Feature Request: Two vaults for guest accounts for me as freelancer

oschoenborn
Community Member
edited February 2023 in Business and Teams

I use guest accounts to segregate passwords for each of my contracts. All guest accounts are for me, not for my customers, because there is no other way to achieve my goal with 1Password without paying through my nose. The limitation I'm facing with that method (which I describe in detail below) is that some passwords are common to several contracts, e.g. my GitHub account, which I use across all my contracts. So right now I have to copy that password to each guest account vault, and if I change the password or MFA, I have to manually propagate that change to each guest account. If you could allow a second vault to be shared with each contract, then I could have a vault for "passwords common to several contracts" and share that vault with appropriate guest accounts (which, again, are for me, not the customers).

You'll understand how I use guest accounts for me with the following details:

  1. Say I have contract A with customer A, and contract B with customer B.
  2. Then I create a guest account A for myself for contract A, and another guest account B for myself for contract B. If a client gives me an email address in their system (typical), I use that, otherwise I create an email address for contract A in my Google business account.
  3. Moreover, I use a separate computer for each contract (some customers provide me with a laptop, otherwise I create a separate virtual machine specific to the contract). So I have computer A for contract A, computer B for contract B. Each computer has its own web browser, own software, and own 1Password account (via the guest feature).
  4. When I work on contract A, I power up machine A and log in to 1Password using guest account A; and similarly for when I work on contract B...
  5. When a contract is over, I have no need for the associated guest account so I can destroy it.
  6. I typically have 1-3 contracts at once, sometimes I have more with some on standby etc.

The main advantage of this setup is that I can promise customers that the work I do for them is completely separated from all my other work. Also, if a computer were to get compromised, the blast radius would be minimal, just one client; imagine if I used the master account on each machine: if any one machine got compromised, the hacker could potentially access corporate data across all my clients!

Allowing guest accounts to have access to a second vault would solve my problem.

I must say though, an alternate mechanism to allow access to different vaults on different machines would be way better. In order for this to have the same level of security as I get with the above method, it would be necessary for this feature to disallow selecting which vaults a device has access to; this would only be allowed from the master account.

The process could be:

  1. I add a "device" A in the master account
  2. I give the device A a name (say "contract A"), perhaps even a MAC address (this would be nice but not essential)
  3. Once the device has been added to the master account, there is a security key available for it (generated by 1Password -- possibly the same format as the security key you currently require)
  4. I log into machine A: I use the same master password but I use the security key for device A instead of my primary security key
  5. I see only the vaults that are associated with that device, and I cannot change which vaults are visible without going into the master account

I realize that the primary security key is used in decrypting the password DB, but I'm sure there's a safe approach that you can figure out. E.g. one software I use, called "sops", allows you to specify multiple AWS KMS keys to decrypt a file, and the software will try each one, thus mitigating the risk that you can't decrypt a local file because the AWS region that has the KMS key is down! This is not the exact same problem, but the point is there is almost for sure a way.


1Password Version: Business
Extension Version: Not Provided
OS Version: Windows, Mac
Browser: Chrome
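
The multi-key idea the post borrows from sops is envelope encryption: one data key is wrapped separately under each key that is allowed to open it, and the reader tries each wrapped copy. The sketch below is an added example, not part of the original post and not 1Password's or sops's code; it applies that pattern to the per-device vault scoping requested above. The HMAC-based wrap is a standard-library stand-in for a real AEAD or KMS call, and the vault and device names are constructed.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher (assumption).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def wrap(device_key: bytes, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC the vault key under one device key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(device_key, nonce, len(vault_key))))
    tag = hmac.new(device_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(device_key: bytes, blob: bytes):
    """Return the vault key, or None if this copy was not wrapped for this device."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(device_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(device_key, nonce, len(ct))))

def share_vault(vault_key: bytes, device_keys: list) -> list:
    # Done only from the master account: one wrapped copy per granted device.
    return [wrap(k, vault_key) for k in device_keys]

def open_vault(device_key: bytes, wrapped_copies: list):
    # Like sops with several master keys: try each copy until one verifies.
    for blob in wrapped_copies:
        key = unwrap(device_key, blob)
        if key is not None:
            return key
    return None

def demo():
    dev_a, dev_b = secrets.token_bytes(32), secrets.token_bytes(32)
    vaults = {n: secrets.token_bytes(32) for n in ("contract-a", "contract-b", "common")}
    grants = {"contract-a": [dev_a], "contract-b": [dev_b], "common": [dev_a, dev_b]}
    wrapped = {v: share_vault(vaults[v], grants[v]) for v in vaults}
    visible = lambda dev: sorted(v for v in wrapped if open_vault(dev, wrapped[v]) == vaults[v])
    return visible(dev_a), visible(dev_b)

if __name__ == "__main__":
    print(demo())
```

A device cannot widen its own access here: it holds no key that unwraps another contract's copy, so a compromise of machine A exposes only the vaults granted to device A.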

Comments

  • Hello @oschoenborn

    Thanks for asking about accessing multiple vaults with a guest account, and for sharing your use case for 1Password. I think I understand what you are aiming to accomplish, and see why that may be difficult with just guest accounts. It occurs to me that using team member accounts instead of guest accounts may be a good way to maintain your current workflow while also being able to access more than one vault. I know pricing may be a concern, so I had a few follow-up questions to determine if we have a plan that will be a better fit for you:

    • Are you using 1Password by yourself, or with other people? If you are using it with other people, approximately how many people are in your team? 1-10, 11-20, 21 or more?
    • Are you using 1Password business or 1Password teams?
    • If you are using 1Password business, are there any business-only features which you rely on? If it's helpful, you can see a comparison between both plans on our Pricing for teams & businesses web page.

    If you'd prefer not to discuss this on our community forum where your response is publicly viewable, send an email to support@1password.com with your reply and include a link to this community post.

    I'll be on the lookout for your reply.

    Thank you,

  • oschoenborn
    Community Member

    Thanks @ScottS1P, I sent an email as you suggested

  • ScottS1P
    edited February 2023

    Hey @oschoenborn, I've got your email and am replying now.

    ref: Zendesk-110473

This discussion has been closed.