Vault Managers in 1P for Families?

maxmustermann

;)

Ben

:)

shmookles

Any updates here? Would be nice to know whether this is happening or not.

Jacob

Thanks for checking in! We don't have anything new to share at the moment. This post from Julie has a lot of details on the thought behind the situation, and how we're doing things right now. I recommend giving it a read. :)

ntimo

I would just like to add my vote for support for letting every user creat its one person vaults. Because now my main account is the account manager I would like to have a second account as admin for security reasons. But then the different admin account should not have read access to the vaults and even not being able to see or manage them witch would be by server policy. He should still be able to recover the account if needed.

AGAlumB

Thanks for the vote! I'd find that useful myself as well. :)

brandonmarkb

Hi everyone. Just wanted to add my voice to the thread as well. I'm a huge 1P fan...been using since 2009. I really like the idea of Families and have been very close to start paying. My wife and I use 1P and just share a vault with everything common between us. However, as our parents get older we would like to start having them use 1P both to have the convenience of the system, but also be able to start sharing critical logins. Also, since I'm usually the designated family IT guy (and iPhone/Kindle teacher and troubleshooter), I'm more comfortable managing everything than I am turning them loose themselves.

To this end I looked at the system and came up with the following setup:

• Both my wife and I are organizers
• I created 3 vaults: one for my wife and I to share, one for my parents to share (or use with a single, shared login), and one for her parents to share
• Access rights were as follows: my wife and I are the only ones who see our own shared vault. I am a viewer of my parents' vault, and she is a viewer of her parents' vault. She's not added to my parents' vault, nor I her parent's vault.
• Finally, I deleted the vault that is created automatically by the system, which shares across all users.

This setup would work pretty well. However, while I don't think my parents nor hers would have access with a son- or daughter-in-law having access to their shared vault, I can't say for sure. I think it's going to be a hard sell for some parents, and potentially ours, to demonstrate that I couldn't just go ahead and add myself as a viewer (or editor) of whatever vault I want.

I know this is a complex issue, and one that is likely well outside the planned use-cases for the system. However, I think that it's one that would be increasingly common as time goes on. I understand the points made that the Admin for the whole family needs to have control over everything.

However, what about a compromise, and this is what I wanted to suggest. Could you look at implementing some form of authorization system to add new members? What I mean by that is, say I decide some day that I want to add myself to my parent-in-law's vault (the one where my wife is currently an organizer but I'm not added). Could there be some sort of mechanism where either my wife (as the organizer) or all members of that vault are notified and must approve (either in-app or via an email unique URL) that I'm added? That way they have some sort of autonomy, and then have the ability to at least control or know that others are joining the vault. Maybe you could even say that there's an initial setup period where a vault is set up and all users are only informed when others join (like 24 hours while the admin is getting everything set up) and then after that it's locked and new users can only be added by authorization.

A counter to this would be that perhaps one of those "voting members" passes away and can't approve the request. Well, that's what the emergency kit is for--giving full access to everything in the event a user can't access the app. So this would only be needed, but also useful, when someone is physically alive/present to use the app.

Anyway, hopefully this makes sense. I get that 1Password for Teams enables all the functionality we want, but the jump in functionality and price is pretty steep. And while this may be technically hard to do, I hope you consider some sort of approval system that doesn't add too much complexity and still maintains most of the lightweight and user-friendly focus of 1P for Families.

EnerJi

@brandonmarkb My use case is similar to yours. I would also like to see an improvement to the privacy of vaults (such that organizers don't have completely unrestricted access to view all vaults created within one subscription), while not completely preventing organizers from having access to vaults that they might need to access one day.

