ensure the target has time to detect and reject the snooping attempt.

    Would you be open to a change like this?

    PS - Zaka’s suggestion is one I considered, and is better than a will which has relatively little security.

  • @DavidAnson

    It may be possible to set up a rule in your email to automatically forward a copy of any recovery emails to another address, essentially achieving the same outcome. Considering the possible implications of explicitly supporting such a thing within 1Password itself I imagine our security team would need to take a hard look at any solution we might include from our end.

    Ben

  • DavidAnson
    DavidAnson
    Community Member
    edited August 2019

    You already trust the user to provide a single recovery email address. That could be any address they want, maybe A or maybe B. Doesn’t matter, you’ll allow either. Allowing that same user to provide two email addresses at the same time (here, A and B ) does not seem to significantly alter the threat model. The user is still expected to provide email addresses they trust, and should still be expected to verify each of them when setting things up. As you point out above, the user may already be setting up an auto-forward rule, so this is (indirectly) something people may be doing today. But making this change to the product allows you to support it formally and makes it more accessible to less sophisticated customers, many of whom seem to already be looking to enable the scenario.

  • Thanks for taking the time to share your thoughts. :) Something for our security team to consider.

    Ben

This discussion has been closed.