Suggestion to improve Travel Mode

thedean
Community Member

I love the new Travel mode feature, but I have a suggestion on how to improve your implementation of Travel Mode.

Currently, "Not Safe for Travel" is marked at the vault level. When Travel Mode is turned on, all the vaults marked as "Not Safe for Travel" are removed from client devices. I have found this design to be less than ideal. Specifically, I use Related Items a lot. For example, my credit card item and the bank login item for that credit card are both cross related. Unfortunately, if I try to move those 2 items to a "Not Safe for Travel" vault (which I believe would be a fairly common scenario), I am given an error message because items with links cannot be moved across vaults. My only choice is to remove the links, move them to the "Not Safe for Travel" vault, and then re-link them.

I believe a superior design for the Travel Mode feature would be to allow users to mark items "Not Safe for Travel" at the item level rather than the vault level. This could be implemented very easily via a "Not Safe for Travel" (possibly reserved) tag. This design would allow users to keep all their items in a single vault if they choose to (my preference) or spread them across multiple vaults, and since tags are searchable across vaults, you could easily identify which items to remove from the local client when Travel Mode is turned on. This alternative design would give users more granularity and not require them to create a separate vault for "Not Safe for Travel" items.

In addition, the migration to this new design would be rather straightforward, as implementation of the new release could easily take all the vaults which are marked as "Not Safe for Travel" and add a "Not Safe for Travel" tag to each item in that vault. This way, users could still keep all "Not Safe for Travel" items in a separate vault, or intermix them with items in other vaults, or just keep everything in a single vault.

I hope this makes sense to you, and hope you would consider a re-design of the Travel Mode feature to provide more granularity and easier management of Travel Mode for your users.

Thanks,
Dean


1Password Version: 7.8.8
Extension Version: 2.1.7
OS Version: macOS 11.5.2

Comments

  • Hi @thedean,

    Thanks for asking about this! I've asked our Security team to chime in here, as they'd be best equipped to speak on this.

    Jack

  • Lars
    1Password Alumni

    @thedean - thanks for the question/suggestion! It's a good idea from a conceptual standpoint, and I can see how and why that would make your use-case easier. Unfortunately, it's just not the way 1Password's server is configured, and changing it would be far from trivial, as it would involve not just an adjustment to Travel Mode, but a redesign of the entire architecture of the 1Password data structure.

    1password.com is vault-based at its core, for the most part. The idea for Travel Mode is that All Vaults view is always available to you, so you can split your items between one or more vaults you use that contain nothing but items that would be "travel safe," in your opinion, and one or more vaults you would NOT want to travel with. In such a scenario, there would be no moving items (and thereby losing "related" links in the process); the items would be located initially in either travel-safe or not-travel-safe vaults, and any links between items would not be at risk of being lost.

  • thedean
    Community Member
    edited October 2021

    Lars:

    Thank you for the quick reply. Your comment that "there would be no moving items" because "the items would be located initially in either travel-safe or not-travel-safe vaults" would only apply to new customers who are setting up their vaults for the first time.

    Existing customers did not have the luxury of perfect foresight to organize their vaults in this way. And as best as I can tell, there are, to this day, no getting-started guides that recommend a best practice to organize vaults in this manner.

    At a very minimum, your documentation team should be advising clients when they set up their vaults that they should be considering segregating not-safe-for-travel items, in case they might want to turn on Travel Mode in the future.

    Dean

  • Lars
    1Password Alumni

    @thedean - thanks, I'll pass along that suggestion to the documentation team! :chuffed:

  • jpgoldberg
    1Password Alumni

    I think you, @thedean, are correct that having travel mode exclusions based on tags (or similar) would provide more flexibility for users and avoid the very real problems you describe. But as Lars correctly said, "1password.com is vault-based at its core." Synching is built around vaults, as is encryption. Travel Mode actually leverages some of our underlying synching technology and provides a simple mechanism that leaves absolutely no trace on the device itself of whether one is using Travel Mode.

    We certainly couldn't do it using our tag technology (but that doesn't mean that it couldn't be done in a way that will look like tags to the user) as server side we know very little about which of your tags are which. And we don't want the client to have a discoverable state that it is in travel mode, so the client needs to think that it is just getting vaults and items in the usual way. Having the server tell clients that certain items in a vault are "deleted" without actually deleting them feels like the kind of thing that one bad synching operation could lead to real data loss.

    Sorry for being so negative about the prospects of all of this. Your question got me thinking about various ways to achieve what you are very reasonably after. And so I am brainstorming ideas but then shooting them down. I can't think of a way to do it without a complete overhaul of how syncing works. Perhaps somebody will come up with an idea that would allow your request to get on a realistic roadmap, but at the moment it looks like there is no way to get there from here.
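
Added example, not part of the thread and not 1Password's code: a simplified Python model of the vault-level design jpgoldberg describes above, in which the server filters whole vaults and item contents (tags included) are opaque to it. The class and field names, the `safe_for_travel` flag and the `seal` stand-in cipher are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


def seal(vault_key: bytes, data: bytes) -> bytes:
    """Stand-in for client-side vault encryption (assumption, NOT a real cipher).
    XOR with a SHA-256 keystream, so applying it twice recovers the input."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(vault_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Vault:
    vault_id: str
    safe_for_travel: bool  # the only travel-related fact the server can read
    items: dict = field(default_factory=dict)  # item_id -> opaque blob


class Server:
    def __init__(self):
        self.vaults = {}
        self.travel_mode = False  # kept server-side; never sent to clients

    def sync(self) -> dict:
        """What a client may hold right now; same shape in either mode."""
        visible = [v for v in self.vaults.values()
                   if v.safe_for_travel or not self.travel_mode]
        return {"vaults": [{"id": v.vault_id, "items": dict(v.items)}
                           for v in visible]}

    def can_read_tag(self, blob: bytes, tag: str) -> bool:
        """The server holds no vault key, so all it can do is scan ciphertext."""
        return tag.encode() in blob


def build_demo():
    """Constructed sample account: two vaults, one item tagged by the user."""
    key_personal, key_work = b"constructed-key-1", b"constructed-key-2"
    personal, work = Vault("personal", True), Vault("work", False)
    for item_id, title, tags in [("i1", "Airline", []),
                                 ("i2", "Bank", ["Not Safe for Travel"])]:
        record = json.dumps({"title": title, "tags": tags}).encode()
        personal.items[item_id] = seal(key_personal, record)
    work.items["i3"] = seal(key_work, b'{"title": "SSH key", "tags": []}')
    server = Server()
    server.vaults = {"personal": personal, "work": work}
    return server, key_personal
```

With travel mode on, the tagged "Bank" item is still delivered: the server can only filter on the vault-level flag, and the response carries no field that reveals which mode produced it.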

  • thedean
    Community Member
    edited October 2021

    @jpgoldberg...

    Thank you for your thoughtful words... and for understanding what I was attempting to accomplish to further empower your users with more flexibility. If it's technically not feasible, then so be it.

    The larger point I was trying to make to Lars is that I believe you have an obligation to your users to suggest to them best practices about how to get the most out of your software. I completely understand that prior to the development of Travel Mode, you could not anticipate (nor could your users) how Travel Mode would be implemented.

    However, now that Travel Mode is available and fully understood, I believe you have an obligation to educate your new users that they should be thinking about creating a separate vault for sensitive items at account creation. To my knowledge there is still no documentation available from 1Password which encourages users to do so. Such documentation could prevent new users from having to jump through the hoops I did to un-link, move and re-link items when they discover at a later time they want to use Travel Mode. A little bit of guidance from you up front could prevent a lot of unnecessary work and customer frustration down the road.

    Please don't get me wrong. I am not trying to be critical of 1Password. I have previously used Dashlane and LastPass, and I am now a 1Password user because I truly believe it is a superior product. I make suggestions like this (and another I recently posted about using Shamir's Secret Sharing to enable account recovery in individual accounts similar to the way you do it in Family & Business accounts) because I believe it can be an even better product. And I will continue to push you to make it the best it can be because I benefit and the whole user base benefits when you do so.

    Thanks again for your thoughtful response.
    Dean

  • Lars
    1Password Alumni

    > To my knowledge there is still no documentation available from 1Password which encourages users to do so.

    @thedean - there is indeed. It's the Travel Mode documentation, the "To mark vaults as safe for travel" section of which reads:

    > If you don’t already have a vault you want to travel with, you can create a vault and move items to it.

    It's true, we don't place instructions about how to do this - or why you might want to do it - front and center in a way that all users must be aware of in order to continue setting up 1Password, but that is because not everyone will want to use this feature. For those people, such instructions would be simply an annoyance. For the present, anyway, the burden of making every new user read or at least dismiss a pop-up or similar regarding Travel Mode that requires their attention is greater than the burden of the comparatively few new users who do not initially consider Travel Mode as part of their setup, then create vaults with multiple related links between them, and finally return to Travel Mode only to wish they'd done it differently from the start.

    If we can figure out a way to simply streamline the actual process, along the lines of what you mentioned (and jpgoldberg was trying to come up with ideas for), we'd love to work those in.

  • thedean
    Community Member
    edited October 2021

    @Lars and @jpgoldberg:

    I am not suggesting that you burden customers with reading things they are not interested in, but rather make documentation available to those who want it, about best practices when setting up their account.

    For example, you have an article entitled "Getting Started with 1Password" (https://support.1password.com/explore/get-started). It is fairly process driven around 3 simple points: 1) Sign up, 2) Get the app, and 3) Fill in your passwords. There could be a link in that document to another article that is not process driven, but more consultative around best practices. It could include things like 1) what to think about when setting up your vaults, 2) Subject areas you might want to set up tags for, 3) How to use Watchtower to identify and turn on 2FA, etc.

    Having this as a separate article linked from within the "Getting Started" article would make it discoverable for new users, but not obtrusive for those who are not interested. A good example of how this can be done can be found in this New York Times article: https://www.nytimes.com/wirecutter/guides/how-to-use-1password

    If the New York Times can do this, you can probably do even better.

    I hope this helps.

    Dean

  • BesieDai
    Community Member
    edited November 2021

    I am also interested in figuring out the best practices which leverage 1Password’s intended functionality, particularly with Travel Mode. So I’m trying to square some of the things I found in the blog post and support doc for Travel mode against some of the things I’ve read in a lot of these forum posts. And since I know 1Password team members like to address things piece-by-piece, I’m going to break it down that way. :)

    1. It was suggested to copy items to the new “travel” vault, but then All Vaults view has duplicates which are not synced; is it actually bad practice to make copies like this, and instead keep them permanently segregated?

    A HowToGeek article recommended, for existing 1P users who are just now encountering Travel Mode, to copy items to a new vault and mark that as safe for travel. But now there are multiple copies of items if I’m looking at “All Vaults” and making any edits to one of them (like a password change) will cause them to grow out-of-sync, like a software fork.

    Lars told us “[t]he idea for Travel Mode is that All Vaults view is always available to you, so you can split your items between one or more vaults you use that contain nothing but items that would be ‘travel safe’, in your opinion, and one or more vaults you would NOT want to travel with.”

    So I gather that we—new and longtime 1P users alike—should place the only copy of an item in whichever vault is appropriate, and under normal, non-traveling circumstances, rely on the All Vaults view to hide the distinction.

    Side note: I don't know what the intention was for the copy-to-another-vault feature, but it was at this moment I was hoping for a Unix symlink/Windows shortcut feature across vaults. Prior to this, I only ever copied an item with the intent of changing its details, not re-using it elsewhere.

    2. One can either create a small vault of “travel-safe items”, or a small vault of “non-travel-safe items”, depending on the individual circumstances of course, but could you share the team’s intent?

    I am interpreting Lars’s comment and the HowToGeek article to be recommending that it’s easier to hand-pick the items that will travel with you across borders, and exclude everything else. However, in other forum posts I was picking up hints that we should instead create a small vault of extremely sensitive “not-safe-for-travel” items, in order to remove them from our devices.

    As I created my safe-for-travel vault, I ended up with a ratio of about 1:10 of things I think I might need on a trip vs. what I wouldn’t, but I really would never know for sure ahead of time! Maybe I get somewhere and think damn, I really would like to sign into my Blockbuster account…wish I had added it to the travel vault. 🤷‍♂️

    Seems like a more manageable approach is to identify the few things that I would absolutely not want anyone to have a chance at getting their hands on (e.g. customer info, SSH keys for work servers, etc.), and placing them in the only vault that is not marked safe for travel. Adding rando stuff from then on like the hottest new web3 service would, by default, be travel-safe because am I hurt by border interrogators seeing my latest failed hello-world DApp? Just my pride, I suppose.

    3. Is the name of my vault going to bite me?

    jpgoldberg, among others, said we don’t want the client to have a discoverable state that it is in travel mode. Am I defeating this by calling my safe-for-travel vault “Travel vault”? And if I go with the opposite strategy of making everything safe except for the exclusions, then I am guessing (without actually doing the experiment with my devices yet) that the “NoTravel” vault wouldn't even show up and “Personal” is the one I am taking on the road…problem solved?

    4. Was the intent just for border crossings?

    I, like at least one other customer in these forums, was not aware that border crossings could present such a risk, that someone might force me to unlock my device in front of them. So I first assumed that Travel Mode was for the entire duration of your trip, where the greatest risk is a device being lost or stolen while it’s powered on (I think at least in iOS—but definitely in macOS—a powered-off device is incredibly secure, but upon first login the disk is decrypted and remains that way even in standby and when the screen is locked).

    But there is a recurring suggestion here that Travel Mode is meant for the border crossing and airport, but that you would turn it off when you reach your destination. Is this only if the destination is relatively less hostile than the border? Are there anecdotes or data that point to borders as being significantly more risky to users of password managers than being inside a country?

  • jpgoldberg
    1Password Alumni
    edited November 2021

    > Side note: I don't know what the intention was for the copy-to-another-vault feature, but it was at this moment I was hoping for a Unix symlink/Windows shortcut feature across vaults. Prior to this, I only ever copied an item with the intent of changing its details, not re-using it elsewhere.

    That would be really nice, but it would have to be like a symlink and not like a hard link. It can only be encrypted with one vault key, and it can only sync in one vault. I think that the solution here is for us to expand what can be done with "related items."

    > Was the intent just for border crossings?

    Mostly, yes. But ...

    > I, like at least one other customer in these forums, was not aware that border crossings could present such a risk, that someone might force me to unlock my device in front of them. So I first assumed that Travel Mode was for the entire duration of your trip, where the greatest risk is a device being lost or stolen while it’s powered on

    While that is not the driving intent, it is certainly a reasonable use of it. But it is really designed around complying with compulsory unlocks.

    Either way, your point that our guidance on this is in need of improvement is abundantly clear. Travel Mode was introduced at a time when the political and social discourse may have helped frame people's thinking about what it was all about. The sorts of border searches that Travel Mode is to help you safely comply with were in the news and being widely discussed in security, privacy, and civil rights circles. But our documentation has not caught up with people coming to be aware of Travel Mode without that context.

  • BesieDai
    Community Member

    Thanks @jpgoldberg! That is helpful.

  • On behalf of Jeffrey, you are very welcome @BesieDai! :smile:

This discussion has been closed.