I imagine it's a significant challenge to design something like this, but your suggestion of being able to designate certain vaults as needing the permission of two (or more) organizers to modify sounds like a good starting point. In this scenario, I would imagine in the event one of the required organizers is no longer able to access their account that the emergency kit would allow access.

nmott

@brandonmarkb thank you for taking the time to outline your situation and what you envision a possible solution might look like. I do think that it makes sense in your case, if either your or your wife's parents have a problem with one of you being able to view their vault, that it would be worth showing them how to use their own Personal vault. Here's what Julie said in an earlier comment on this thread:

Everyone (excluding "Guest" users) does have a vault which does not grant "Manage" permission to the team owner or family organizer. That is the "Personal" vault. The server will prevent any team owner or family organizer from adding themself to that vault as an ordinary user of the vault, and the server will not allow permissions other than "Recover" to be added to a personal vault by another user. If you have information you want to protect from the team owner or family organizer, right now the only place to store it is in your existing "Personal" vault. Family organizers all have "Recover" access to personal vaults to ensure that family members never lose the ability to access their items -- so long as the 1Password Families account has a recovery plan in place.

That would give you the ability to help your parents while also preserving their privacy. (It would also be handy if they created separate accounts so they didn't have to share logins with each other unless they chose to, but that might not be something you or they are interested in.) You'd still be able to help them recover their information, but you wouldn't be able to view any of their private data. Is there a reason that setup wouldn't work? I saw that you don't want to "set them loose" but in my own experience this is a good compromise.

@enerji thank you as well for chiming in! It's good to know what people are looking for from 1Password Families (and the rest of our products) so we know what to consider in the future. I don't have anything to share at this point, but the feedback is appreciated :)

brandonmarkb

@mmott The personal vault does make sense and is definitely at play in my situation, and I think it addresses a lot of the problem. Here are a couple of hypothetical scenarios where it might not (and as I have this back and forth, remember, I'm definitely a huge fan and this is in the spirit of feedback as a user--I realize I'm by no means on the product team! :)):

• My wife and I have a pretty great relationship with each other and our respective in-laws. I realize that in the scenario I outlined above, that even if my in-laws knew that I could, at any point, add myself to the vault they share with their daughter, my wife, they probably wouldn't care. However, I can see situations where that wouldn't be the case. My mother-in-law is happy to have my wife know her Amazon password and see her purchase history, etc. Maybe she wouldn't be as happy with me having that (just a minor example). Or taken to a further extreme, let's say that at some point one of my in-laws has a pretty big medical challenge and they feel like they need to share a login with my wife for their medical history/prescription ordering, etc., so that she can assist. Maybe in that case they're extremely sensitive to who has that information. Them knowing that their daughter is the only one who can use--or manage who uses--that password would make them feel better about sharing it with her.
• All of these scenarios are pretty innocuous when you have a good relationship with your in-laws, but become much more serious and realistic when you don't. We all know people who love their spouse, but can't stand their in-laws, and vice-versa. Now those scenarios may become much more real where someone would think twice about sharing to a vault that they need their child to access, but that their son (or daughter) in-law can manage.

Anyway, I know this is a very specific set of use-cases, but I'd imagine that the use-case of a tech-savvy child wanting access to some of their parents' logins as those parents get older is one that will become more prevalent in the future rather than less. Especially as Baby Boomers--who are savvy enough to have many Internet accounts--get older and their children find that they need access to those accounts to assist them in old age.

Thanks for listening!

nmott

@brandonmarkb No worries at all, I enjoy thinking about these kinds of things :)

Or taken to a further extreme, let's say that at some point one of my in-laws has a pretty big medical challenge and they feel like they need to share a login with my wife for their medical history/prescription ordering, etc., so that she can assist. Maybe in that case they're extremely sensitive to who has that information. Them knowing that their daughter is the only one who can use--or manage who uses--that password would make them feel better about sharing it with her.

That's a good example of when neither a Personal vault nor a Shared vault are exactly what someone would be looking for.

All of these scenarios are pretty innocuous when you have a good relationship with your in-laws, but become much more serious and realistic when you don't. We all know people who love their spouse, but can't stand their in-laws, and vice-versa.

I have no idea what you're talking about, everyone adores their in-laws ;) In all seriousness, it's hard to plan for those relationships in a tool designed for families that want to share information with each other. No amount of tinkering on our end will ease the concerns someone might have about storing their personal information in a service that their in-laws can also access. That's a human problem, not a technical one.

