Vault Managers in 1P for Families?

maxmustermann
maxmustermann
Community Member

Hi guys & Happy Easter!

Thanks a lot for 1P for Families, lovin' it so far :-)

After playing around one big question popped up and hopefully you have an answer to it.

Let's say we have a family of 6:

  • Amanda & Ben
  • Charles & Danielle
  • Eddie & Fiona

Amanda, Charles & Eddie are siblings. Ben, Danielle & Fiona are their partners.

So Amanda "founded" the family (at 1P.com) and now invites everyone to use the account with the whole family.

  • Everyone will get an own personal vault no one else has access to. That's great.
  • Besides they also have a common shared vault everyone can use, e.g. for family matters. Supercool.

Now comes the catch:

  • At the same time each couple wants to have a shared vault just for themselves.
  • Sure thing, the others should neither see those vaults nor have access to them.

As far as I understood I can't do that with the family edition, right?

Looking through the help I found the "vault managers" and would assume that they serve exactly that purpose: Amanda could create 2 more vaults, add her siblings Charles & Fiona as managers and remove herself from them for privacy reasons, right?

The mini families could then manage their vaults themselves (& also add their partners for recovery). While this brings more fine-grained access & security to them it still has the downside that they always have to beg Amanda to create new vaults when they need one.

End of story :-) Hope I didn't bore you with that until now.

So the "vault managers" show up in the help, but not in 1P.com itself. Hence I assume they only available in 1P for Teams, right?

I also thought a little bit of what I described above and felt it's a bit too complicated if you are a family (and not a team). So I wondered how I would ease the life of those 6 and also wanted to share that:

  • Wouldn't it be easier if every team member would be allowed to create vaults, alter them and invite other family members (if desired)?
  • Optionally the admin could be added for recovery, but does not necessarily see those vaults or have access to them.
  • It also allows everyone to create different (personal) vaults for their purpose (e.g. "home", "school", "work").

The latter I used before 1P for Families with local vaults to separate passwords & documents much better.

Curiously awaiting your reply.

Cheers,
Martin


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«134

Comments

  • Ben
    Ben
    edited March 2016

    Hi @maxmustermann

    Thanks for writing in. 1Password for Families does not have the concept of vault managers, but it is possible for an Owner to create a vault where they themselves do not have access to the data within. Amanda as an owner could for example create a vault that only Charles & Fiona have access to. Unless Charles & Fiona are Owners though they will not be able to create vaults themselves, or manage who has access to any vaults.

    & also add their partners for recovery

    Recovery is done at the account level, not the vault level (even with Teams). An Owner will be able to initiate recovery for any Team/Family members, regardless of any vault permissions.

    Wouldn't it be easier if every team member would be allowed to create vaults, alter them and invite other family members (if desired)?

    Possibly, and that is something we're looking into. I can't make any promises though. At present only Owners can create vaults and manage permissions.

    Optionally the admin could be added for recovery, but does not necessarily see those vaults or have access to them.

    This is already the case, except it isn't optional. Owners have the ability to perform recovery, whether they have access to all vaults or not. Owners cannot recover their own accounts though, which is one reason why it is important to have multiple Owners.

    It also allows everyone to create different (personal) vaults for their purpose (e.g. "home", "school", "work").

    Again, this is already possible, but an Owner would need to set it up for each individual.

    Does that help? Please let us know.

    Thanks a lot for 1P for Families, lovin' it so far :-)

    Great! Glad to hear it. Thanks for the kind words. :)

    Ben

  • maxmustermann
    maxmustermann
    Community Member

    Hey @bwoodruff / Ben,

    Thanks for getting back to me that quickly!

    1Password for Families does not have the concept of vault managers.

    Good to know. Thanks :)

    Amanda as an owner could for example create a vault that only Charles & Fiona have access to.

    Not sure if Amanda managed to do that, yet ;) She is always added with "Full Access" to a vault and w/o the ability to remove herself. Is she missing something?

    Recovery is done at the account level, not the vault level.

    Also good to know. So I will tell Amanda to add another owner, just in case.

    Does that help? Please let us know.

