Too much power in the hands of a family manager

mauh
Community Member

Hey everyone,

I recently converted from Lastpass over here and found that the concept of the family manager is very different than in the red world. In the 1PW universe, it seems that the Family Manager is the dictator that can easily take away the digital identity, and family members, I believe, are not even aware of the amount of power that they give to the Family Manager.

I strongly believe that it should not be so easy for the Family Manager to delete Member accounts and individual Vaults (they are not property of the family manager, but the individual). Instead, they should just become independent accounts upon the removal from the family (of course with their own billing).

I say this as the Family Manager.



Comments

  • ag_ana
    1Password Alumni

    Hi @mauh! Welcome to the forum!

    Thank you for the feedback!

    > Instead, they should just become independent accounts upon the removal from the family (of course with their own billing).

    This is an interesting suggestion. I am not sure how feasible this is technically, and also what it would look like from the family member's perspective (what if they don't want to subscribe?), but I can understand how the idea would be useful :+1:

  • mauh
    Community Member

    Some critical questions:
    Does the family member know that the family manager has the power to delete your account at any time?
    Should the family member be able to delete the complete individual vault of any person at any time, which is basically the keybox to your whole digital identity? If I recall correctly there is no way for the individual to restore their data.

  • mauh
    Community Member

    My suggestion is to give people whose account was deleted a 1-month trial and let them decide themselves, or at the very least back up their things.

  • ag_ana
    1Password Alumni

    @mauh:

    If you have reason to believe that a family organizer might be malicious and delete your account without warning, we recommend using your own separate Individual account, so you are the only one who can manage it. The idea behind a Families account is that there should be a layer of trust among family members. I understand that might not always be the case, but if that's a risk in your case, using separate accounts is probably going to be the best choice.

  • BBBB
    Community Member

    I would agree with @mauh. Currently 1P doesn't trust the family organizer to have other users' credentials or access to their private vaults. This is how it should be, they are organizers not root level admins.
    So if individual family members' privacy is as important as 1P seems to imply via these policies, then shouldn't their private vaults' security to exist fall into the same category?

    All family members should be assured that their private vaults are theirs, with both the contents and existence secure. Domestic abuse and violence is a real thing. Don't let 1P be used as a potential tool against others.

  • @BBBB

    > Domestic abuse and violence is a real thing. Don't let 1P be used as a potential tool against others.

    This is something we're aware of and have made some recent changes with this in mind.

    > Currently 1P doesn't trust the family organizer to have other users' credentials or access to their private vaults. This is how it should be, they are organizers not root level admins.
    > So if individual family members' privacy is as important as 1P seems to imply via these policies, then shouldn't their private vaults' security to exist fall into the same category?

    I think the organizer, as the person paying for the account, ultimately needs to have the ability to stop paying for it. But perhaps in that case we could have some option where a member could take their Personal vault and spin it off into a new individual membership. Something for our product managers to think about. :+1: Thanks!

    Ben

  • mauh
    Community Member

    Thank you for the reply and the consideration by the product team. I understand that the customer should be able to stop paying for something he doesn't want to. As Family Manager (and also 1PW Business User) I get that. I would like you guys to also consider the needs of your Users (Family Members) and not just the Customers.

    There are quite a few issues with the current situation:

    Potential for Abuse, as pointed out by a poster above.

    Potential for Accidents, as written in another thread on this forum:
    https://discussions.agilebits.com/discussion/115348/what-can-i-do-with-my-deleted-account

    Potential for Breach, imagine a third party getting access to a Family Manager account. Ouch.

    In my opinion we are just waiting for a catastrophe to happen. As always in Cybersecurity, it is not about if - it is about when and how prepared the systems are. Although the error will be ultimately human, 1PW as of now is not doing enough from their end to mitigate.

  • ag_ana
    1Password Alumni

    Thank you for the feedback @mauh!

    > Potential for Breach, imagine a third party getting access to a Family Manager account. Ouch.

    I am curious about this though: isn't this an inherent risk for every manager account, in every service? For example, imagine that we made all the changes that you are suggesting, so that the family organizer cannot do anything anymore. Someone must be able to still delete the account or unsubscribe though, and that will certainly still be the family organizer (since they are the ones who created the account and subscribed in the first place, that permission should not be removed from them).

    So if a family organizer account gets compromised, the third party could always do damage by deleting the account altogether anyway, as an example. I would be interested to hear your thoughts on this, as to how what you are suggesting would protect against a third party accessing a family account. Did you have anything specific in mind?

  • mauh
    Community Member

    Absolutely. The issue is that first of all, 1Password is not just any service, it is ultimately an identity provider for the internet (and beyond).