I'd imagine that the basic premise of a tech-savvy child wanting access to some of their parents logins as those parents get older is one that will become more prevalent in the future rather than less. Especially as Baby Boomers--who are savvy enough to have many Internet accounts--get older and their children find that they need access to those accounts to assist them in old age.

Another good point. I think for most families we can already help with that, but there are some fringe cases that could benefit from the setup you described. (Another option might be to trust someone with an Emergency Kit in case of an actual emergency or, potentially, death. But that only works if people have a healthy and trusting relationship and not the kinda-tense one you described up above.)

I don't know if any of these changes will be implemented, but they are certainly worth thinking about! At the end of the day we have to make some choices about what we're going to support, and that naturally means we won't be able to cover all possible scenarios, but we do strive to serve as many of our customers in the best way we can. This feedback helps inform our view on that, so thanks :chuffed:

sgruby

Today I was able to remove myself (family organizer) from a vault. Was this change intentional? I really wanted to be able to do this and now that I can, I'm wondering if this will go away. Before I can move more of my family to 1Password for Families, having the ability to remove myself from vaults is vital.

AGAlumB

@sgruby: Family Organizers (or Team Owners) should have the ability to manage things as they see fit -- with the exception of others' Personal vaults. While that isn't something we plan to change, we definitely want to make sure people can't lock themselves out of data -- or accounts -- accidentally.

ntimo

@brenty what about an option to bring back deleted vaults from the dead? Or maybe accidentally deleted vaults...

AGAlumB

@ntimo: It's something we'd like to do. Technically this is possible (given backups and historical data), but there's no interface to do any of that currently.

maxmustermann

Hi guys,

It's been a while & reading the recent announcements about 1P for Teams Pro I wondered if your internal discussions went any further?

I think meanwhile (after reading the thread once more) I initially asked for two things:

1) Let every family member create own (shared( vaults and
2) Be able to do this w/o the owner being part of such vaults.

This way family members can have their secrets, still having the owners for (account) recovery.

Cheers,
Martin

Jacob

@maxmustermann Thanks for checking in! This is still something we're considering. We prioritize things based on interest and need, and this one is a bit lower on the list right now because we haven't had a lot of people ask about it lately. This thread was last active in June, for example. I'll give the team a nudge and let them know you asked about it. :)

maxmustermann

Thanks for the heads-up, @Jacob.

I did not contribute much as my last information was that it is still being discussed internally :-)
But the recent announcements around 1P for Teams (Pro) triggered my interest in the progress.

Best,
Martin

Jacob

No problem! We have been hard at work with 1Password Teams lately. It's quite a project. :)

stellar292

It looks like you're deprioritizing this based on demand and I just wanted to say that I've been waiting for this feature to add a bunch of extended family members! Please please allow there to be vaults that Family Organizers can't manage, or that require multiple Family Organizers to consent to any changes to.

Frank

Hi @stellar292

Thank you for sharing :-) I can definitely understand the need for more permissions and vault control using 1Password Families. I will make sure to share your request with the team and add this as +1 vote for the feature. We really appreciate you taking the time to leave us some feedback. Stay safe & Happy Holidays!

Murkrage

@Frank_AG you can make that +2 :), I would really love this feature and it's something that's lacking for me. It's cheaper for us to go families instead of personal, but I'm inclined to go back to a personal account just for this feature.

Frank

Hi @Murkrage - +2 noted ;-)
I appreciate the feedback and thank you for letting us know this is an important feature for you :-) Happy New Year!

Murkrage

@Frank_AG No problem! Happy New Year to you too :)

Frank

@Murkrage Thank you! :-)

hemiro

+1. I also would like to see more permissions and vault control using 1Password Families. Love the feature of more family organizers but would also would like to excluded family organizers from certain vaults.

And of course to all: happy new year!

Greateful_Rabbit

+1

I love 1P and have been using the local version for many years. I would love to migrate to an online version, but unfortunately
sharing is too limited. Here is my wishlist with respect to personal accounts (teams may not fit into this model):

1. All personal accounts are created equal. No matter whether you are single user or part of a family. You have the option of assigning one or more people (1P.com users) that have the permission to recover it in case of you get locked out or (god forbid) leave this world. Recovery should be protected by an additional level of authentication preventing that access to one account ripples off to others.
2. A user can create multiple vaults and manage permissions by adding or removing any other 1P user.
3. Accounts can be grouped in a family for billing purposes.