    Almost, but actually I would have a follow-up question after what I have learned now :) Here it comes: Would the other owner also see all vaults or only the one he/she maintained?

    [Every team member would be allowed to create vaults] that is something we're looking into. I can't make any promises though. At present only Owners can create vaults and manage permissions.

    Sure. I understand that such service evolves over time and am so glad you are providing a timely and honest feedback.

    The only thing I am struggling with at the moment is that there is one person in the equation having the possibility to add/remove itself from any vault of the family account, making them potentially unsafe (e.g. Amanda could look into what Charles & Fiona share).

    But possibly that's just a misunderstanding from my side as I am only seeing the family account from one perspective including admin & owner capabilities. So I remain waiting eagerly for your reply :)

    Best,
    Martin

  • Hi, Martin / @maxmustermann.

    So sorry for the delayed reply!

    Amanda as an owner could for example create a vault that only Charles & Fiona have access to.

    Not sure if Amanda managed to do that, yet ;) She is always added with "Full Access" to a vault and w/o the ability to remove herself. Is she missing something?

    Sorry, Ben was incorrect there. Family accounts are not currently set up to allow shared vaults that Owners cannot access. We have discussed this internally, and we'll need to discuss it more before we settle on a solution.

    Would the other owner also see all vaults or only the one he/she maintained?

    Yes, all Owners are able to see and manage all vaults in the account (except Personal vaults). They do not have read access by default, but they can grant themselves read access to any shared vault. This is by design, but as I mentioned above, we're still considering how we can adapt this design for families where the account owner should not necessarily see all shared vaults.

    You're correct that Amanda would have access (or the ability to give herself access) to Charles and Fiona's shared vault, and that's understandably undesirable. The only solution at this time would be for each couple to have their own family account in addition to the shared account between the siblings.

    Thanks for your thoughts and bringing this up again, Martin! We do have some details to iron out there.

  • Not sure if Amanda managed to do that, yet ;) She is always added with "Full Access" to a vault and w/o the ability to remove herself. Is she missing something?

    Ah, yes, sorry about that. As Rob mentioned at present it will be possible for any Owner on the account to add access to any shared (non-Personal) vault for themselves. So while a vault can be created that Amanda is not a part of she could add herself to it at any time. And also if she is the one that creates the vault someone else (another Owner) would have to remove her access from it. That is something we're looking into as a possible change for the future, but I can't make any promises at this point.

    Sorry for any confusion caused!

    Ben

  • maxmustermann
    maxmustermann
    Community Member

    Hi Rob (@rob) & Ben (@bwoodruff),

    Thanks for the update and confirming what I (and Amanda) observed over the past days.

    Looking forward in hearing if, when and what you guys decided on.

    Hopefully it takes the turn that the family of six does not have to get 3 different accounts for the pairs of 2 :-) They are already considering having a second account for their families in law, respectively. I think that should be enough from a user/family member point of view :-)

    Best,
    Martin

  • AGAlumB
    AGAlumB
    1Password Alumni

    @maxmustermann: Thanks so much for the feedback, and the detailed explanations! I'll admit that's a scenario I hadn't considered. Honestly, I feel like I've got my hands full with a wife and two sets of parents, so I'm glad that my brother and his family have their own account. :p

    So while your example probably isn't typical (but then again, who knows?) it's really helpful to consider different cases since there will often be overlap with others. We'll see what we can do to accommodate different setups — if not make 1Password everything that everyone wants it to, at least make all of this clearer. Cheers! :) 

  • maxmustermann
    maxmustermann
    Community Member

    Hey @brenty,

    Thanks for your reply as well :)

    Maybe you've guessed it already, I am having two siblings. They are not Charles & Eddie as this would make me Amanda ;)

    it's really helpful to consider different cases since there will often be overlap with others.

    I had a picture in mind that we could use one family account to have

    1. shared vaults for family affairs (e.g. parents)
    2. shared vaults for matters of each couple (e.g. me & my girlfriend)
    3. private vaults for the individuals (e.g. me splitting up private & work for partial sync on different devices)

    While (1) is working like a charm already, I see (2) & (3) not working except with dedicated family accounts.

