How to set up emergency access

Carta
Carta
Community Member
edited June 2018 in Families

I've been using LastPass and they have an Emergency Access feature. It gives someone access to your account (vault) after a specified time period. If they access it, and I haven't blocked it during 24 hours, then their access can proceed.

I just signed up for a 30-day trial of 1Password. The only similar feature I can find is the Family sharing plan. So if something happens to me, then a family member can access the vault I've given them permission to access. So if I need someone to have access to everything, for example, then that's available to them all the time, from now and forever. I'd prefer not to put everything in their hands now, only if something should happen to me.

I could create a special vault just for them. But if I'm a goner, then I'd want them to access everything, not just a subset. Unless that subset contains a note on how to dig up the coffee can under the elm tree that's got the printed instructions to log in as me and have access to everything.

1Password doesn't seem as secure in that respect as the Emergency Access offered by LastPass. Or am I missing something here?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«13

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Carta: I guess it totally depends on your perspective (and threat model). I'd argue that someone being able to get access to my data by incapacitating me for a few days is not a security feature. :)

    But anyway, you're right that the way 1Password works poses a challenge to our digital legacies, even if it doesn't threaten our security. We're always exploring ways to make it easier without making that kind of sacrifice, but storing a copy of your Emergency Kit in a safe deposit box, or with your attorney, are just a couple of ways you can ensure that your loved ones can access all of your 1Password data if something should happen to you. There's definitely more we want to do in this area, but not at the expense of security or privacy. Thank you for your feedback!

  • Carta
    Carta
    Community Member

    Thanks, brenty. Exploring these forums linked me to a discussion of an "executor account/vault."

    The Emergency Kit is a kind of 2FA for 1Password. But being stored somewhere secure (bank safe deposit box) makes access more difficult and kind of voids the convenience of your software. I could keep the login/password of my Apple Keychain Access stored in the safe deposit vault and then have my emergency contact get on the bank's access list for the safe deposit box. So Apple's password solution would be sufficient and make your software redundant (nothing wrong with redundancy I suppose).

    LastPass has an Emergency Access feature. The protection there is, when accessed by my chosen access person, I'm notified and can reject it. I get to select the time period after which my non-response then grants them access to my account. 1Password's protection is placing the Emergency Kit in a secure physical location to which this person would also have access.

    Someone could incapacitate me for several days to make it through a LastPass wait period. But I think that's less likely than someone having an insecure phone allowing other people access to their 1Password account (which I'd have Family-shared with them) and thus having wide-open access to my account. Now I depend on their device security and habits.

    Your answer doesn't encourage me to make the switch. I'm still evaluating 1Password to work out the logistics of this issue.

  • It is definitely an interesting and challenging problem. I certainly wouldn’t argue that we’ve come up with the ideal solution for it, but I also haven’t been very impressed with what others are doing in this arena. Hopefully we can continue to brainstorm possible solutions.

    Ben

  • Carta
    Carta
    Community Member

    I think the forum discussion two years ago on an executor accounts, which the 1Password team member commented that that feature was being discussed and that many user requests had come in supporting something like it, shows your commitment to finding possible solutions. Anyway, thanks again for taking time to address this, Ben.

  • AGAlumB
    AGAlumB
    1Password Alumni

    The Emergency Kit is a kind of 2FA for 1Password. But being stored somewhere secure (bank safe deposit box) makes access more difficult and kind of voids the convenience of your software. I could keep the login/password of my Apple Keychain Access stored in the safe deposit vault and then have my emergency contact get on the bank's access list for the safe deposit box. So Apple's password solution would be sufficient and make your software redundant (nothing wrong with redundancy I suppose).

    @Carta: Just to clarify, the Emergency Kit isn't needed in most cases for you to be able to use 1Password; it's just there so that you have your account credentials if all of your authorized devices are lost, stolen, or destroyed. And similarly, keeping it in an appropriate place would allow your executor to use it to access your account under appropriate circumstances. There wouldn't be a high bar for you to access it, only others, as they'd need a court order or death certificate to get into your bank safe deposit, or for you attorney to give them your documents.

    LastPass has an Emergency Access feature. The protection there is, when accessed by my chosen access person, I'm notified and can reject it. I get to select the time period after which my non-response then grants them access to my account. 1Password's protection is placing the Emergency Kit in a secure physical location to which this person would also have access.

