Questions regarding Emergency Kit sharing in a family account, also Emergency Kits and yubikey

My family has a family account. We are setting up things on 1Password so that, in an emergency, we can access each other’s important accounts. But I’m not sure if we are doing it in the best way or not, so a few questions:

  • Is it safe to upload each other’s Emergency Kits to a shared vault? One of our members has already done this for his Emergency Kit, but I’m concerned that, if any one of our computers gets hacked, this would open up our entire family account to that hacker. Is this a valid concern? Is there a better practice for sharing Emergency Kits or otherwise allowing emergency access to family members?

  • If a someone has my Emergency Kit, but they do not have access to my yubikey which is configured for 2-factor authentication on my account, will they be able to access my account? Could they use my Emergency Kit to turn off 2-factor authentication on my account and then log in without my yubikey?

Thanks very much for any assistance!
GBoomer


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @GBoomer

    Is it safe to upload each other’s Emergency Kits to a shared vault? One of our members has already done this for his Emergency Kit, but I’m concerned that, if any one of our computers gets hacked, this would open up our entire family account to that hacker. Is this a valid concern? Is there a better practice for sharing Emergency Kits or otherwise allowing emergency access to family members?

    There is certainly some risk to doing this that doesn't exist if you don't do it. You'd have to weigh that risk. We generally recommend printing Emergency Kits and storing them in physically safe locations.

    If a someone has my Emergency Kit, but they do not have access to my yubikey which is configured for 2-factor authentication on my account, will they be able to access my account? Could they use my Emergency Kit to turn off 2-factor authentication on my account and then log in without my yubikey?

    The Emergency Kit alone is not enough to disable 2FA, unless:

    1. Your Master Password is written on it
    2. An attacker has access to one of your already authorized devices

    I hope that helps!

    Ben

  • GBoomerGBoomer
    edited June 4

    << The Emergency Kit alone is not enough to disable 2FA, unless:

    1. Your Master Password is written on it
    2. An attacker has access to one of your already authorized devices>>

    Thanks, Ben. Are you saying that BOTH of the above need to be true to for the attacker to disable 2FA, or just one or the other?

    Would an attacker be able to disable 2FA and open my account with the Emergency Kit and Master Password (without my yubikey)?

    Thanks again!

    GBoomer

  • BenBen AWS Team

    Team Member

    @GBoomer

    I'd be happy to clarify.

    Thanks, Ben. Are you saying that BOTH of the above need to be true to for the attacker to disable 2FA, or just one or the other?

    Both :)

    Would an attacker be able to disable 2FA and open my account with the Emergency Kit and Master Password (without my yubikey)?

    Only if they also have access either to your

    • Yubikey or TOTP secret OR
    • an already authorized device

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file