    Of course I could use it "as is", but - even trusting my siblings - I possibly do not want to share the Netflix password that i am sharing with my girlfriend. Currently my siblings (being owners) could get access to it as described by @rob.

    The major blocker from my perspective is the thing that a "family member" has no control over creating and inviting to own vaults the others do not see (unless invited). Having that would solve it.

    Honestly, I feel like I've got my hands full with a wife and two sets of parents, so I'm glad that my brother and his family have their own account.

    Exactly. Right now everything is bound to me as the owner as my siblings would need to approach me for new vaults, etc. If they would have the possibility to do this for their own, I would have less work, too ;)

    And my brother is already planning on getting a 2nd account for his family in law. Sure thing they have stuff to secure & share that I have no interest in at all :)

    We'll see what we can do to accommodate different setups

    Looking forward in reading another blog post with new fancy family features - hope :)

    Best,
    Martin

  • Megan
    Megan
    1Password Alumni

    Hi Martin ( @maxmustermann ),

    Again, we really appreciate you sharing your use case here. I just want to give you a little bit of history of 1Password Families. When we originally started developing 1Password accounts, we were focussed on 1Password for Teams, in fact, it was the first option we introduced as a beta. As the beta progressed however, we noted that many users were creating accounts in 1Password for Teams for their families. Many of the fine-grained access tools we have created in Teams, to allow Admins to precisely control who could see and edit vaults, was a bit excessive for a family situation. So 1Password Families diverged from 1Password for Teams, and we took out a lot of the complexness to make it simple to keep your family secure.

    Now, as your situation suggests, there are still some areas of improvement, and as others have said before, we're listening to how families are using this first version of 1Password Families, and we'll most definitely continue to iterate until we find a suitable balance between control and simplicity. It's certainly not going to be a simple task, but feedback from users like you will help us ensure that 1Password Families is the best solution that it can be. :)

  • maxmustermann
    maxmustermann
    Community Member

    Hey @Megan,

    Sure & thanks for sharing. Following AgileBits' blog I know where you (or 1P for Families) is coming from :)
    Not sure about the pricing for 1P for Teams, but I assume 1P for Family is more my pricing model ;)

    Best & Happy weekend to everyone,
    Martin

  • Megan
    Megan
    1Password Alumni

    Hi Martin ( @maxmustermann ),

    It's always great to meet someone who follows our blog - we really appreciate it. :)

    We haven't finalized the pricing for Teams yet, but I feel pretty confident in saying that Families is probably where you want to stay. We'll keep polishing up features to be sure it's a powerful solution for you and yours.

  • MDBrown
    MDBrown
    Community Member

    @Megan Many of the fine-grained access tools we have created in Teams, to allow Admins to precisely control who could see and edit vaults, was a bit excessive for a family situation.

    I'm not so sure that the fine-grained access tools are really excessive. I'm noticing in this forum that a lot of users have family use cases like mine, with extended family members, girlfriends, and other sub-sets within the overall family. Those sub-sets are essentially teams within teams, which, for me, really need fine-grained access control. The challenge, I think, is caused by the fact that access is determined by which vault an item is in, rather than by which items an individual family member needs access to.

    If I were designing the access control system, I would allow owners to grant access to each family member item by item.

    Imagine a table, with all items listed down the left side, and all family members listed across the top. This forms a matrix of check boxes. The owner would simply check a box to grant access to an item for a particular family member. For reference, the Drupal CMS (content management system) manages what they call "permissions" this way. It's a fantastic way to manage access with a high degree of granularity. And it's ideally suited for 1Password.

    Just food for thought.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Imagine a table, with all items listed down the left side, and all family members listed across the top. This forms a matrix of check boxes. The owner would simply check a box to grant access to an item for a particular family member. For reference, the Drupal CMS (content management system) manages what they call "permissions" this way. It's a fantastic way to manage access with a high degree of granularity. And it's ideally suited for 1Password.

    @MDBrown: That sounds like exactly the things were' trying to avoid: clutter and unnecessary complexity. While it's clear that some folks really want that kind of granular control (and ultimately responsibility for managing things at that level), that's not what the majority of people want.

    If I were designing the access control system, I would allow owners to grant access to each family member item by item.

