Set up Family Sharing but app is in read-only mode on other Mac

Hi @tasarz,

Sorry to hear you're also having some trouble! This can sometimes be a bit confusing because "purchased 1Password from the App store" can actually mean a few different things. For example, the Mac App Store version of 1Password has been a free download since version 6.6 (released in February), but will be in read-only mode unless you paid for it on the Mac App Store before it was free to download, or you make a new in-app purchase to use it as a standalone app, or you sign up for / sign into a 1Password.com account. Another thing that can make it confusing is that if you downloaded 1Password from the Mac App Store for the first time in the last few months (since February), the Purchased tab of the Mac App Store will show 1Password as a "purchased" app, even if you haven't paid for it.

If you launch the Mac App Store on your home Mac and check the Purchased tab, what is the date shown next to 1Password? If it was before February 2017, it sounds like you definitely paid for 1Password on the Mac App Store. If the date is in the past few months, that means you downloaded it for free and may or may not have paid for the in-app purchase to use the standalone app. Are you able to edit items in 1Password on your home Mac, and can you use the 1Password extension there to fill web forms?

Also, can you clarify the steps you took to install 1Password on your work Mac? You mentioned this:

I have enabled Family Sharing in iCloud, and when I install 1Password using my home account's credentials it shows up as "read-only" on my work computer.

Did you sign into your home Apple ID in the Mac App Store on your work Mac? If so, it should have recognized your purchase and you wouldn't need to use Family Sharing. Or if you added your work Apple ID to your home Apple ID's Family Sharing settings, that won't work if you downloaded 1Password in the past few months and paid for it via in-app purchase, because in-app purchases aren't supported in Apple's Family Sharing feature.

As you can tell, this can all be a bit confusing (even for us), especially without knowing more details about the steps you took or when you downloaded/purchased 1Password. If you can let us know about all that, we should have a better idea about what's going on. Thanks in advance! :)

Thanks @tasarz! I hope you don't mind, but since this is a slightly different situation than the previous thread, I've moved your post to a new discussion so we can focus on this specific issue.

It sounds like you recently added your work Apple ID to Family Sharing for your home Apple ID in order to share the purchase from 2011. Unfortunately, that won't work now that 1Password is free to download with an in-app purchase option. Even though you bought it back when 1Password was still a "paid up front" app on the Mac App Store, it won't work to try to share that purchase for the first time with a different Apple ID now. I'm afraid we don't have control over that - it's the way Apple's Family Sharing feature works (or doesn't work, in this case) for apps in this particular situation.

I'm sorry I don't have a better answer for you about that! However, a workaround for this would be to delete the 1Password app from your work Mac, then sign into your home Apple ID on your work Mac and reinstall 1Password from the Purchased tab in the Mac App Store. Open the app to make sure it's no longer in read-only mode, then you can switch back to your work Apple ID in the Mac App Store. The only drawback is that you would need to switch to your home Apple ID again in order to install an update for 1Password.

Alternately, you might want to consider signing up for a 1Password.com account, which will make this all much easier now and in the future. With an account, it doesn't matter which Apple ID you originally used to buy 1Password or whether you download it from the Mac App Store or from our own website, because signing into your account in the 1Password app would fully activate it. There are also many other benefits, which you can read about here: What are the benefits of a 1Password membership?

I hope this all helps to explain what's happening and what your options are, but please let us know if you have more questions about that. Cheers! :)

Hi @ebarronh,

I'm sorry if this caused any inconvenience for you! However, I think you may have misunderstood some things I mentioned, so I'd like to help clear that up:

In the past we could pay full price up-front and then share our purchase through the Family Sharing program.

Yes, although keep in mind Family Sharing is an Apple feature that applies to certain purchases made through the App Stores, and is not a 1Password feature. In other words, although it's a feature that worked with 1Password, it's not something that we ever added to the 1Password app - it's just the way the App Store works.