With the above most (if not all) family constellations can modelled:

Examples Chandler Bing Family

1. Chandler & Monica and their two children Jack and Erica each creates a 1P.com account.
2. Chandler adds Monica, Jack and Erica as members of the family. Chandler and Monica are also assigned the admin role and can therefore automatically recover accounts in the family. Chandlers account is billed for 4 accounts.
3. Chandler assigns Monica full access to his personal vault.
4. Monica assigns Chandler full access to her personal vault.
5. Monica creates a second vault Work which is not shared with anybody.

Examples Jack Geller Family

1. Jack and Judy (parents of Monica) creates a 1P.com account each.
2. Judy adds Jack as family (and admin). Judys account is billed for two accounts.
3. Judy creates a vault called Gellers and gives full access to Jack and read access to Monica and Ross (Ross does't have 1P.com account yet but gets an email invitation to create one.)
4. Judy gives Monica the permission to recover/access any family account in case of emergency.

Examples Joey Tribiani
3. Joey Tribiani manages his own 1P.com account.
4. He creates a Vault called Friends and gives read access to Monica, Chandler, Ross, Rachel and Phoebe.

Examples Monica Geller logging in
1. When Monica Geller/Bing logs in she can see the following vaults:

• Monica/Personal - shared with Chandler, full access.
• Monica/Work - private/not shared
• Judy/Gellers - shared with Judy (owner), Jack and Ross. Full access.
• Joey/Friends - shared with Joey (owner), Chandler, Ross, Rachel and Phoebe.

Examples Ross Geller Family
1. Ross receives an invitation from his mother Judy to create a 1P account and join the Gellers vault.
2. Ross creates an account for himself with no family members.
3. He creates two vaults one personal (that only he can access) and one called Ben. Ben is Ross's son, but Ross thinks he's not old enough yet to have his own account. When Ben is old enough Ross will convert this vault into an account.
4. Ross gives his ex wife Carol (that is part of an other family) read access to vault Ben.

Happy new year!

Frank

Hi @Greateful_Rabbit - Oh wow! Thank you so much for taking the time to send over your idea. I just re-watched Friends recently :-) I will make sure to share your request with the team. I really love the detail you put into this, fantastic!!! Please feel free to contact us anytime, we're always happy to listen. Have a fantastic day & Happy New Year! :-)

monstermac77

Another +1 for more control of family member sharing. I'd especially be interested in the ability to remove recovery capabilities from family organizers (at least in general, if not on a vault-by-vault basis); it's rather concerning to me that family organizers are cryptographically capable of decrypting even the personal vaults of others in the family, and there's no option to disable this.

I of course understand the need for simplicity so that the amazing security 1Password provides is accessible to as many people as possible, but I think it's reasonable to tuck these functions away in a hard to find "advanced settings" page.

AGAlumB

Another +1 for more control of family member sharing. I'd especially be interested in the ability to remove recovery capabilities from family organizers (at least in general, if not on a vault-by-vault basis); it's rather concerning to me that family organizers are cryptographically capable of decrypting even the personal vaults of others in the family, and there's no option to disable this.

@monstermac77: That's not actually the case, though I understand why you might have gotten that impression. "Recovery access" means the ability to start the recovery process for an account (and therefore the Personal vault therein), but they cannot access the data within. The Recovery Group (Owners, Organizers, Admin) does not hold anyone’s personal key set, nor does it have anyone’s Master Password, Account Key, or the vault itself.

I of course understand the need for simplicity so that the amazing security 1Password provides is accessible to as many people as possible, but I think it's reasonable to tuck these functions away in a hard to find "advanced settings" page.

I think that's a good point. We've been experimenting with beta features in 1Password Teams, and perhaps in the future we'll have some advanced options that are only available to the account owner, who will likely be more comfortable with that since they're already administrating things for everyone else to some extent. Thanks for the feedback! :)