Recovery vulnerability?

My understanding has been that 1Password prevents me, even as a family admin, from seeing the non-shared vaults of other family members.

That said, isn't it trivial for me to access them if I (1) can get even fleeting access to their email, and (2) initiate recovery?

Sure, they'd know because they'd have to use a new account key. But I would have succeeded in compromising their info without ever knowing their account key or master pw.

Am I missing something?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • The same would apply for any service that sends an email for recovery purposes e.g. password reset

    If they can't secure their email then it's not the fault of the service initiating a recovery to said email

  • brenty

    Team Member

    @crichman: defiant makes a good point: the email account is the weak link here, and that's why it's important that we don't share access to our information with just anyone. Until there's a better, ubiquitous communication channel than email, the best we can each do is to use a provider with good two-factor authentication that notifies us if there's a new login. While they are certainly lacking in some areas, this is one thing Apple is doing well — albeit after some high profile failures (and keep in mind that this is different from their two-step authentication).

  • defiant
    edited December 2016

    @brenty it'd be cool to see 1pw use a similar type of 2FA using your mobile apps - e.g. new logins via <my/families/team> present a popup to allow or deny the logon on one's phone

  • brenty

    Team Member

    @defiant: If we go that route, I agree: I really like Apple's implementation. I think it's confusing because they offer both two-step and two-factor (as other providers often offer both SMS and TOTP options), so we'll definitely want to avoid making it overly complicated as well. The easier it is to use, the more users can benefit. Cheers! :)

  • I hope/think they're phasing out two step in favour of the newer two factor they added

  • brenty

    Team Member
    edited December 2016

    I hope so too. I think that it requires a fairly recent device and current OS, but the new two-factor is more secure and a much better user experience. :)
