Family & shared vault

learnfpga
learnfpga
Community Member

Hi, Currently I use lastpass and I am on a trial period of 1password family plan and testing it out to see if it works out better for me. I have couple of questions as I am evaluating the product.

  1. In addition to my account, I have added two family members (kids) to the account. I have create two shared vaults for them and only I as an admin can share the accounts that are relevant to respective kid. Both of them have their own secret key and private vaults. I don't want them to create accounts or passwords on their own and only use respective shared vaults. Is there a way to block their private vaults or limit their access to only shared vaults?
  2. Do I need to print and save their secret keys ? The idea is that all the passwords are in my private vault and they only get access to respective shared vault. So their accounts and private vaults are not important and I want to avoid having to save 3 separate secret keys securely.
  3. In lastpass I have a master password and 2FA app and I have settings such that it asks for authenticator every time I login. How does 1passoword introduce 2FA. I don't see an option in settings to have app based 2FA required for each login. Its more cumbersome to type master password every time so I was thinking of making the "Lock after system idle" time to 999. But lack of an option to ask for app based authentication (using Authy etc.) is making me uncomfortable.

Thanks
Lf


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @learnfpga

    1. No, each family member has access to a Private vault.
    2. Yes. They will need that Secret Key to reinstall the apps if needed. If it's not saved, they would need to go through the recovery process if it was forgotten. I have all of my kids Secret Keys stored within 1Password.
    3. Only the Master Password encrypts your data. Only it can decrypt the data so you can access it. 2FA protects you by prohibiting linking of new devices to your account.
  • To add to what Tommy said:

    In lastpass I have a master password and 2FA app and I have settings such that it asks for authenticator every time I login.

    Are you able to access your data offline, or do you have to be online? The reason we don't offer such an option is because 1Password works offline, meaning the encrypted data is already downloaded to your device. Unless your LastPass setup is online-only, I'd suggest this is more of a placebo than anything. The data would already be on your device and an attacker could attack it without 2FA by simply not using the LastPass app to make the attack. They'd copy the raw encrypted data from the device and then attempt to brute force the decryption password directly.

    Ben

  • learnfpga
    learnfpga
    Community Member

    @ag_tommy - So you are suggesting to save their secret keys in my private vault and only print my private vault secret key at a secure location. Correct?

  • I have their keys saved in my Private vault, yes. Basically because they are too young 11-12 to understand the responsibility. I actually have all of our Secret keys stored within 1Password for ease of access. Like when my 24 year old calls and asks dad can you give my wife the Secret Key so she can install 1Password on her new phone? I was like really?! But knowing my son, that was him through and through. :lol:

    All of our keys are stored outside of 1Password in a floor safe and at a relatives home should we ever need access in a difficult situation. Like if for some reason I was unable to access my account and or estate planning needs.

  • learnfpga
    learnfpga
    Community Member

    The reason I am bringing this up is that recently, lastpass reported that an unknown device tried to log in to my account. The thing that protected me was an authenticator as a 2FA. In 1password if I lose a device and someone has access to my master password, they would still need the authenticator app to login.

    On all my 2FA type login's I make it mandatory to require the app even though this is my private device. So I feel having the that 2nd factor helps. May not be in all scenarios but in certain scenarios.

    Unless I am thinking of this completely incorrectly.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited July 2021

    @learnfpga 2FA protects your data on the server. It prevents an attacker who somehow knows your master password and secret key from downloading a copy of your database. It cannot protect your data on your device because your device already has a copy of your data. Someone who knows your master password and has access to your device can just copy your database to their own device and open it with their own decryption software.
    In effect, entering the 2FA code makes the new device one of your trusted devices. I think of it as a chain of trust. You use the device with the authenticator app to authorise adding the new device to your chain of trusted devices. Some apps allow you to require re-entry of the 2FA code to unlock, but this doesn't add to security unless the 2FA is involved in encryption of the database or the database is deleted everytime the app is locked.
    If you are concerned about this risk: keep your device physically secure, set-up individual user accounts with strong passwords, set your device to lock after periods of inactivity and, where available, enable storage encryption.

  • ag_ana
    ag_ana
    1Password Alumni

    @learnfpga:

    rootzero summarized the situation perfectly: 2FA is not involved with the encryption process, so it would not protect in the scenario you are thinking about. This documentation page from our security team also has some more details on this:

    Authentication and encryption in the 1Password security model

This discussion has been closed.