Access after death or serious injury

I have been searching for updated articles or information about how I might give my family access to 1Password after my death or if I should become incapacitated... the most recent I've found is still twelve months old.

Given my age and health it is a very serious issue and given that Google, LastPass and Dashlane all have a solution, I thought I would ask the question again.

Other than prising our my emergency kit and handing the whole lot over is there a secure way that 1Password will grant access to nominated people after my death or if I become incapable of using the system. It feels like I may have found a reason that forces me to move on to an alternate product if this hasn't/isn't being addressed.

Ian


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @sailingbikeruk

    I'd be happy to discuss this further. You posted this in the Business and Teams category, but it sounds like your question is about 1Password Families. Would it be alright if I move this thread over to that category?

    Nothing has really changed in this regard. 1Password is built on encryption, and only you have access to your encryption keys. For someone else to get them, you have to give them to that person. To build something like you're suggesting we would need to hold those keys in escrow. One of our core principals here is that we never have access to your keys so that we never have access to your data. We want you to be protected from us, or a breach of our servers, as much as you would from anyone else.

    I certainly understand the desire to have a feature like this, but our recommendations remain unchanged. The best I could recommend, and what I personally do, is store a physical copy of my Emergency Kit in a secure location. If something happens to me my family will be able to retrieve that Emergency Kit and access my data. Until then, the key to that location is kept with me, and nobody else has access.

    We don't disagree with the concept. What we take issue with is what the implementation would require: in order to give your keys to someone else, we would have to have them. That goes against one of our core principals. As such I still believe this is a problem best solved in a low tech way.

    I understand if you feel differently, and a such choose to use an offering that doesn't stand on that principal. We all have our own priorities, and perhaps there is a conflict between ours and yours.

    Ben

  • BY all means move to the the correct forum, apologies I use both families and teams (Home and Work).

    It is an interesting point about holding the keys. I assume from your comment that you are suggesting LastPass and Dashlane have the keys and can therefore access customer vaults, if they did not hold them then they could not give access to relatives or trusted emails addresses.

    I might check that detail before moving, we certainly arenot in conflict on that point and if that is what is happening I wonder how much "access" the companies might have to personal information.

    Thanks

    Ian

  • BenBen AWS Team

    Team Member

    @sailingbikeruk

    BY all means move to the the correct forum, apologies I use both families and teams (Home and Work).

    No apologies necessary. I just want to make sure that anyone else looking for this sort of information is able to find it as easily as possible. Generally businesses have other options available (such as taking control of the employee's email address and then performing recovery), so this is less of a concern there than it is with families.

    It is an interesting point about holding the keys. I assume from your comment that you are suggesting LastPass and Dashlane have the keys and can therefore access customer vaults, if they did not hold them then they could not give access to relatives or trusted emails addresses.

    Admittedly I have not done an in-depth study of either of those systems, so I can't say that for sure, but that is what I had assumed. As far as I'm aware they do not provide the same level of documentation that we do about how / where / when keys are created / stored / used.

    I did a brief scan of LastPass's documentation on their Emergency Access feature and this two paragraph document was all I could find:
    https://support.logmeininc.com/lastpass/help/how-is-emergency-access-secure
    It does seem to imply they are doing better than I initially assumed, but there are a lot of details I'd like to know before I personally would use the feature.

    For what it's worth, our documentation about our security model is available here:
    https://1pw.ca/whitepaper

    We have some blank spots we still need to fill in as well, but as you can see what we do offer is fairly in-depth. We make every effort to be transparent in this regard.

    I might check that detail before moving, we certainly arenot in conflict on that point and if that is what is happening I wonder how much "access" the companies might have to personal information.

    Having as little access to customer information as possible, including not being able to access the data customers are storing inside of 1Password at all, is one of our top goals. It is something we take very seriously.

    I'd say it is a reasonable question to ask, either through researching their documentation or by asking their team. At the end of the day the important thing is that you're comfortable with the level of security that is being offered.

    Ben

  • robrob Agile Customer Care

    Team Member

    Hi, @sailingbikeruk. I'm sorry for the confusion on this point.

    It's true that the easiest way to implement a feature like this is for us to have the keys, but that would not be responsible because not only could we then access your data but we could be tricked into giving access to anyone who convinces us that they are the Emergency Contact.