    You and I may find that useful (or perhaps crucial for our purposes), but we're really in the minority there. I think the CMS example illustrates that.

    Most people don't deal with that sort of thing. Some do, but wish they didn't have to. Those who do by choice and relish that degree of control are a special breed, and I think that's a good illustration for where 1Password Teams is a better fit.

    I also think there's a case to be made for item-level access, but again somebody has to manage who has access to what. Most people don't want that kind of hassle, so the default will end up being how it stays in most cases. And then we're back to the way things work now: vault-level control. It's much more manageable. I have a vault shared with A and B, so any items I put there will be accessible to A and B. I don't have to manually set permissions for each individual item.

    Regarding your personal use case, since a vault is just a container, it can have as many items as you want in it, or only one. So it effectively becomes item-level access if you wish. Perhaps true item-level access is something we can do someday, but probably only if doing so grants utility far outweighing the complexity.

  • maxmustermann
    maxmustermann
    Community Member

    Agreeing to @brenty, so :+1: for having vaults as the entity to maintain, secure (& share) ;)

    Still a family might need a bit more flexibility in handling the same.

    But we discussed this in detail already :chuffed:

  • AGAlumB
    AGAlumB
    1Password Alumni

    Agreeing to @brenty, so :+1: for having vaults as the entity to maintain, secure (& share) ;)

    @maxmustermann: Indeed, past a certain threshold (which is probably different for each person), adding complexity increases the chances of migraine. :angry:

    Still a family might need a bit more flexibility in handling the same.

    Absolutely! The magic trick that we have to do here is take it just far enough without going too far. It's always better to slowly add things than to add too much and later take some of it away. That isn't fun for anyone. :blush:

    But we discussed this in detail already :chuffed:

    Frankly I think this discussion has gotten away from the original topic just a bit, but I'm glad. There have been a lot of really important things said here that we'll need to contemplate. :)

  • zeitstaubsammlr
    zeitstaubsammlr
    Community Member

    @brenty: i just want to weight in on this one. We germans are sensible about privacy and transparency in general and that i cannot exclude my brother as 2cd owner for getting himself Access to my important shared vaults of my family and job concerns me a lot and will be a deal breaker for most of the germans.
    I would like to set a self-control lock-out on specific shared vaults and that vault-users can check that in there settings.
    If you decide not to complex owner admin control even more, than at least make it a prominent option in new shared vaults to lock out specific owners on the "user" side. But i would not like that as much, because children could "choose" to lock-out a specific parent-owner.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty: i just want to weight in on this one. We germans are sensible about privacy and transparency in general and that i cannot exclude my brother as 2cd owner for getting himself Access to my important shared vaults of my family and job concerns me a lot and will be a deal breaker for most of the germans.

    @zeitstaubsammlr: I'm not sure I understand the concern. If you don't want your brother (or anyone else) to be able to get your data, don't give them access to it — whether that means excluding them from specific vaults, or not giving them an account at all.

    I would like to set a self-control lock-out on specific shared vaults and that vault-users can check that in there settings.

    I don't understand what you're asking for here. Any vault you can create can be shared with multiple, one, or no Family members if you wish.

    If you decide not to complex owner admin control even more, than at least make it a prominent option in new shared vaults to lock out specific owners on the "user" side. But i would not like that as much, because children could "choose" to lock-out a specific parent-owner.

    Owners cannot be locked out. If you're concerned about keeping specific information private, just put it in your Personal vault. No one but you can access that.

    I guess the idea of this adversarial relationship with Family members you seem to be describing is what confuses me most. If someone isn't trustworthy (either due to age, maturity, or other factors), it is probably best not to grant them access to your most sensitive information. I'm sure there's more to it than that though, so please elaborate to help me understand what you're looking for. :)

  • maxmustermann
    maxmustermann
    Community Member
    edited April 2016

    I feel that @zeitstaubsammlr is seconding my inquiry:

    • He possibly wants to share the account with his brother, e.g. for family affairs.
    • He possibly also want to set him as owner (as they are the two "go to" persons in their family for tech Qs.)
    • But in some cases/vaults (e.g. a shared vault between him and his other half or his "job" vault) he does not want his brother to have access to it.

