Security for Terminated Employee (or Lost Device) Scenario

We are considering the use of 1Password for Business, and are trying to understand how to address the following scenario/concern relative to a terminated employee (can also apply to a lost device scenario). I have been using the personal and family editions for many years, so some of this is assuming that the Business edition works similar to those.

User has devices (work laptop with desktop app, personal mobile device with mobile app) that the user has been assigned or is using. The user of those devices has access to a shared vault of critical passwords which are rotated regularly (every 90 days let's say). The user has their personal and shared vaults sync'd to the device(s), so they have a local copy of the vault on the device. They also have their valid master password that allows them access to vaults.

Questions:
1) We now terminate the user's access (either terminating the employee, their device is lost/stolen so we disable, etc.) The first question is what happens with vault access when the user access is terminated (e.g. does the 1Password service push out a message disabling the user's access on the devices; or every time the user tries to access a 1Password for Business vault then the app on the device checks in with the server to see if the user should still have access; or some other alternative scenario I am not clear on)?

2) The next question is what if the device (laptop or phone) does not have network access? For example, take the following sequence of events:

  • user has 1Password installed on device (laptop or phone)
  • 1Password has been sync'd and has up to date copies of vaults (both personal and shared) on device
  • employee is terminated but before the account access is removed they turn off network access on the device
  • the terminated employee now has the device with a local copy of the vaults and knows the master password

Can they can access the local copy of the vaults until the device is reconnected to a network? If not, why?

Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @sunsailaway

    Great questions; thanks for asking.

    The first question is what happens with vault access when the user access is terminated (e.g. does the 1Password service push out a message disabling the user's access on the devices; or every time the user tries to access a 1Password for Business vault then the app on the device checks in with the server to see if the user should still have access; or some other alternative scenario I am not clear on)?

    The next time the user launches the 1Password app while connected to the internet the vaults will be removed from their device.

    The next question is what if the device (laptop or phone) does not have network access? For example, take the following sequence of events:

    • user has 1Password installed on device (laptop or phone)
    • 1Password has been sync'd and has up to date copies of vaults (both personal and shared) on device
    • employee is terminated but before the account access is removed they turn off network access on the device
    • the terminated employee now has the device with a local copy of the vaults and knows the master password
    • Can they can access the local copy of the vaults until the device is reconnected to a network? If not, why?

    Yes, they can. Even if they didn't take these steps, or e.g. the device is company owned and is collected at termination, it is possible that after their termination they know some or all of the secrets that were shared with them. The only way to truly revoke a secret (short of lobotomy) is to change it. I would suggest that if you feel this is a concern the passwords to critical systems should be changed upon the termination of anyone who had access to them, after revoking that person's access to 1Password.

    I hope that helps!

    Ben

This discussion has been closed.