    However, as Ben noticed in LastPass's documentation, their implementation does not require that they know the keys, just like in 1Password you can share a vault with a family member without giving us the keys first. If we were to implement the same feature it would look very much like the implementation documented by LastPass. Unfortunately we've not made any changes there yet, but it is a feature we'd like to introduce eventually.

    Until that point, our recommendation of printing the Emergency Kit stands. It's also worth noting that even if we added an emergency access feature, its success would depend on the other person being able to access their own account. With a printed Emergency Kit in something like a safety deposit box, you don't have the same dependency. That's not to say it's superior, but there are different pros and cons to each approach.

    I hope that helps. In your original post you were looking for something "other than printing my Emergency Kit". Can you explain why that isn't an acceptable solution for your case?

  • I am currently using LastPass but looking to move to 1Password. The emergency access feature in LastPass is fairly simple, and to your point, does not require them to have access to any of my keys. If I was to pass away or be otherwise incapacitated, my spouse can go to LastPass and request access to my account (She would have to submit my email address). LastPass then notifies me of the request, and I have X days to deny it, otherwise it is automatically granted. So as long as I am paying attention to my notifications on my phone, I would know if someone was trying to gain access. And if I am gone, well, my spouse would only have t wait the X number of days to get access.

    I'd love to see something similar in 1Password. To the question of "why don't you just print the emergency kit form?": Master passwords change, 2 factor token may be lost (in the case of an accident or just unknown to the person trying to get access), or if it is in a safe deposit box and the person cannot access it in a timely manner.

  • BenBen AWS Team

    Team Member

    Thanks @timdalec. The idea is definitely worthy of more thought. To clarify though, LastPass's feature has to be set up in advance of the situation. Your spouse wouldn't be able to go to LastPass after the fact and request Emergency Access if you hadn't already set them up with it. From their guide:

    The following is a general overview of the steps involved when using Emergency Access:

    1. LastPass User 1 adds Emergency Access User (who has an active LastPass account) and specifies a Wait Time.
    2. Emergency Access User accepts the invitation.
    3. In the event of an emergency, Emergency Access User requests access to the LastPass User 1's account.
    4. If LastPass User 1 does not decline the access request (or revoke access) within the Wait Time period, then Emergency Access User is granted access to the account (displayed as a folder in their own Vault and labeled as LastPass User 1's account email address).

    Ben

  • @Ben, that is correct, but the major difference here is that LastPass has the feature and 1Password has nothing...

    We have been discussing a similar challenge with 1Password over in this thread. Instead of your loved ones losing access. You could lose access to 1Password while you are traveling if you don’t keep a copy of the secret key on your person.

    https://discussions.agilebits.com/discussion/82240/how-to-handle-security-while-traveling-and-potentially-losing-devices/p2

  • BenBen AWS Team

    Team Member

    that is correct, but the major difference here is that LastPass has the feature and 1Password has nothing...

    I understand. I was replying to a specific point to try and clarify something that I felt may have been misinterpreted.

    We have been discussing a similar challenge with 1Password over in this thread. Instead of your loved ones losing access. You could lose access to 1Password while you are traveling if you don’t keep a copy of the secret key on your person.

    I think these are separate issues. Both are valid concerns, but separate issues.

    Ben

  • Hi everyone,

    I am looking for some similar solution, that in the event of something happening to me, that my partner will gain access to my passwords. Something that he can request and perhaps after waiting a specified delay will send him a key that only he can decrypt on his account to access mine.

    Something that I can set-up in advance so that I don't have to worry that if something happens to me, he can not worry about finding all the details he would need in order to access everything in the interim if I'm ill, or close things down properly in the event of my death.

    Not a very happy thing to think about, but I think it would be a great feature to add to 1password. I'm still evaluating the 30 day trial, and this is one feature I'm very interested in. I like everything about the client and security so far, so would like to see if this feature could be implemented somehow?

  • BenBen AWS Team

    Team Member

    Hi @jcx

    Right now our recommendation would be to print and fill out an Emergency Kit that could be made available to your chosen individual under such circumstances.

    Get to know your Emergency Kit

    It may be possible to offer a different solution in the future, and we'll continue to evaluate how we might do that without compromising on our core values of respecting customer privacy and not having the ability to access the data folks store in 1Password. I couldn't make any promises in that regard at this stage though. The Emergency Kit is likely to be the best solution, at least for the near future.

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file