    AFAIK that cannot be solved at the moment, but would be possible if the family members could maintain their vaults themselves and decide which other family member (!) should have access.

    Best,
    Martin

  • Martin,

    AFAIK that cannot be solved at the moment

    Correct. An owner will be able to add themselves to a vault. It was set up this way intentionally to make it more difficult to lose access to an entire vault. This does assume either a malicious owner, though, and if you're in that situation you may want to reconsider whether you want that person to be an owner on your account.

    Ben

  • maxmustermann
    maxmustermann
    Community Member

    Hey @bwoodruff,

    I am pretty sure that all features were added intentionally and with care :)

    However I have to disagree on parts of your recent reply, so sorry for that:

    I think that typically it is not a "malicious owner" that is be part of your setup, but a trustworthy, tech-savvy family member. That's basically the life insurance if I (as an owner) would lock out myself and need help with recovery.

    In such a setup there might still be stuff I might want to share with someone else of the family, but not necessarily with all (!) owners (there could be more than just the two of us).

    For that purpose I would need a shared vault he/she/they has/have no access to. I think the scenario(s) above explain that quite well and underline that it is still a family use case, not a team one.

    Happy weekend,
    Martin

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2016

    I am pretty sure that all features were added intentionally and with care :)

    @maxmustermann: Well, I suspect that there was a lot of caffeine involved as well... :lol:

    However I have to disagree on parts of your recent reply, so sorry for that: I think that typically it is not a "malicious owner" that is be part of your setup, but a trustworthy, tech-savvy family member. That's basically the life insurance if I (as an owner) would lock out myself and need help with recovery.

    First, no need to apologize for disagreeing! Honestly, I'm not sure I agree with the term "malicious" here either, and I suspect that Ben was just having the same trouble describing the scenario that I was when I used the word "adversarial". Both of these have more of a negative connotation than I'd like, but it's as close as I can think of to expressing the idea.

    In such a setup there might still be stuff I might want to share with someone else of the family, but not necessarily with all (!) owners (there could be more than just the two of us). For that purpose I would need a shared vault he/she/they has/have no access to. I think the scenario(s) above explain that quite well and underline that it is still a family use case, not a team one.

    Thanks for summarizing that so clearly! I agree that it's a problem worth solving. It makes a lot more sense in a Team environment since an employee may quit or be terminated, and for security reasons you'd want to compartmentalize things as much as possible. After all, while access can be revoked, there's no guarantee that they didn't simply dump everything they had access to beforehand. Secrets that are shared cannot be unshared; you can only prevent new secrets from being shared going forward. Risk can be minimized by, for example, not giving IT personnel access to finance information they don't need in the first place. That way there's no need to reset finance account credentials when the IT guy leaves.

    I guess the part I'm having trouble wrapping my head around in your Family scenario is this:

    That's basically the life insurance if I (as an owner) would lock out myself and need help with recovery.

    While you're probably referring only to recovery, this would also seem to apply to, say, estate planning. And since we all need a plan for when when we're no longer able to manage these things ourselves, it seems like that would cover this as well. Why not have the other Owner be a person you trust completely, enough to not only help you recover if you lose your Account Key or forget your Master Password, but also be responsible for handling your affairs in your absence, as opposed to making someone an Owner only for recovery purposes? Just a thought.

  • maxmustermann
    maxmustermann
    Community Member

    Hey @brenty

    I guess the part I'm having trouble wrapping my head around in your Family scenario is this:

    That's basically the life insurance if I (as an owner) would lock out myself and need help with recovery.

    I did not want to restrict an owner to that scenario only, surely other scenarios are valid as well. It's only the first thing that came to my mind to underline the importance of multiple owners.

    While you're probably referring only to recovery, this would also seem to apply to, say, estate planning.

    Good point. In my thinking such an estate planning goes partly "offline", meaning that my other half should would have access to the most important things anyways (i.e. shared vaults), but I'd need to deposit an access to my personal account in case I am no longer able to manage these things myself.

    If you are able to incorporate that in the solution as well, that would just be awesome. Well, in fact it is not that awesome to think about the scenario not being here anymore, but It's a necessary one I believe.