    About Trust:
    You said earlier that there should be an inherent trust in the family manager, and I get that. I am arguing that I shouldn't have to trust a family manager to that extent in the first place. Why am I able to wipe out a family member's digital identity, just because I am the one that wields the credit card?

    My suggestion is what I have said from the start: protect individuals' accounts instead of putting this responsibility with a family manager. I know that they are not your customers, just users. But anyway?

    About Consent:
    I have asked my significant other if she actually knew about the power I wield, and (unsurprisingly) she doesn’t. To make this actionable, I would propose to introduce a consent screen where a Family Member is informed about what he can and cannot do to their account. I would say that there certainly are situations where it may be uncomfortable to give the father, husband, geeky brother (let’s be real - family managers are mostly men) this kind of power. This is easy to implement as well.

    About third party access: You're doing a great job, but I think we all know that there is no perfect system. Don’t make me an all-wielding admin. Restrict me and keep everyone safer.

    For Context: I am saying all this as a Family Manager, that also manages a Company Business account. Maybe unsurprisingly, the experiences are pretty much the same.

  • ag_ana
    1Password Alumni

    Thank you for the additional feedback @mauh, that's very useful! I wanted to understand your thoughts on third party access more, but I think I see what you mean. Restricting the power of a family organizer would not help you in that specific case (a family admin will always be able to delete the entire account), but we can certainly look at ways to limit its power when it comes to individual user accounts within the Families if we can :+1:

  • williakz
    Community Member

    @mauh makes some very good points, IMO.

    An account's FO should be able to effect immediate freezing of all account data but should only be allowed to initiate a REQUEST for deletion of all member data and account existence. Non-FO members would then be notified that deletion of all their private data has been requested and is pending. Should any, some, or all such members AGREE with and acknowledge the FO's deletion request, their private data would be deleted immediately as would their continued participation in the family account. Vaults shared between all or some members would require the approval of each of their members before deletion is performed, giving those members an opportunity to safeguard such data by moving it into their private vaults. Should any or some members DISAGREE with the FO's data/account deletion request, they would be given a time-limited option to open their own personal account at their own expense into which they could migrate their private data. Once the time limit expires, all vaults and data associated with the Family account would be deleted.

    This is only a general framework for protecting family members from precipitate action (intended or not) by one or more account FOs. I'm sure there are plenty of holes to be filled (and possibly some irreconcilable conflicts lurking in the details), but it's a start and is intended as food for thought.

  • Ben
    edited September 2020

    That's an interesting thought @williakz. I'm not in a position to make any promises about what future changes we might make within this regard, but personally I very much like the idea of giving family members the opportunity to spin their data off into their own individual membership when a Family Organizer deletes the family membership. I think there are perhaps some pitfalls when it comes to parent-child (minor) relationships... but maybe that's an implementation detail.

    Ben

  • rpaulson
    Community Member

    Hey everyone,

    I just finished reading the whole thread, and I agree with all aforementioned concerns. I'm currently testing a family membership and even though in this case I'm the one in control and other members have to trust me and even though in general I think I'm a trustworthy person, it's the only reason why a family membership is not really an option for me. I just don't want to have the power to delete other members' accounts. Of course, as I'm paying the bill, I should be able to close the account and also remove individuals from the team, but IMO this shouldn't affect their private vaults, they should have the option to create their individual 1Password account or at least – if that's not an option for them – be able to export/download their private vaults.

    But I have an additional question. The support pages clearly state that members will lose their private vaults and access to shared vaults. But what about their local vaults, the ones they can sync with their other devices via WiFi? BTW, for me that's 1Password's best feature. Thanks so much for implementing it. Are their clients going to delete these Primary vaults as well as soon as they are informed by the server that they have been removed from the family account? If that's not the case, I could keep the family membership and just tell members to use local vaults only.

    Thanks

    "Remove a family member’s account permanently

    After you remove a family member’s account, they can’t sign in to 1Password, which means:

    • They lose all the items in their Private vault. Because the items weren’t shared with any other family members, no one will be able to access them.
    • They lose access to all shared items, including those in the Shared vault. This won’t affect other family members’ access to shared items."
  • Hi @rpaulson

    > but IMO this shouldn't affect their private vaults, they should have the option to create their individual 1Password account or at least – if that's not an option for them – be able to export/download their private vaults.

    So they certainly can export their Private vaults, however this would have to be done prior to the account / membership being deleted. I agree that it would be great to have an option for family members to spin off into their own memberships. I don't have any update to share on that, but I will continue to advocate for it whenever opportunity arises.

    > But what about their local vaults

    We do not recommend this, and support is limited for such configurations, but in theory this should be possible and would work around the situation. One huge pitfall is that every family member will end up with at least two independent Master Passwords they have to remember. They can be set to the same password, but changing one will not affect the other. This has a tendency to lead to data loss on its own, so that is something to consider when contemplating urging your family in this direction.

