Can a team admin access a suspended user's private vault through recovery?

I used to think the answer was "no", but here is the sequence of events that concerns me:

  1. User stores something personal in their private vault.
  2. User leaves company.
  3. Admin suspends that user's account.
  4. Admin changes the email address of the account to one that they control and the user does not.
  5. Admin performs a recovery procedure to reset the master password on that user account.
  6. Admin logs in as that user and now has everything they ever stored in their private vault.

Is there a way to prevent this sort of thing? Or should I avoid storing anything in a private vault that I wouldn't want anyone with recovery permissions to be able to see?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited April 2018

    @andrewwatt: Thanks for reaching out. I’m sorry for the confusion! I'll start by answering the fundamental question, and then we can go into more detail:

    Can a team admin access a suspended user's private vault through recovery?

    The answer is basically "no", since in most cases they won't have access to the user's email. There is simply no way for access/ownership of one account's Personal/Private vault to be transferred to another account. Period.

    However, if the team admin has access to the user's email, then they would be able to complete the recovery process to setup new account credentials, which they would then have to access the account.

    I used to think the answer was "no", but here is the sequence of events that concerns me:

    1. User stores something personal in their private vault.
    2. User leaves company.
    3. Admin suspends that user's account.
    4. Admin changes the email address of the account to one that they control and the user does not.
    5. Admin performs a recovery procedure to reset the master password on that user account.
    6. Admin logs in as that user and now has everything they ever stored in their private vault.

    Is there a way to prevent this sort of thing?

    Hmm. #4 is where this breaks down. An admin cannot change another user's email address or other account credentials. They would have to have direct access to that user's account, either by capturing their credentials or coopting their email account to do recovery for that account themselves. But that brings us to your final question:

    Or should I avoid storing anything in a private vault that I wouldn't want anyone with recovery permissions to be able to see?

    I think this is really important: there is no answer, as it's really going to be a judgement call on your part. But certainly it's not a bad idea to keep your personal stuff out of your work account since you could just as easily be fired and/or deleted from the team at any time, and you'd lose access to anything you had there. If you're not paying for it, someone else is in control and you should plan accordingly. I hope this helps. Be sure to let me know if you have any other questions! :)

  • andrewwatt
    andrewwatt
    Community Member

    An admin cannot change another user's email address or other account credentials.

    Ahh, OK. I couldn't find any documentation explicitly saying whether this was possible. That clears this up for me!

    I have my own individual account, but I have considered recommending the use of a private vault for personal credentials to other people, when I know they work for a company that uses 1Password and I also know they are not willing to spring for their own license. But based on the points you made, it sounds like that's not a great idea.

    Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ahh, OK. I couldn't find any documentation explicitly saying whether this was possible. That clears this up for me!

    @andrewwatt: Indeed, sorry about that! Any user account information can only be changed from within that account. Admins can just invite/remove/suspend and grant access and abilities to users.

    I have my own individual account, but I have considered recommending the use of a private vault for personal credentials to other people, when I know they work for a company that uses 1Password and I also know they are not willing to spring for their own license. But based on the points you made, it sounds like that's not a great idea.

    More importantly, you may want to have the company reach out at business@1password.com — we recently introduced 1Password Business, and that includes a 1Password Families account for each person as well. ;)

  • Privateus
    Privateus
    Community Member

    Thanks brenty and andrew for this.

    Here my case: I work for a company that uses gmail accounts (of course corporate tailored to @companyname.com, but still it's a gmail business account). The email addresses are set by the admin who has full access in case needed. This does definitely make sense as they need to assure continuity in case of illness, lay off, access in case of legal claims against the company or any other worst-case scenarios.

    The company bought the 1passwort membership and gives it to team members (only via the corporate email address).
    However, this also means that the admin has all he/she needs in order to get access to the "personal" account of the user via the recovery process described above.

    A great pity, as I just started to appreciate 1pw and started to add private pws. Will delete these now and might go for an account myself whenever it becomes worth it, but for now 36$ each year is too expensive.

  • Our 1Password Business offering was designed to address this exact scenario. As brenty mentioned it gives each team member in the 1Password Business membership their own 1Password Families membership. The only association between the two is billing. Admins on the business account cannot affect or access data stored in the 1Password Families membership. All they can do is sever the billing link, which would cause the 1Password Families membership to need to set up its own billing.

    A great pity, as I just started to appreciate 1pw and started to add private pws. Will delete these now and might go for an account myself whenever it becomes worth it, but for now 36$ each year is too expensive.

    Worth is a very subjective topic. We feel that $36 USD / yr for the convenience and security that 1Password provides is quite reasonable, but of course it is up to each individual to judge that for themself.

    Thanks!

    Ben

This discussion has been closed.