    However I would not like to see a "per se" access for any owner as it seems to be the case right now.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I did not want to restrict an owner to that scenario only, surely other scenarios are valid as well. It's only the first thing that came to my mind to underline the importance of multiple owners.

    @maxmustermann: Thanks for clarifying that! I took your example too literally. :blush:

    Given the current legal climate of, well...no real provisions for our digital lives, offline is really where we need to start. For a lot of us, that means keeping their Emergency Kit somewhere secure that a beneficiary can access when the time comes. Until such time as the law catches up, this is probably best since there are processes in place for all of this. It isn't an idea system, but it's the best we've got currently. :(

    However I would not like to see a "per se" access for any owner as it seems to be the case right now.

    Indeed. We'll see if there's a better way of doing things, without making it all too complex. :)

  • Scuba629
    Scuba629
    Community Member

    Maybe create an 'advanced' section for families. That way the default is still simple and if some need a little more separation they just click on a radio button and off they go.

    I like the idea of more control but do agree that I am in the minority. Most just want easy an simple as technology can be scary(especially with sensitive data like passwords).

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Scuba629: I think you summed it up perfectly. It's a delicate balance. We'll have to consider this carefully, from both sides. :)

  • BrianE
    BrianE
    Community Member

    As a 1Password user, I shouldn't have to deal with losing features by signing up for 1Password for Families. By not allowing users to have more than one personal vault, that is exactly what is happening. I can enable the "Advanced" feature allowing for creating personal vaults, but those aren't synced with the servers which is one of the very things the subscription is paying for.

    Setting permissions on a vault level vs. per-item level is fine, but users should be able to control their own vaults and set their own access permissions. Or perhaps, owners can give users permission to create their own vaults if you can imagine use cases where it should be prevented.

  • AGAlumB
    AGAlumB
    1Password Alumni

    As a 1Password user, I shouldn't have to deal with losing features by signing up for 1Password for Families. By not allowing users to have more than one personal vault, that is exactly what is happening. I can enable the "Advanced" feature allowing for creating personal vaults, but those aren't synced with the servers which is one of the very things the subscription is paying for.

    @BrianE: I think there may be some confusion. You can have as many vaults as you want with 1Password Families/Teams. And whether you share additional vaults with family members or only yourself is up to you.

    You can even create another vault and name it "Personal"...but I'd advise against that since that could cause some confusion with the default "Personal" vault. But it's your choice!

    Setting permissions on a vault level vs. per-item level is fine, but users should be able to control their own vaults and set their own access permissions. Or perhaps, owners can give users permission to create their own vaults if you can imagine use cases where it should be prevented.

    Can you give an example? I'm not entirely sure what you're suggesting here. Thanks in advance! :)

  • BrianE
    BrianE
    Community Member
    edited April 2016

    How do you do the fancy quoting on this forum? :|

    "You can have as many vaults as you want with 1Password Families/Teams. And whether you share additional vaults with family members or only yourself is up to you."

    Yes, I can, because I'm the owner. No other users in my family can.

    Only the owner can create new shared vaults, and only the owner can change permissions. No other user has that control.

    Consider a two person family. They both used 1Password with Dropbox before and were excited about being allowed (not forced) to share vaults with 1Password for Families. They both try to migrate over their existing setup where they each had 2 vaults.

    The owner sets up everything fine, creates a new shared vaults and restricts the permissions so no one else has access. The non-owner tries to do the same, but doesn't have the ability to create new vaults. The owner tries to create vaults on non-owner's behalf, but there is no way to actually create a vault that is completely private to another user and can never be accessed by the owner.

    What are they expected to do? Make both of them owners? Then both of them can access each other's second vault.

    The point I'm trying to make is that 1Password for Families should be a complete product for every single family member. Everyone should be able to have a multiple vault setup for their private data the same way they could if each had an individual 1Password license.

    "Can you give an example? I'm not entirely sure what you're suggesting here."

    Same as above. Every single user (i.e. non-owners) should be able to create a new shared vault and manage permissions of who can see it.

