Accountability notification when accessing secure notes

Is there any sort of feature available to business accounts whereby you can specify that a particular vault requires extra accountability? I don't mean that there needs to be some sort of nuclear code system where 2 people need to unlock simultaneously but let's say this is a scenario:

  • Company has a team and a number of people have rights to use a company credit card for select purchases
  • That credit card is stored as a secure note in a specific shared vault
  • By accessing the secure note and asking for the secrets to be laid bare (via some sort of on-screen prompt) an email/notification goes out to the vault managers

This isn't supposed to prevent misuse of a secure note (in this example, you could already misuse credit card details by noting them down on paper when the card is handed to you) but provides an audit as well as a heads-up. If you get an alert email during business hours after you had an internal email to say, "I'm paying the licence fee renewal" or "I need to log in to the online banking" then you feel happy. If you get an alert email at 2am on a Saturday when one of your colleagues is out drinking then you can feel less happy!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Referrer: forum-search:unlock notification

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @connrs!

    Thank you for the suggestion! At the moment it does not look like this is possible, the closest entry in the Audit Log seems to be this one:

    Vault Items. Updating (creating, editing, archiving, and deleting items).

    So it would only log an action if it actually changes an item, not if the item is just viewed :(

  • connrs
    connrs
    Community Member

    Thanks for this @ag_ana. I've always been really pleased with all the auditing features (not least because it makes our infosec manager happy!)

    While it would be certainly cool if something like this existed I'm definitely a happy 1Password user managing my team's vaults. At least I now know it's not there so I'm not missing out.

    Kind regards,
    connrs.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the kind words @connrs :)

  • paulpharr
    paulpharr
    Community Member
    edited November 2021

    If you do a usage report on a vault, you will see what I believe is a reliable log of all users who have accessed each record and when. The absence of a logged access means that user has never seen the secret.

    It also reduces the effort in rotating credentials when someone is removed from a vault, because you know what they have seen.

    While this does not give you the real-time notification, you can go get a report at any time, which in many ways has advantages.

  • connrs
    connrs
    Community Member

    @paulpharr Yep, the usage report is great.

    However, I've found that opening a secure note via the Mac/Windows desktop apps and copy/pasting the details does not create an entry in the usage report. This differs from when you access a secure note on the web which triggers an immediate entry in the usage report.

    This means your suggestion is great for tracking things that do get logged when used via browser extension/desktop app (i.e. browser autofill) but reveals a minor weakness in the desktop apps because viewing a secure note via desktop app appears to be unmonitored.

  • paulpharr
    paulpharr
    Community Member

    The local apps often have cached encrypted copies of the credentials & will show them to you even if not connected to the internet, but in my experience all access from the desktop and mobile apps is fed back to 1password.com opportunistically - so after possibly some delay, the access is reliably reported

    I agree that there are edge cases where the user could actively trick the system, but for the purposes of rotating credentials after employees depart, I believe those are irrelevant

    1Password - can you shed light on this process of logging user access from the apps?

  • @connrs,

    That's absolutely correct that the 1Password apps don't report merely viewing an item as usage. For example, with a Login item, a user needs to reveal a concealed password, copy it, fill it using the 1Password extension, or edit it before usage will be triggered. Secure Notes do not contain any concealed fields and viewing this item or copying the available contents in the 1Password apps will not report it as usage, as you've found out. Viewing an item on 1Password.com without actually taking any further action, however, will count as usage and be reflected in the report.

    Item usage in the 1Password desktop and mobile apps is transmitted to our server, often delayed, at different intervals, as paulpharr correctly mentions, whereas usage on 1Password.com is reported immediately. This is why the relevant support article contains a unique bullet for Viewing an item on 1Password.com, to distinguish it from the desktop and mobile apps' usage behavior.

    At the time when the 1Password.com hosted service was introduced, each team was essentially working almost independently to develop each the apps, and this made it difficult to coordinate when new features had to be implemented on each platform, and I'm sure item usage was probably no different in that respect. With 1Password 8 for Windows, 1Password for Linux, and the other upcoming platform releases being developed with a common core and proper coordination, it's possible we may see some improvements in this area in the future.

This discussion has been closed.