Unfortunately, Apple decided not to include in-app purchases in Family Sharing when they introduced it a few years ago. Likewise, there are other types of purchases through Apple which cannot be shared, as explained on Apple's support site here: https://support.apple.com/en-us/HT203046

But now that you decided to make the app free, it won't be recognized as a valid purchase in other family member's apple ids.

Not necessarily - it really depends on a few things. If you bought 1Password from the Mac App Store and shared it with family members when it was still a "paid up front" app, that should still work with those family members. But as far as I know, if you didn't share 1Password with family members before, Apple won't let you do it now, regardless of when you made the purchase. Personally, I'd really like for that to depend on the original date of purchase, but it seems as if that's not the case (and it's something Apple would need to change).

If you paid for 1Password as a standalone app through the in-app purchase option, then it definitely isn't eligible for Family Sharing because Apple doesn't include in-app purchases in Family Sharing.

Forcing us to purchase one of your Family Plans?

No, not at all. 1Password Families is a great option and there are many benefits to a 1Password.com account, but the Mac App Store version of 1Password can still be purchased as a standalone app via in-app purchase.

Why didn't you start offering the free app as a separate one, then let us share our Pro features with Family as always?
[...]
If you want, release another version or stop giving us updates but don't take away our ability to share Pro features with family!

Are you referring to the Pro features in 1Password for iOS? Those have been an in-app purchase since before Apple started Family Sharing, so nothing has changed there.

That's what we signed for, guys!

Do you mean you had purchased 1Password from the Mac App Store when it was still a "paid up front" app? If so, then as I mentioned above, the family members you shared it with back then should still be able to share it now.

Again, I'm very sorry if changing the Mac App Store version of 1Password to a free download with an in-app purchase option caused problems for you. Our goal wasn't to take away the ability to use Family Sharing (indeed, it should still work now if it had been working before), but due to the way the Mac App Store works, it was an unfortunate side-effect.

Please let us know if you have additional questions or concerns about that. Cheers! :)

@fabianzeindl

Creating a secure app is extremely hard, I trust 1Password to do that.

Thanks! :) In the eleven-plus years we've been developing 1Password, we've never had a breach of a user's encrypted data, whether from local vaults or 1password.com.

But keeping a computer-network secure is impossible.

Arguably. Since that's your view, I won't get into all the lengths to which we go in order to keep miscreants and thieves out of our servers themselves. However, I will point out that although 1password.com is relatively new, it's far from the first "cloud-based" sync option 1Password users have had. In fact, many if not most of our users have been merrily using either Dropbox or iCloud for years, to sync their 1Password data between devices (and in the case of Dropbox, to share it with family members). This has been available since version 3 for Mac (2009), and we've still never had a breach of encrypted data in all that time.

That's not to suggest 1Password is invulnerable in all circumstances, forever. Instead, it's merely differing with your idea that storing encrypted data in "the cloud" constitutes "bad security." If that were the case, given the size of our user base, I'd think that we'd have had something less than a perfect record with our lengthy history of 3rd-party cloud-based sync solutions.

Especially when every hacker knows that their are many vaults with potentially insecure passwords lying around to brute-force them.

Indeed, we were quite aware when developing 1password.com that the presence of many users' encrypted data all stored on the same servers might prove a tempting target for some attackers. Fortunately, 1Password has always been developed - since long before 1password.com - with the assumption that an attacker has ALREADY gotten hold of your data file. Real security doesn't come through the obscurity of trying to hide one's data from potential attackers by not "putting it in the cloud," it comes through good security design. That's why we go out of our way to be transparent about our security protocols, even to publishing a security white paper on the subject: so anyone can see for themselves.