    This thread suggested there is some difficulty finding the line between simplicity and providing all of these features (and for my two cents, it's moved so far towards simplicity I'm not sure it's useful).

    My suggestion is to use per-user permissions. The ability to create vaults is a permission that the owner can enable on a specific user, and otherwise the option is not available. If you have kids who you don't trust to manage vault permissions, they don't have access and have no ability to create a new vault. That provides the simplicity since the options are completely hidden for those users. Other users may want that functionality, so enable it for that user.

  • khad
    khad
    1Password Alumni

    Hi @BrianE,

    You can use Markdown formatting on this forum. So for quoting text, you just use a greater-than sign at the beginning of the paragraph. You can also select the text in your reply and then click ¶ > Quote.

    Yes, I can, because I'm the owner. No other users in my family can.

    You can and should have additional Family Organizers. If you are ever locked out of your account (forgotten Master Password, lost Account Key) and need to get back in, the only way to recover your account is to have another Family Organizer begin recovery. We recommend designating at least one other person as an additional Family Organizer. In the Admin Console, click Family Members. Click the name of the person you wish to make a Family Organizer, then click Promote to Organizer on the bottom of the page showing the details for that family member.

    What are they expected to do? Make both of them owners?

    For the sake of account recover, yes, we definitely recommend this. My wife and I are both Family Organizers for our account.

    Then both of them can access each other's second vault.

    This is not the case. Your Personal vault is only available to you. You can easily confirm this by trying to view the other person's Personal vault in your team since you are the Family Organizer.

    With that objection out of the way, is there another reason you would not want to make the other person a Family Organizer?

    An example setup:

    • Parents = Family Organizers (can create vaults and recover accounts)
    • Children = Family Members (cannot create vaults or recover accounts)

    We could consider adding more complexity with an additional role, but I wonder what the use case would be.

  • BrianE
    BrianE
    Community Member
    edited April 2016

    You can and should have additional Family Organizers. If you are ever locked out of your account (forgotten Master Password, lost Account Key) and need to get back in, the only way to recover your account is to have another Family Organizer begin recovery.

    @khad, I don't want to completely derail a thread about managing vaults, but I'm not a fan of this design either. I mention it in the "Migrating to Families - just not good enough" thread, if you want feedback bring it up there and I'll share my issues.

    This is not the case. Your Personal vault is only available to you. You can easily confirm this by trying to view the other person's Personal vault in your team since you are the Family Organizer.

    You are referring to something completely different than the original post. The post you are quoting is discussing how it's impossible for two users to have multiple private vaults.

    Yes, each user gets one automatically created "personal" vault which is private. My post was demonstrating how it's not possible for more than one user to have multiple personal vaults, which is something completely reasonable to expect especially if they are former 1Password users.

    An example setup:

    Parents = Family Organizers (can create vaults and recover accounts)
    Children = Family Members (cannot create vaults or recover accounts)

    Let's consider some other example families:

    • Single Parent
    • Children

    How should the single parent ensure they can recover their account?

    • Grandparents
    • Parents (owners)
    • Children

    The grandparents want to have a shared vault between them, but not allow any of their kids access to it. How can they do this?

  • MDBrown
    MDBrown
    Community Member

    I hate to be the one to suggest it, but I think it's time to close this thread. I commented early on, but now I'm stuck receiving notifications for what seems to have turned into a gripe session.

    In my opinion, 1Password for Families is for...families. It supports a shared network of members who (in general) don't pose a threat to each other.

    For some of the scenarios I'm seeing described in this thread, I think the original 1Password for individual users would be the better solution. Or 1Password for Teams. These would give the type of fine-grained control some users prefer.

    I might also suggest following the route my family has taken. I subscribed to a Families account, which I use for myself, my parents, and my girlfriend. I am the Organizer. My son-in-law also subscribed to a separate Families account for his immediate family.

    For recovery purposes, I invited my son-in-law to join my Family as an Organizer, and he invited me to his Family, also as an Organizer. We essentially have two separate Family circles that overlap with me and him.

    1Password is a complex service, with a lot of possibilities that are not always readily apparent. It will never be all things to all people, but I think there's very little you can't do with it...after a little mental mapping.

This discussion has been closed.