1Password Secret Keys

We are working with some new clients and we would like to position 1Password, but we have found that the security model becomes quickly unmanageable for businesses with non-technical people. Keeping track of two-factor tokens and rotating passwords is, by itself, a bit of a challenge for most. Compounding it with a secret key that employees have to store safely somewhere implies that those employees have a safe area to store and secure sensitive papers. This model really limits the usefulness of this product to individuals and technically-apt teams.

How do you recommend working with clients in situations like this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Teams

Comments

  • Ben AWS Team

    Team Member

    Hi @wavesound

    1Password greatly decreases the overall cognitive load of remembering and securely storing credentials because you only have one set of credentials you have to keep track of: the ones for 1Password. This is vastly better than having to remember passwords for each system that requires one. The Secret Key is only needed infrequently: when signing in from a new device. It is stored in the 1Password application after entering it once, and can be retrieved from there. So while it is ideal to have it printed and stored in a physically safe location, this is not absolutely mandatory. It is even less critical in large organizations, which should have multiple people that can assist with recovery (if the Secret Key is needed and unavailable for some reason).

    Really all that you have to remember is your email address and Master Password. As such I'm not sure I understand the question? Could you elaborate? Where/when are people running into trouble? Is it when adding 1Password to new devices?

    Please let me know.

    Ben

  • Hi @Ben

    You don't have to sell me on the use-case of a password manager. My concern is more about the administrative overhead with managing random Secret Keys for users.

    "Really all that you have to remember is your email address and Master Password."

    We're not really running into issues with technically-savvy users, but rather with SMBs that tend to outsource IT. These users do not keep track of their secret keys, meaning that if their work laptop crashes, etc., we have to reset the key. For SMBs this is a headache that users themselves cannot address without help from IT. With competing products, a trip to the store for a new device and an app install is all that is required. However, with 1Password for business, you actually need to keep track of... two passwords, and managing those secret keys as an administrator would be an unacceptable hassle for my clients. I was wondering if you had any suggestions there.

  • brenty

    Team Member

    @wavesound: That helps a bit, but I think we may still not be on the same page here. I'm not sure how you're proposing 1Password could help with people losing their account credentials. We simply can't have them. As you mentioned, in a team/business setting, an admin can help the user go through account recovery. I guess, from experience using account recovery, I'm not sure how it's a hassle. I mean, I guess it is compared to not having to do recovery...but the only solution to that problem is users not locking themselves out of their accounts in the first place. And we're not in a position to prevent that. :blush:

  • @brenty,

    Understood, however, when the account recovery process is completed, you need to go and re-enter the new account key on all of their devices. Some of those devices are not immediately accessible.

  • ag_ana

    Team Member

    @wavesound: that's correct, but it's not mandatory to reauthenticate immediately on every device. If some of those devices are not immediately accessible, the user can update the login credentials on the devices they have already, and update them on the other devices at a later time. Hopefully recovery will also not be required that often :)

  • brenty

    Team Member

    @wavesound: You're correct that you'd need to reauthenticate in order to sync any new changes, but any app where you've already signed in will already have the data locally and is quite usable, even without a connection. Again, you'd just need to sign in to be able to connect going forward.

  • Right, but I think you're missing the point that we'd have to have them drag all of their devices in to get reset. It sounds like what we find to be an excessive burden for our customers is an acceptable tradeoff.

    We will have to recommend another product for this affected client since they will not accept this approach, since it's too "geeky" as far as they are concerned.

  • brenty

    Team Member
    edited July 22

    "we'd have to have them drag all of their devices in to get reset"

    @wavesound: Why? If they're not using them anyway (at home?), it doesn't matter. To be clear, the account recovery process isn't done per-device; it's done for the account.

    "We will have to recommend another product for this affected client since they will not accept this approach since its too "geeky" as far as they are concerned."

    That's entirely up to you of course, but I do think you're missing the point with the Secret Key. I'd encourage you to see my comments here, and let's keep the conversation going in one place as opposed to all over, as that can cause confusion and slows down response time for everyone -- including you. Thanks!

  • @brenty,

    I'm keeping the conversation separate since I'm exploring two challenges we are facing with the Secret Key model.

    I'm familiar with the account recovery model because I just tested it on my own 1Password.com account, and all of my devices were immediately disconnected and I had to go to each one and re-enter the "Secret Key." That's the burden to which I am referring, and I think you may not quite understand. Once they get home, they have to re-configure their devices as if they were signing into 1Password for the first time, and we have to walk them through that process for each device.

    As I said, I'm aware of the Secret Key and its benefits; however, we are finding that it works well for small technical teams, but otherwise it does not scale well beyond those environments into the hands of typical business consumers.

  • brenty

    Team Member

    Again, the 1Password apps can still be used without entering the Secret Key immediately everywhere. Believe me, I use recovery a lot, both in testing and with my family. :lol:

    I'm not really following you when you keep saying things like "it does not scale". If it's something you'd be willing to actually discuss in detail via email, as opposed to here in a public forum, I'd encourage you to reach out to [email protected] so we can get a better sense of what in particular you have in mind. :)

  • Ben AWS Team

    Team Member

    I think a reasonable solution to this problem for such clients would be to encourage their users to print their Emergency Kit and keep it in their filing cabinet at their desk or in their personnel file. I'd certainly be open to hearing ideas of how we could potentially improve this process, but getting rid of the Secret Key or somehow making it optional isn't going to be something we can entertain.

    Ben