    Ben

  • MONKi1P
    Community Member

    Removing family members resulting in deletion of their account is not very user friendly. I've used both LastPass and Bitwarden and neither do this. They simply remove that user and they have their own account still intact. This also makes it easy then for them to start their own family account and branch off. Are any changes being planned in how 1Password handles this?

  • ag_tommy
    edited January 2021

    @MONKi1P

    Hopefully, we can bring something like this to our users in the future. I am not sure of how complex this would be to implement. I'll share your enthusiasm for seeing this feature with the team.

  • ag_ana
    1Password Alumni

    @rpaulson:

    > But what about their local vaults, the ones they can sync with their other devices via WiFi? BTW, for me that's 1Password's best feature. Thanks so much for implementing it. Are their clients going to delete these Primary vaults as well as soon as they are informed by the server that they have been removed from the family account?

    No, vaults outside of the 1Password account you are deleting will not be touched. So vaults stored locally and synced with WiFi, or vaults stored in other 1Password accounts will remain available :+1:

  • MONKi1P
    Community Member
    edited January 2021

    @ag_ana So could a member technically move their stuff from the cloud vault into a local vault, then be removed, then sign up on their own, move the stuff from their local vault into their personal cloud vault?

    What @BBBB mentioned regarding domestic abuse is a very real problem! I don't want to go into too many details here and I don't know enough what constitutes domestic abuse but my wife was on a family plan under her dad years ago and while she was traveling abroad he cut her off both financially and with 1Password! She lost access to everything while stranded on a different continent. Heartbreaking when you rely on having access to important financial information and other documents and then realizing that you are really screwed. So since then she wouldn't touch 1Password with a ten foot pole and I of course compromised and we have used LastPass over the years. Now enough time has passed that she is again open to the idea of using it but for now I only moved myself over because she wants to see me using it first before she agrees to anything.

  • ag_ana
    1Password Alumni

    @MONKi1P:

    > So could a member technically move their stuff from the cloud vault into a local vault, then be removed, then sign up on their own, move the stuff from their local vault into their personal cloud vault?

    Yes, they could. A member always has the option to have multiple accounts, it is not necessary to only use the Families one, so they can certainly also have their own Individual account :+1:

  • MONKi1P
    Community Member

    @ag_ana sure but all that is saying is that people should pay for two accounts because of 1Password's limitation (passing on the problem to the user) and this is not an option for those that are old enough to use a password manager but not old enough to have their own credit card.

    Can we all agree that this needs to change for everyone's safety & convenience :)

  • ag_ana
    1Password Alumni

    @MONKi1P:

    Correct, it would require a separate account. You asked if this was "technically" possible, and that certainly is :)

    Having said this, we really appreciate the feedback! The team can certainly continue to discuss this to try and find the best way to move forward :+1:

  • MONKi1P
    Community Member

    @ag_ana right so for an adult who is leaving the family because they are now grown-up or need to start their own family sharing, they can migrate all their data including attachments by moving all their stuff into a local vault and then from there into a new online vault. This is the first time that migrating an account would then be more seamless than using the built-in export function. Love this possibly!

  • ag_ana
    1Password Alumni

    @MONKi1P:

    It can actually be even quicker than that: since 1Password supports multiple accounts, you could also move items directly from the old account to the new one, without even having to go through a local vault ;)

    How to use multiple accounts

    With more than one account added to the same 1Password app, you can simply move items from one vault to the other:

    Move and copy items

  • MONKi1P
    Community Member

    :)

  • ag_ana
    1Password Alumni

    :+1:

  • pdxtony314
    Community Member

    I've been using Lastpass for years and now that they're going to start charging (which I understand) I'm exploring all the options - mainly just paying for Lastpass Family, Bitwarden and 1Password. I really like the 1P interface the best but both of the other two competitors make it such that if a family member leaves for any reason their "vault" stays with them and they don't lose it. The fact that with 1P if a family member gets deleted they lose their vault - it might be a dealbreaker for me and my family. Is this changing anytime soon?

  • MONKi1P
    Community Member

    @pdxtony314 Hopefully but there is a workaround that you can use. They sign up for another 1Password account and move all their items over from their family account to their new private account. It will preserve everything including attachments. Oh and I came from LastPass recently and I’m very happy with 1Password. What ended up pushing me to leave and overcoming the password manager inertia was a weeks-long support waiting game with LastPass support via email, then by phone, and back to emails just to inform me that some other internal department is investigating my bug. Now they have stopped emailing without having offered any resolution or admitting they cannot fix the bug. This has happened to me years ago with them and I was more patient with them then. This time I reviewed deeply most alternatives and besides a few sticking points, which all have, 1Password is the best option.

This discussion has been closed.