That's why, for 1password.com, we created 2SKD (2-secret key derivation), using the Secret Key, because it means that even IF our servers are breached and an attacker makes off with the encrypted ciphertext that (if decrypted) would be a user's 1Password data, the attacker would need to not only know, guess or crack the user's Master Password but also a 26-digit string of random alpha-numeric characters which was created on the user's device when they signed up for 1password.com, and has never been transmitted to us in any form. It is these two "factors" if you will that together derive the AES256 key which decrypts a 1password.com user's data. That means even the worst, easiest-to-crack Master Password would be strengthened by a 26-character string of unknown data, giving even that weakest password an entropy of 128 bits, minimum. If that's below your comfort threshold then by all means you should look for a password management solution that better suits your own assessment of your threat model. We'll be happy as long as we know you're using something other than sticky notes or an Excel spreadsheet. :)

And in truth, you're more than welcome to continue using 1Password with only local vaults, not synced through 1password.com or any other cloud-based sync service.

@fabianzeindl - thanks for that. Were you able to restore your Mac App Store purchase by installing from the Purchased section of your Mac App Store account?

@fabianzeindl No. Try it: one of our own 1Password accounts is https://agilebits-inc.1password.com. When you visit there, are you asked only for your Master Password? Or are you asked for an email address, Master Password and Secret Key?

In any given browser, once you sign in the first time to an account (i.e. - provided all three of those pieces of data), the browser will save the email address and the Secret Key you entered, so that subsequent uses of that browser will require only the Master Password to login...but if you're using an unknown computer (or even, really, any computer you don't own), make sure to check the box that says "This is a public or shared computer." This will prevent any local storage of your email address and Secret Key.

Of course, it won't prevent something like a fully-compromised computer on which there is a malicious rootkit installed from capturing anything you input (including your Master Password or Secret Key) -- but if you suspect or even worry about such a thing on any given computer, the solution is: don't access your most-sensitive 1Password from that computer. If it's the computer at your mom's house, you can probably trust it enough that just checking the box I mentioned is enough. If it's a squirrely-looking PC at Hackers-R-Us Internet Cafe, then probably not. :)

Also: re-installing, resetting or emptying the cache of any browser will dump any saved Secret Key as well.

@fabianzeindl: On behalf of Lars, you're most welcome. Glad he was able to help. :chuffed:

A follow-up to the pricing discussion: Can you tell me why the iOS was sold twice, I paid
7.99€ for 1Password for iPhone, v3.6.5 in 2012 and also
7.99€ for 1Password - Password Manager and Secure Wallet, v4.3.2 in 2014

You purchased two different versions. Version 4 was not free, so it was a separate purchase from version 3.

Regarding the security discussion: Thank you for the lengthy write-up, I did not know about the security-key, I will certainly factor that into my consideration of signing up for the service. Also I'm not against storing encrypted data in the cloud. I had my vault at dropbox (which got hacked) and at iCloud as well. Since the dropbox-webvault didn't use a security-key at the time (does it now?) that was probably more insecure than using 1password.com.

Not insecure, but certainly when building our own service which relies on hosting the data, we wanted to add an additional layer.

My primary concern is the concentration on a single highly-visible provider for storing this data. Hackers might access the network, download all the vaults and keep them somewhere in case some part of the crypto is weakened in a couple of years enabling bruteforcing. And the point is you can never be sure that hasn't already happened.

Indeed. That's our primary concern as well. We operate on the assumption that someone could break into our server and steal everything we have. So, with that in mind, we do two things:

1. We never get the "keys" to user data, not even when you sign into the website.
2. Both the Master Password and Secret Key are used to encrypt the data. That way an attacker who steals the database from us cannot perform brute force attacks on people's Master Passwords — which certainly not everyone will be using a strong one.

This issue is the same for other cloud-providers, but I figure hackers rather attack a juicy target like 1password.com where they don't have to download or search through terrabytes of irrelevant material.

Totally. We need to protect against smart attackers. The stupid ones are less of a concern. ;)

Anyway. Like stated above, I will reconsider signing up. Thank you for the support.

Likewise, thanks for your interest! Be sure to let us know if you have any other questions! :)

@fabianzeindl: Thanks so much for taking the time to let us know you're enjoying it! We don't often hear from folks when everything's working. We're here for you if you ever need help though (but I think you know that!) Happy new year! :chuffed: