Unlocking Multiple Vaults

BlueViper
Community Member
edited October 2023 in Lounge


I have more than one account (Work and Personal) and I definitely liked the convenience that before v8 I could use one password to unlock both vaults, but I admit I always thought it'd make more sense to have to unlock each one individually on Windows and so I (believe it or not) actually like that's how it works now (though I'd love if iOS kept FaceID to unlock everything once it's updated).

But from a usability perspective, I'd really appreciate some sort of option to let us unlock more than one vault at a time before the screen closes. If it's already there somehow and I missed it, I apologize. But right now when I log in, my process looks something like this: I open a browser and use the 1Password extension to unlock, I put in the password for one of my vaults, it unlocks, then since I used the browser the window closes entirely, so I have to open up the app, then I have to go up to the menu and find my other vault and unlock it from there. Granted, if I use the app directly to unlock, the window doesn't close, but I have to go find my other vault in the menu first, which is still less than ideal.


1Password Version: 8.2.0-56.BETA
Extension Version: 2.0.5 (Beta)
OS Version: Windows 10 21H1


Comments

  • sissing
    Community Member

    I'm experiencing the same issue; it is currently so much work to unlock the second vault that it starts to really annoy me. I would like to see the option to unlock the second (or more) vault directly after unlocking the first one.

  • Hi folks! Thanks for reaching out about this situation.

    though I'd love if iOS kept FaceID to unlock everything once it's updated

    I can't speak to any specifics about iOS at this point, but I can say that on Mac and Windows unlocking via biometrics (Touch ID, Apple Watch, Windows Hello) does unlock all added accounts, as it stands.

    But from a usability perspective, I'd really appreciate some sort of option to let us unlock more than one vault at a time before the screen closes

    With what is available today the way to do that would be with Windows Hello, for 1Password for Windows.

    Use Windows Hello to unlock 1Password on your Windows PC

    I'm experiencing the same issue; it is currently so much work to unlock the second vault that it starts to really annoy me. I would like to see the option to unlock the second (or more) vault directly after unlocking the first one.

    Another possibility here is to use the same account password for each 1Password account. This is what we recommend in our guide, below. Obviously password reuse is a major issue that we're combatting, but it is a different situation with your 1Password accounts as they are still protected by unique Secret Keys.

    How to use multiple accounts

    Ben

  • kkrauth
    Community Member

    Stumbled here as I was experiencing the same behavior. I could swear that on 1Password7 both of my accounts (personal & work) would get unlocked when I would unlock 1Password app. Since upgrading to 1Password8, only my personal account gets unlocked when unlocking the app, and I have to unlock the work account separately. It has nothing to do with biometrics as far as I can see. Has the default behavior changed or am I missing a setting somewhere that can make this happen?

  • Hi @kkrauth

    Yes, the behavior changed between v7 and v8. If you'd like to unlock multiple accounts we'd recommend using the same account password for those accounts (they will still have unique Secret Keys), or using biometrics.

    Ben

  • codeknight
    Community Member

    This is a pain. I just updated to Windows 11, which installed 1Password 8 (presumably I was on 7 before) and I ended up having to Google why my vaults don't all unlock at once anymore. It'd be better to have this as a preference option to unlock all vaults at once with one password as it worked in 1P7.

  • Hey @codeknight:

    As Ben mentioned above, if you'd like to unlock multiple accounts at the same time, our recommendation would be to use the same account password across all of your 1Password accounts or enabling Windows Hello to unlock 1Password.

    Jack

  • Petie
    Community Member

    Has there been any consideration for a meet in the middle option? I have two accounts that I would like to keep configured with their current (different) passwords and while I appreciate the added security of the current setup, I feel like there is still a secure option for auto-unlocking additional vaults. I'm not sure how, UI-wise, you'd go about doing this but what about if the password for a second account was stored in 1Password for your "primary" vault (the one you're unlocking first)? If present, 1Password could use that entry to automatically unlock the second (third, fourth, etc.) account and if not, it falls back to the current v8 behavior. This seems like it would be a secure approach, assuming there's no technical hurdle for implementing it, though I'm certainly not an expert and may have overlooked something here.

  • Hi @Petie, thank you for the suggestion! I have passed it on to the relevant folks here. Thanks for taking the time to offer it. I'll be interested to follow any further discussion on the idea.

    ref: IDEA-I-866

  • dman80
    Community Member

    Just adding to this, but using the same password across accounts is very insecure and actually not recommended by your own software. This feels like a step back and should have been replaced with another method of linking accounts together instead of a major interface change. I work with MSPs who have dozens of passwords to remember now.

  • PeterG_1P
    edited May 2022

    Hi @dman80, we appreciate your feedback here.

    Just adding to this, but using the same password across accounts is very insecure and actually not recommended by your own software.

    We actually made this change for the sake of improving security in 1Password, based on the premise that no account should open without its account password.

    One of our resident security gurus, @jpgoldberg, explains the thinking behind this in-depth in this forum post.

    Roustem also discusses a little further down that thread that the implications of using a single password for two of your 1Password accounts are different from other login scenarios, in which a website or service stores either your password or a hash of it.

    I hope that's helpful. We recognize that not everyone will agree with the current approach, and while we're certainly open to making improvements, I do want to let you know that we've thought a lot about the security considerations that attend it.

    I work with MSPs who have dozens of passwords to remember now.

    I'd be happy to learn more about this so we can either provide immediate support or start drafting solutions internally. To make sure I'm understanding correctly: this is a situation in which an MSP has a separate 1Password account for each client (or client organization)?
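
The staff replies above argue that reusing one account password across 1Password accounts differs from ordinary password reuse because each account also has its own Secret Key. The following is an added example, not 1Password's code and not part of the original thread: a simplified two-secret derivation (PBKDF2 for the password, HKDF for the secret key, XOR to combine) whose construction, names, iteration count and sample values are all assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumption for this example, not a vendor parameter


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes, account_id: str) -> bytes:
    """Both inputs are required: stretched password XOR expanded secret key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    expanded = hkdf_sha256(secret_key, account_id.encode(), b"example-unlock-key")
    return bytes(a ^ b for a, b in zip(stretched, expanded))


# Constructed sample accounts: one shared password, a distinct secret key each.
SHARED_PASSWORD = "correct horse battery staple"
ACCOUNTS = {
    "work": {"secret_key": bytes(range(16)), "salt": b"work-salt-000001"},
    "personal": {"secret_key": bytes(range(16, 32)), "salt": b"home-salt-000002"},
}


def accounts_opened(leaked_password: str, leaked_secret_keys: list) -> list:
    """Return the accounts that the leaked password and secret keys can unlock."""
    opened = []
    for name, acct in ACCOUNTS.items():
        real = derive_unlock_key(SHARED_PASSWORD, acct["secret_key"], acct["salt"], name)
        for guess in leaked_secret_keys:
            candidate = derive_unlock_key(leaked_password, guess, acct["salt"], name)
            if hmac.compare_digest(real, candidate):
                opened.append(name)
                break
    return opened


if __name__ == "__main__":
    work_secret = ACCOUNTS["work"]["secret_key"]
    print("password only:", accounts_opened(SHARED_PASSWORD, []))
    print("password + work secret key:", accounts_opened(SHARED_PASSWORD, [work_secret]))
```

In this model the shared password alone opens nothing, and the password plus one account's secret key opens only that account. The separation holds only while the secret keys are exposed separately: a device signed in to both accounts holds both keys.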

  • nle
    Community Member

    Can't you just add a toggle/dropdown list – letting you unlock vault Y together with vault X? And let the user take the security risk?

  • @nle

    Thanks for the suggestion. I appreciate it.

  • eegore
    Community Member

    I think @Petie's suggestion is a great one. Please implement it. That's what I'm currently doing anyway -- manually, slowly, annoyingly -- it feels like 3password instead of 1password (I have 3 vaults I use regularly). I have the passwords for my 2 2ndary vaults stored in my primary 1password vault, so then after opening the primary, I have to remember to unlock the other 2 by copying / pasting the password from the primary one. If I don't remember, my searches / autocompletions / etc... all don't work properly -- and it sometimes takes time to remember that I just need to unlock the other vault. Having it automatically unlock the 2ndary vaults would be awesome, and wouldn't lower security, since anyone gaining access to my primary vault is getting the passwords / secrets to the other vaults anyway. I suspect most of us are in the same boat, since 1password has been so good at storing stuff securely, we do use it as the main place for storing all this. At best not doing it automatically is security through obscurity because someone would have to look through the vault to find the other secret keys / passwords for the other vaults.

  • valor
    Community Member

    Totally agree with @Petie and @eegore.
    I fully understand the move to unlocking vaults individually from a security perspective (I was surprised it ever worked the way it did) but now it's a step back in usability and breaks the workflow as I have to open 1Password app every time and auth the alternate account.

    I would love to see an option in the app to select the alternate account(s) to unlock automatically, and/or choose the Login item that contains the master password from account A that corresponds to account B,C and validate it.

    While this is technically similar to the advice "use the same master password for both accounts" I have a work account that I need to keep separate on a separate work laptop. If it were to get infected and credentials compromised, I wouldn't have to change my personal one as well, just update the login item in my personal account's vault

  • Thank you @valor, we do appreciate the feedback. I have filed a vote accordingly - and one has already been filed for you as well, @eegore. 👍

  • BlueViper
    Community Member

    I forgot all about this thread and only just came back to it now after seeing a change with the Chrome add-in and saw my notifications here.

    Just to add some commentary:

    Windows Hello doesn't seem to be an option the first time the app opens. Right now I can lock my 1Password app and go to unlock it and use my Windows Hello PIN to unlock both of my vaults. This is great, and I love that. But when I open it the first time in the morning when I start work or when I boot up a personal device, I don't have the option for Windows Hello which is why this is a concern for me. If I could use Windows Hello at first open too that'd be alright.

    I'd rather not share my same account password with more than one vault. One significant point of a password manager is to limit password re-use by making it easy to manage multiple passwords. For that to be an encouraged solution for the 1Password account is at least a little disappointing. I get that they have the secret keys protecting them and they'd have to have access to a device where I set it up at already. But still, I'd prefer to keep my account passwords separate. Better safe than sorry.

    I like that I have to enter both passwords still; that's just safe. I just want it to be easier to do at first launch every day. An option to remain on the unlock page to unlock a second vault or something. Having to unlock one vault, then go to the menu and find my other vault to unlock it when I just came from the unlock page just doesn't sit great. It also leads me to forgetting to unlock another vault when I need to access something quickly.

    This wasn't too big of a deal but now all of a sudden I noticed my browser extensions just switched to needing to be unlocked independently of my desktop app. I use two browsers on a frequent basis so at least as of this morning I'm now unlocking my vaults 3 times each.

    Maybe the extension thing is a bug/fluke/something broke and I need to fix it. I'm still looking at that. But it's at least some insight into the issue.

    Not a huge issue or critical, I'm not trying to make a mountain out of a mole hill, just trying to provide perspective on the way I use it to help guide any potential future improvements to the app.

  • KQ012j3
    Community Member

    Like many, I came here being stumped after upgrading to version 8. After using the new version for only a day, I've already found myself frustrated with the multiple login workflow enough times that I'm wishing I had stayed with version 7!

    I work as a freelancer and I have a personal account (which I use for work and private stuff), then I also have an account from an agency I work with. I use both accounts multiple times a day and the workflow was a lot smoother when I just needed to login once. The characterisation of 2password or 3password as mentioned above, feels quite apt. I was happy with just having to remember 1 password when using the app, rather than 1 password per account.

    I see the security aspect of single sign-on to multiple accounts, but allowing the user to link accounts would be a great help, something like a toggle "if logging into account A, also open account B".

  • Jack.P_1P
    edited June 2022

    Hi @BlueViper:

    I just wanted to follow up separately on this portion:

    This wasn't too big of a deal but now all of a sudden I noticed my browser extensions just switched to needing to be unlocked independently of my desktop app. I use two browsers on a frequent basis so at least as of this morning I'm now unlocking my vaults 3 times each.
    Maybe the extension thing is a bug/fluke/something broke and I need to fix it. I'm still looking at that. But it's at least some insight into the issue.

    If this only started occurring earlier this morning, there is an issue with our signing certificate that is affecting 1Password 7 and 8 for Windows, resulting in some customers having trouble with updating or installing 1Password as well as the browser integration. We're working on getting this resolved, and appreciate your patience. In the meantime, please know that this is not a security issue and 1Password is safe to use.

    If you're having trouble with 1Password, the best workaround is to use 1Password in your browser without integrating with 1Password for Windows: right-click the 1Password icon in your browser's toolbar, choose Settings, and turn off the "Integrate with 1Password app" option.

    @KQ012j3: Thanks for your feedback on this.

    Jack

  • BlueViper
    Community Member

    Thanks @Jack.P_1P. I did see something about that in another thread after I posted my response and I probably should've updated it. But I appreciate you confirming it all the same.

  • PeterG_1P
    edited June 2022

    Thanks, @BlueViper. For anyone who is coming new to this part of the discussion:

    That certificate issue has been resolved in the following 1Password versions:

    1Password 8

    Production: 8.7.2-2
    Beta: 8.8.0-141
    Nightly: 8.8.0.140

    and also in 1Password 7 version 7.9.830.

    If anyone is still experiencing that issue, you should be able to update to one of these versions (or newer) and the issue will resolve. You can also then re-enable your 1Password extension's "Integrate with 1Password app" option and things will go back to normal. We've had near-universal success in resolving this issue through the updates listed above, and so highly recommend giving that a try if you've encountered this problem.

    And if that doesn't resolve your issue, feel free to contact us at support+windows@1Password.com and we'll spring into action. 👍

  • michalkulakowski
    Community Member

    @PeterG_1P Let me argue that the perceived security improvement caused by the change you have introduced is theoretical only, while the user experience degradation is real. Here is my use case:

    • I am using two vaults on my laptop and phone: corporate and family account
    • I am spending 90% of the time working on a Mac laptop connected to a desktop monitor with the lid closed. Biometrics is not available to me most of the time
    • Right now when I reach a password prompt on a website I see a little 1Password icon in the form field which I can use to fill the password. This already degrades user experience in 1pas. What was a keyboard shortcut of CMD\ is now a click with a mouse.
    • Now clicking on it prompts me to fill the password, but it will only do it once.
    • If I do not guess in which vault the password actually is, I do not get the second chance. Then I have to open the 1Password app and unlock the other account manually.
    • Taking this into account, having the same password on all vaults is the only way to go. And it is functionally equivalent to the previous solution.

    If you ask me for my opinion, the idea of having a password at the vault level is flawed in the first place. With the password I am proving my identity, not vault ownership. Once you have decided to give up on the main vault idea, you should have taken it consequently to the end and moved the password to the account level.

  • cepheus
    Community Member

    I also want to throw my hat in for bringing this back in 1P8.

    This was a noticeable downgrade for me and the situation I run into most frequently is one where I can't make use of Windows Hello or Touch ID. It doesn't make sense security-wise that a single credential is deemed fine to unlock multiple vaults if it's an externally authenticated method (especially since changing my vault passwords is a lot easier than changing my fingerprints!).

    Additionally, for me and many others where I do not memorise the passwords of my other accounts, it creates a new security attack surface as the only way to log into the other accounts is to manually copy/paste the password out of the primary vault. Sharing a password would eliminate this, but like many people I use an extremely long password to maximise security, and doing so would not eliminate the need to enter it multiple times when unlocking the vaults.

  • PeterG_1P
    edited July 2022

    Thank you for the feedback, folks. I'm passing on to the appropriate decision-makers, and while I can't promise anything in particular at this point, it does help us to understand your workflow, the kinds of situations you're facing, and how you'd like us to improve the app. I'll keep advocating for your use case!

    @cepheus: how would you feel about a "daisy-chain" solution, in which, for example, you do something like this?

    1. Log into first 1Password account with a password you've memorized
    2. This gives you access to a vault in which you have a password (or passwords) for your other accounts saved
    3. You click that item (or we put some other UI solution in place) and the subsequent 1Password accounts unlock

    Would that suit your needs?

  • cepheus
    Community Member

    I think something along those lines would at least be an improvement on the current state of affairs in 1Password 8, for me personally.

  • pfriesch
    Community Member

    I have pretty much the same use case as michalkulakowski and this is blocking me from upgrading to 1Password 8.

  • DanP110
    Community Member

    I also have several vaults in play with auto locking... I appreciate that each vault must be unlocked and would like to keep separate passwords, but find the 1P8 upgrade to have made my typical workflows difficult. Like many others (@Petie, etc.) I keep the passwords for several of those vaults in my main personal vault.

    I would like to upvote a way to designate those passwords for opening "secondary" vaults automatically after my personal vault is opened. Separate passwords, separate logins, but on an existing machine we're back to unlocking with a single biometric or password unlock. By having some kind of flag or option we could also selectively keep certain vaults closed without independent verification. In other words, have some kind of flag so that it isn't automatic that it searches for vault passwords in your primary vault.

    Thank you!

  • 7Horizon
    Community Member

    Please, guys, stop killing such important features like this one, or at least give us the choice. A lot of users have two different vaults, like family and office. And as I often work with an external monitor and the lid closed, biometrics are not an option. This means I need to unlock both vaults a lot during the day, which leads to setting the autolock timer much higher to not kill productivity. And this is another security risk. So why would you just kill such a feature instead of adding a toggle in the settings for it? I really don't understand such decisions. I instantly downgraded back to Version 7, please fix this.

  • meow
    Community Member

    I can't speak to any specifics about iOS at this point, but I can say that on Mac and Windows unlocking via biometrics (Touch ID, Apple Watch, Windows Hello) does unlock all added accounts, as it stands.

    I haven't yet experienced Apple Watch or Touch ID unlocking both of my vaults on a Mac mini (M1) or MacBook Pro (M1 Pro). I understand separate passwords to unlock separate vaults but the biometrics option not working is pushing me back to v7.

  • aiba
    Community Member

    I was also disappointed to discover, after upgrading to 1Password 8, that I now have to unlock multiple vaults many times per day. It's very annoying. There should be a way to unlock all vaults at once.

  • micahbf
    Community Member

    Count me in as another long-time 1Password user who is very disappointed and annoyed at the need to unlock vaults individually.

    @PeterG_1P I like the daisy-chaining idea, except I think it shouldn't require any additional clicks, ever. It should just be: configure it once and always unlock everything with a single action, like it used to be.

This discussion has been closed.