feature request: disable personal vault for a family member

DanBrotsky Junior Member

The notion of a "personal" vault (that only the user himself has access to) is not appropriate for some very young or very elderly family members, whose use of 1Password (and the computer in general) needs to be carefully supervised by a competent administrator. Disabling the "personal" vault, that is, restricting access only to existing shared vaults, would be an extremely useful feature when used in conjunction with various types of firewall controls - it would allow users to access and create accounts on sites but ensure that administrators could see that this had happened (and update or disable passwords/etc. as needed).

An alternative approach would be for an administrator to be able to get ongoing access to a Personal vault, so the vault is not private to its owner. I believe that would also be a useful feature for Teams as well as Families.



Comments

  • @DanBrotsky I think this may have been suggested before. I hadn't considered it for the elderly. I know it's a great idea for the young first being introduced to the online world and security by parents who want them to use secure passwords but not lock themselves out (as well as keep an eye on what they are creating passwords for!) Hopefully this idea will be implemented at some point.

  • brenty

    Team Member

    @Martok, @DanBrotsky: While making it possible for a user to remove their own Personal vault is certainly something we can consider, I think that something personal like a Personal vault should really belong to the individual. None of this "Big Brother" stuff. What is the world coming to? :lol:

    But in all seriousness, I think you can accomplish what you're trying to do by giving them Guest accounts instead of regular Member accounts. That way they'll only have access to a single vault you share with them. I hope this helps. Be sure to let me know if you have any other questions! :)

  • @brenty I'm very much against "Big Brother" stuff (particularly as I'm from the UK, where Orwell lived, and seeing what is currently going on with UK privacy laws). I am also very much in favour of responsible parenting. ;)

    I'm aware that it can be achieved with a guest account (I think I even posted about this recently in another thread). Whilst that is a possibility, there are some limitations with doing that. Firstly, a guest account cannot be converted into a full account, so there's the inconvenience of re-registering later (say when the child is older) and then moving logins etc into the Personal vault. Secondly, and more importantly, guest users cannot share more than one vault. So whilst this is ideal for say a young/teenage child to save their own logins into for shared access with their parents, the problem comes when parents want to share some logins with them. So for example, if I wanted to share my Netflix login (and other similar logins) with a child who is a guest user (so they can access the services on their device), I would naturally want to make these logins read-only so that the child could not change them (accidentally or otherwise). The only way to share logins like these would be to move them into the shared vault which would have read & write access (as the child would need that to save their own logins in). Both the moving of the logins and the write access to these is undesired. All of this would be compounded if I had 2 children of a similar age - 2 guest logins and either 2 shared vaults (one for each guest) and then having to have duplicated Netflix logins to go in each vault (as you can't have a login in multiple vaults at the same time) each with write access or the (worse) alternative of a shared vault for both children when both would have access to each other's logins.

    Whilst I don't have this issue with my teenage daughter (she's of an age where I would let her have her own Personal vault and full membership), this wouldn't have been the case a few years ago where I would have wanted a full account for her without a personal vault.

    I do hope you can see where we are coming from with this. The Family subscription is a relatively new service (launched in February 2016 if I am correct) and it's a pretty good offering. However, I'm sure you will agree that the true test of a service is once it is in the hands of your customers and seeing if it meets their needs and what gaps there may be. So by us voicing our opinions (especially me, I know I'm quite vocal!) on this and other matters, it's only because we want to help support and develop the service by identifying gaps that we have seen. We may not always be right, of course, but it's always good to talk about this. :)

  • brenty

    Team Member
    edited November 2016

    I'm aware that it can be achieved with a guest account (I think I even posted about this recently in another thread). Whilst that is a possibility, there are some limitations with doing that. Firstly, a guest account cannot be converted into a full account, so there's the inconvenience of re-registering later (say when the child is older) and then moving logins etc into the Personal vault. Secondly, and more importantly, guest users cannot share more than one vault. So whilst this is ideal for say a young/teenage child to save their own logins into for shared access with their parents, the problem comes when parents want to share some logins with them. [...] I would naturally want to make these logins read-only so that the child could not change them (accidentally or otherwise). The only way to share logins like these would be to move them into the shared vault which would have read & write access (as the child would need that to save their own logins in). Both the moving of the logins and the write access to these is undesired.

    @Martok: Excellent points! I think part of the difficulty is that not all solutions to these problems will work for everyone. And of course, if there are too many options, it can quickly become unwieldy. You're right that there isn't a good solution for the problem presented in your example currently.

    I do hope you can see where we are coming from with this. The Family subscription is a relatively new service (launched in February 2016 if I am correct) and it's a pretty good offering. However, I'm sure you will agree that the true test of a service is once it is in the hands of your customers and seeing if it meets their needs and what gaps there may be. So by us voicing our opinions (especially me, I know I'm quite vocal!) on this and other matters, it's only because we want to help support and develop the service by identifying gaps that we have seen. We may not always be right, of course, but it's always good to talk about this. :)

    I couldn't agree more, and _couldn't have said_ didn't say it better myself! I think there are a few different ways of approaching this, and I'm not sure it's clear what the "best" option may be. It's something we'll continue to evaluate, with the help of everyone's feedback. :)

    ref: b5-2123

  • DanBrotsky Junior Member
    edited November 2016

    @brenty: You seem to be thinking of someone's "Personal" vault as "belonging to them", the way it would if they were paying for the family or team account themselves. But it doesn't belong to them, in exactly the same way as someone's work email doesn't "belong" to them and can be accessed by an administrator at any time. While there are going to be employers/parents and employees/family members who let users maintain their privacy by giving them exclusive use of their Personal vault, there are also going to be employers/parents who are not comfortable with that approach for all employees/family members (because the employee/family member might actually get into trouble or their company into trouble by saving critical family/company info in an inaccessible way). What's being requested here is a simple administrative option that could be set at time of invite --- does this user have exclusive access to their Personal vault or not --- or by a user at any time --- "allow administrative access to my Personal vault". With this approach, there is no "big brother" issue: either the invite explicitly told you that you weren't being offered a private vault or you explicitly decided to let your employer see your private vault. In all cases everyone is operating with full knowledge of what's private and what's not, and neither side can retroactively get or prevent access to anything without consent of the other.

  • What's being requested here is a simple administrative option that could be set at time of invite --- does this user have exclusive access to their Personal vault or not --- or by a user at any time --- "allow administrative access to my Personal vault". With this approach, there is no "big brother" issue: either the invite explicitly told you that you weren't being offered a private vault or you explicitly decided to let your employer see your private vault. In all cases everyone is operating with full knowledge of what's private and what's not, and neither side can retroactively get or prevent access to anything without consent of the other.

    This is an interesting suggestion and one that 1Password would need to consider the best way forward. However, this is where you and I differ on what we want from an idea like this. Whilst you do want the option, in some form, of accessing the Personal vault belonging to someone else, I do not want this option, ever. Now I am the admin of my Families subscription (actually joint admin as my other half is) and when my daughter starts using it (she's mid-teens) I do want her to have a Personal vault and I don't want her to ever feel that there is any way whatsoever for me to be able to see what is in it (even though I am the bill payer). I want her to use it well into her adulthood (it's not extra cost to me whether or not she uses it) and feel secure that, as an admin, I can't make sneaky changes in the background. So for me the "switch personal vault privacy" in the admin panel is a definite not. Also the "allow admin access to my Personal vault" isn't ideal either - it's something that could accidentally be enabled when it's not required, there'd need to be a revoke option in the admin panel and it would be an issue if you wanted another adult to also have access to the personal vault but they aren't an admin (so for example the admin is the mother, the non-admin is the father and for whatever reason they don't both want to be admins).

    I still think that the best approach for this, which allows for what is desired, is the disabling of the Personal vault for desired accounts and a shared vault is then used instead (and this is what I would have used with my daughter if she was younger). It's all clear and up-front that it's not private and in the future when a child is old enough, passwords can easily be moved to a Personal vault once it's enabled with the knowledge that the Personal vault is just that, belonging to the user and no-one else can access it. In addition, this would also give the option to couples who don't want to have Personal vaults but prefer multiple shared vaults to be able to have this facility as well.

  • brenty

    Team Member
    edited November 2016

    @DanBrotsky, @Martok: Agreed. Privacy is something we're very passionate about, so if we implement something like what's being suggested here, it really needs to be made clear to the user and probably won't be called "Personal" anymore. Otherwise why should anyone trust you, if, unbeknownst to them, you're accessing data that they thought was truly personal, private, and secure; and why should they trust us, if we're facilitating that sort of thing?

    I'm not arguing that you don't have legitimate reasons for wanting what you want, or that it wouldn't be useful; only that anything like this needs to be considered and implemented very carefully, with consideration for all 1Password users, not just you. It's already been shown in this discussion and others like it that there's not a clear "one-size-fits-all" solution to this that will work even for those requesting the feature. So it's good that we're having this discussion in the first place. A real solution will probably have to meet somewhere in the middle.

    In the meantime, a good option is to give the "restricted" (I really can't think of a good word here...) user a regular member account, since it can access multiple vaults, and just set their "default vault for saving" as one of the shared vaults, instead of Personal. And, if desired, a shared vault can be set to read-only. I know this is a solution that a number of team members use both for their children and parents, and it has the benefit of being something that is usable now. And if and when the kids start trying to circumvent this by using the Personal vault anyway, it's probably time to have a conversation with them. ;)

  • DanBrotsky Junior Member

    @martok, @brenty: I think we are actually all in complete agreement about "the desired restriction", but (as always) appearances are everything. Thus it is the user interface for this restriction that is provoking all the discussion, as it should. Let me see if I can separate the two in a way that's helpful:

    The desired restriction: Restrict specific team/family members so that they can only access vaults that administrators (and possibly others) have access to; that is, there is no private vault created for them, and they are not allowed to create a private vault.

    The user experience: Good question. Let me get there in stages. First, I think we can all agree on one thing:

    • If a vault is called "Personal", it must be a private vault, accessible (and visible) only to a single user.

    So clearly, these "restricted" members should not get a "Personal" vault. But I think we might all agree on another thing:

    • Each full team member should be given a designated vault in which only that member is allowed to create and delete entries.

    This second thing is, for me, what's really at the heart of this feature request:

    • It is what distinguishes full (or "restricted full") membership from other forms of membership, such as Guest membership. Whether or not my "special" vault for saving passwords is private or not, it is mine. Others may have access to read (and possibly even update) my entries, but no one else can create or delete an entry in my vault.
    • It is what allows this vault to have, from each member's perspective, a special name, such as "Default" (rather than "Personal"). When someone else who has access to the vault contents sees the vault, it would be called "<so-and-so's> Default". For me it is just called "Default".
    • It uses a form of Sharing that doesn't seem to be currently supported by 1Password, at least not in the current interface. (As far as I can tell, 1Password supports "read-only" and "read-write" sharing, but under "write" does not separate the permissions for "create entry" and "delete entry" and "update entry".)

    Does that help clarify what I am asking for in a way that seems more palatable to the two of you?

  • @DanBrotsky this:

    Each full team member should be given a designated vault in which only that member is allowed to create and delete entries.

    is already possible with a shared vault. For any member who has access to the vault, including yourself as an administrator, you can remove the write access to the vault. So right now you could have a shared vault that you can see the passwords of say a child or elderly person but you cannot create or delete entries (unless you add back in the write access, which could be done temporarily if required).

    In fact, this is something that I have in my Family set-up. Both my fiancée and I have Personal vaults that we use for logins that only we as individuals need. We also use the Shared vault that we both have read/write access to for various joint logins. In addition, we both have our own shared vault with our own personal passwords for things that only we use but we feel that the other person may need access to at some point (incapacitation, death etc). So for example in my shared vault with her I have my email login. She would need this if something happened to me, but I don't want her changing the password or anything else accidentally on the login in 1Password, so for this shared vault she only has read access, I have removed all write access. Similarly my fiancée has a similar vault that she has shared with me.

    The second part of what you have talked about in your last post really is an addition to what you said in your initial post in this thread, and this addition all relates to read/write permissions and some that don't exist. Technically this is a completely separate issue to the main suggestion which is disabling the Personal vaults. As such, I think this part should be left as separate and dealt with at another time - we should be looking at changing (or trying to influence change in) one aspect of the service first rather than try and bundle a whole bunch of different aspects into one and change the lot together.

    1Password are part way there to the solution as it is:

    • Guest account (no Personal vault but the limitation of a single shared vault and no ability to convert the Guest account into a full account later)

    OR

    • Full account (multiple shared vaults with the ability to set the default save to a shared vault but with the limitation of a Personal vault still existing and the possibility of accidental/deliberate changing of the default save vault back to Personal)

    The ideal for us (just looking at the vault aspect and not any additional read/write permissions) is half-way between these:

    • Full account (multiple shared vaults with the ability to set the default save to a shared vault and a Personal vault that is completely private and can be totally disabled but can be enabled by the administrator at a later stage if required).

    Hopefully this discussion has given food for thought to all parties. As @brenty said, there is no "one-size-fits-all" solution and any changes that are made would need to work for me, for you and for all other users of 1Password.

    BTW it's been great to have a civilised discussion here! So often on various forums a discussion turns into something unpleasant as the debate gets heated and keyboard warriors feel entitled to sling insults at one another. It's a breath of fresh air being able to discuss something that we all feel is important - the improvement of 1Password to meet the needs of users - in a calm and pleasant way. Thank you! :)

  • brenty

    Team Member
    edited November 2016

    BTW it's been great to have a civilised discussion here! So often on various forums a discussion turns into something unpleasant as the debate gets heated and keyboard warriors feel entitled to sling insults at one another. It's a breath of fresh air being able to discuss something that we all feel is important - the improvement of 1Password to meet the needs of users - in a calm and pleasant way. Thank you! :)

    @Martok: This plus infinity! We really have a great community here, and it's a pleasure and an honour to participate in rich discussions like this. :chuffed:

    Does that help clarify what I am asking for in a way that seems more palatable to the two of you?

    @DanBrotsky: There are a lot of different parts and things to consider here, so I really appreciate you taking the time to lay it all out like that. Thank you! :)

    ref: b5-2048

  • DanBrotsky Junior Member
    edited December 2016

    @Martok: Thanks much for the thoughtful reply. And thanks for pointing out what a delight it is to have a calm discussion like this. I agree; it's a very happy thing.

    Let me leave aside the question of read vs. write vs. create vs. delete for a moment (which I agree can be handled as a separate feature request) and just look at your statement of the "desired feature":

    Full account (multiple shared vaults with the ability to set the default save to a shared vault) and a Personal vault that is completely private and can be totally disabled but can be enabled by the administrator at a later stage if required.

    That falls just a bit short for me, because (1) it forces the administrator to create the "shared between user and admin" vault that "replaces" the Personal vault, and (2) it requires the user to set that vault as his default. So let me instead try restating the feature request a different way, and see if it works for you. (In case you haven't guessed, I am trying really hard to find a feature definition that at least you and I can agree on, because then @brenty and the other 1Password folks can't keep saying "even you two can't agree on how the feature should work, so it's not something clearly defined that we can work on." :)) Here goes:

    1. Create a new kind of per-user vault --- call it Restricted --- that is read-write for the user and read-only for admins.
    2. Introduce the notion of a "Restricted" team/family member who gets a "Restricted" vault instead of a "Personal" vault.
    3. Allow admins to convert Restricted team/family members to Full members. When this happens, their "Restricted" vault becomes their "Personal" vault (and is no longer shared with admins).
    4. Allow users to convert their Full membership to a Restricted membership. When this happens, their "Personal" vault becomes their "Restricted" vault (and is shared with admins).

    What do you think of this compromise? You get the ability to turn off "Personal" vaults; I get automatic creation of an appropriate default vault. And business owners/parents everywhere get the ability to keep all entries for specific users accessible in case of emergency.

    P.S. Yes I realize that we could give every full member a Restricted vault in addition to their Personal vault. And I would be OK with that. But my gut says that it overcomplicates things: only one at a time is ever really needed.
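
The four-step proposal in the post above, modeled as a small access-control state machine so the consent rule can be checked. This is an added example, not part of the original post and not 1Password code; the names `Account`, `allowed` and `convert`, and the rule that admins are always Full members, are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Membership(Enum):
    FULL = "Personal"          # per-user vault is private to its owner
    RESTRICTED = "Restricted"  # per-user vault is also readable by admins


class Action(Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"


@dataclass
class Member:
    name: str
    is_admin: bool
    membership: Membership


@dataclass
class Account:
    members: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def invite(self, name, membership=Membership.FULL, is_admin=False):
        # The membership type is fixed at invite time, so the invitee knows
        # up front whether the vault is private.
        if is_admin and membership is Membership.RESTRICTED:
            raise ValueError("model assumption: admins are Full members")
        self.members[name] = Member(name, is_admin, membership)
        self.audit_log.append(f"invite {name} as {membership.name}")

    def vault_label(self, owner):
        """Name shown for the owner's per-user vault (step 2)."""
        return self.members[owner].membership.value

    def allowed(self, actor, owner, action):
        """May `actor` perform `action` on `owner`'s per-user vault?"""
        a, o = self.members[actor], self.members[owner]
        if a is o:
            return True  # read-write for the owner in both modes
        if o.membership is Membership.RESTRICTED and a.is_admin:
            return action is Action.READ  # step 1: read-only for admins
        return False  # a Personal vault is invisible to everyone else

    def convert(self, actor, target, new):
        """Steps 3 and 4: each change is made by the side that gives something up."""
        a, t = self.members[actor], self.members[target]
        if t.membership is new:
            return
        if new is Membership.FULL and not a.is_admin:
            # Step 3: only an admin can release admin read access.
            raise PermissionError("only an admin may convert Restricted to Full")
        if new is Membership.RESTRICTED:
            if a is not t:
                # Step 4: only the owner can open a Personal vault to admins.
                raise PermissionError("only the owner may convert Full to Restricted")
            if t.is_admin:
                raise ValueError("model assumption: admins are Full members")
        t.membership = new
        self.audit_log.append(f"{actor} converted {target} to {new.name}")


if __name__ == "__main__":
    # Constructed sample family, not data from the thread.
    acct = Account()
    acct.invite("parent", is_admin=True)
    acct.invite("child", Membership.RESTRICTED)
    acct.invite("teen")
    for owner in ("child", "teen"):
        readable = acct.allowed("parent", owner, Action.READ)
        print(owner, acct.vault_label(owner), "admin can read:", readable)
    try:
        acct.convert("parent", "teen", Membership.RESTRICTED)
    except PermissionError as exc:
        print("refused:", exc)
    print(acct.audit_log)
```
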

  • @DanBrotsky I see where you are coming from now with this suggestion.

    Personally it's more than I require and is a step further than my suggestion (though I actually don't need anything at this stage anyway as my daughter is now old enough to have a full account). However, I can see that potentially your solution would make things easier for many 1Password admins in setting things up and administering them (I have an IT background so don't mind doing 'extra stuff' to set things up).

    I'm sure @brenty will give his take on what you suggested. :)

  • @DanBrotsky, @Martok , @brenty

    So I'll throw my hat in the ring so to speak since I too can see the need. Dealing with both kids and elderly parents. Right now I have been utilizing a shared vault for each person and then having to go on every machine and device and stating to use the created shared folder as a default. However, worried something might get messed up and things put into the "personal" folder to where we lose access or can't help/assist without that folder being removed. But. I see good solutions presented here.

    -Guest is not an ideal option and it seems we can all agree on that. It's too restrictive.

    Introduce the notion of a "Restricted" team/family member who gets a "Restricted" vault instead of a "Personal" vault.

    This is what needs to be Step 1. The system needs to add an additional role. So instead of just "Family Member", that gets changed to "Family Member - Full Access" and "Family Member - Restricted Access" gets added as a new role.

    Create a new kind of per-user vault --- call it Restricted --- that is read-write for the user and read-only for admins.

    "Restricted" to me means it's something they aren't supposed to use, so maybe there is a better designation. I also don't care for the current private vault named "Personal". In looking what I have currently done, I have a vault with my kids name that was shared. So, maybe the answer is to change the name "Personal" to "Users First Name's Vault". So, the next question would be how would one know if this was a Personal/Private vault or one where it's Restricted/Shared with the admin(s)? Well, the web interface clearly designates restrictions/who has access to what for a particular vault on the user's dashboard, etc. This is clearly missing from the Apps themselves. For one, there could be a moniker added as a label for this vault. So maybe it says "imt's vault - private" or "imt's vault - restricted" or an icon. So this would be visible in the vault list on the apps themselves. As a side note for the apps: I think it would make things transparent for users to also add in the initials icons, to the right of the vault names, to show exactly who else, in the family, has access to that vault. If one just uses the apps, they have no way of knowing.

    I am also not clear as to why you would just want the admin to have read only access to the "Restricted" (personal) folder? I get the need for privacy as Martok has stated but I also see a clear reason to have full access at times as well. Even with read only access you can still log in to a site and "change" their login credentials. Only thing you can't do is save those changes back to 1password. With that said, I would think it being shared with the Admin/Family organizer(s) would be the better route. Otherwise, I would think there needs to be a role where the Family Organizer has read/write for this restricted folder. For example, elderly parents who need assistance or help with creating or editing logins, revising security questions/answers to make their accounts more secure etc. Yes these things can be done with just using a shared folder, but then that doesn't remove the potential for storing items incorrectly into the "personal" folder, in error and have no ability to assist.

    Allow admins to convert Restricted team/family members to Full members. When this happens, their "Restricted" vault becomes their "Personal" vault (and is no longer shared with admins).

    I agree.

    Allow users to convert their Full membership to a Restricted membership. When this happens, their "Personal" vault becomes their "Restricted" vault (and is shared with admins).

    I like the idea of being able to do this. I see that you came at this from the user side. I also think you should be able to initiate a request from the admin side as well. However, in that case the user should get a popup indicating the requested change and require the user to accept changing their "personal" folder to a "shared/restricted" folder.

    Couple other comments:
    If there is a new "restricted user" then am I right that there wouldn't then be the need to have the ability to designate the "default vault" upon account creation for a user? Not sure. Thoughts?

    If restricted users are added, there should be another "Category" added in the apps as well as the dashboard where one can see any edits/additions/deletions made to logins by restricted users. One can sort by date modified in the apps. However, if you are looking at "All Vaults" you then have to click on each item to see vault name on the right. You can go into each individual vault, but again that is time consuming. It also doesn't indicate what changed nor by whom. That is something with the advent of teams/families that should have been added since the changes can come from numerous parties and that should be noted as to who made the changes.

  • rickfillion Junior Member

    Team Member

    Wow. Allow me a second here to pick my jaw up off the floor.

    This has been the most amazing thread to read through. Our forums are usually relatively nice, but this thread should basically be the gold standard in how to have a discussion. You're all awesome.

    The good news for you all is that the backend of 1Password.com could absolutely support these kinds of ideas. I saw mentions/concerns above about permissions not being fine grained enough in 1Password Families to do some of the stuff you're asking for. 1Password Families gets a bit of a simpler access control setup, but vault access could be configured almost any way.

    I think you're doing a bang up job of trying to distill this idea into a relatively simple concept that accomplishes multiple people's desires. Reading through this, and generally agreeing with what you're trying to accomplish... my primary concern is about the additional complexity that this would introduce. Not from the technical side, but educating parents on the differences between the various account types. We would absolutely want them to default to choosing something that provides some privacy for the user, so the two options shouldn't be equal. It's an interesting problem, as you've clearly already determined. :)

    I think there's some real merit to these ideas. I suspect that if we'd do something along these lines, we would try it out in 1Password Teams first (I'm sure you can think of ways that this would be equally valuable in a business scenario), and once we've worked on how to simplify the concepts and how to present them properly we could look at bringing the solution to 1Password Families.

    Thank you for the amazing read.

    Rick

  • @rickfillion

    my primary concern is about the additional complexity that this would introduce. Not from the technical side, but educating parents on the differences between the various account types. We would absolutely want them to default to choosing something that provides some privacy for the user, so the two options shouldn't be equal. It's an interesting problem, as you've clearly already determined. :)

    One way to accomplish this task is to make the default for families work the same way it does today. Thus, it's in its most simplistic form as it exists today. Add "Advanced settings" or something similar in here you can turn these options on or off. Release notes would have a popup that states the new features that are available through the advanced settings. Everybody wins :) At least if it starts off this way, it could then be released to families then at the same time as Teams so that more advanced users/admin can try this out. It then can be decided if some of these options open up to more of the mainstream/default options for admins.

    I am curious about something else. This is the limitation of Families and I assume Teams then as well with the restriction to only have 1 personal/private vault for each user. In the regular apps you can have multiple (All private unless you choose to share them via dropbox/etc.) Usage for scenario for example was to segregate logins, like business and personal. Would this not apply still? An admin can create additional vaults and just make that user have the ability to access that vault, however then we are back to a vault that is not really private, since an admin can easily give themselves rights without notification to the user. I know you can tag items or even use folders, so maybe the thinking is that multiple private vaults aren't needed? Although always had those options in the standalone apps as well. Also, with version 6, you are no longer presented with the "folder" option when presented with the dialog to save the login like you were under previous versions.

    Hmmm. Maybe a possible solution is to incorporate the same rules as I stated above and if a vault is created with solely giving one user permission, then it's treated as a personal vault. If an admin wants to change access, they must get permission from the owner. Assuming of course that the acct is then not restricted ;)

  • Jacob

    Team Member

    That could be one way of implementing it.

    In the regular apps you can have multiple (All private unless you choose to share them via dropbox/etc.) Usage for scenario for example was to segregate logins, like business and personal. Would this not apply still?

    In the hypothetical scenario, that would still apply. Vaults outside an account can always be created in the apps if you'd like.

This discussion has been closed.