    That's just what I was talking about. That would enable someone to hold you and/or your loved ones against your will to gain access to your data. It may be that you're not at risk for something like that, but domestic abuse is not uncommon. So it's not something we take lightly.

    Someone could incapacitate me for several days to make it through a LastPass wait period. But I think that's less likely than someone having an insecure phone allowing other people access to their 1Password account (which I'd have Family-shared with them) and thus having wide-open access to my account. Now I depend on their device security and habits.

    That's not quite accurate. 1Password's security doesn't depend on someone not having access to the device. I can give my phone to a stranger after unlocking it, but they will not be able to access anything in 1Password unless I unlock that for them too. Certainly at that point they could install malware on it and then all bets are off: someone else controls it. So it wouldn't be safe to access data in 1Password on that device anymore, since it would have to be decrypted in order to do so. But otherwise the data will stay encrypted and cannot be decrypted by the attacker without the Master Password. So it's not all bad news.

    Your answer doesn't encourage me to make the switch. I'm still evaluating 1Password to work out the logistics of this issue.

    I'm sorry to hear that, but I understand completely. It would be nice if we had an easy solution to this problem. It's something we're very interested in, and we're always open to suggestions.

  • Carta
    Carta
    Community Member

    Thanks for the detailed answer. Lots to think about.

    If I create an "Emergency Vault" and share that with one or two people, could that vault have an email notification that it's been accessed? Or perhaps an access log that I can read? If I turned that (proposed) feature on with a particular vault (my emergency vault, for example), then 1Password could automatically email me that it's been accessed by parties to whom I've granted access. The email might not even need to specify who (their email or account name) but simply that it's been accessed. Then the ball is in my court to query them or to modify who continues to have access to it or make changes to my own account or to important logins (banking, etc.).

    It's sort of like LastPass Emergency Access but not an "active" feature controlling access. It's "passive," sort of like some software sites when you change your login/password and they email you that a change has occurred. It's then up to you to contact them if the change is unauthorized. In your case, I wouldn't contact 1Password but instead find out who accessed that vault and why.

  • Mikri
    Mikri
    Community Member

    I am also waiting some new 1P features for this need ...
    So a bit brain storming also from me 😊
    …. what about that if this pre-authorized ”Emergency Vault" is accessed by authorized persons then owner will get notification like mentioned but then there is pre-defined time (defined by the owner) to revoke that vault access. If not revoked then those authorized users could access after that defined grace period. So not full access for all data but access for selected “Emergency Vault” and not direct access but instead delayed access.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2018

    Thanks for the detailed answer. Lots to think about.

    @Carta: Defnitely. There's no simple, one-size-fits-all solution, but this is an important topic.

    If I create an "Emergency Vault" and share that with one or two people, could that vault have an email notification that it's been accessed? Or perhaps an access log that I can read? If I turned that (proposed) feature on with a particular vault (my emergency vault, for example), then 1Password could automatically email me that it's been accessed by parties to whom I've granted access. The email might not even need to specify who (their email or account name) but simply that it's been accessed. Then the ball is in my court to query them or to modify who continues to have access to it or make changes to my own account or to important logins (banking, etc.).

    Whoa. You just blew my mind. What you're proposing isn't possible, but something very close to it is. It isn't a perfect solution, and may need to be thought through more fully, but I think it might suit your scenario here. With 1Password Families (or Teams/Business), along with the "regular" users you invite, you can also invite people as "guests". These accounts have access to a single vault you share with them. What you could do is send yourself a guest invite, setup the account, and then give the account credentials to someone for emergency situations. You can put whatever you want in the vault you share with that account, and even make it read-only. But the key here is that since you setup the account with an email address you control, you'll get an email notification if and when someone accesses it on a new device. There are some pitfalls there (you might miss the notification, and at that point the cat is out of the bag anyway), but you might find that useful. Let me know what you think.

    It's sort of like LastPass Emergency Access but not an "active" feature controlling access. It's "passive," sort of like some software sites when you change your login/password and they email you that a change has occurred. It's then up to you to contact them if the change is unauthorized. In your case, I wouldn't contact 1Password but instead find out who accessed that vault and why.

    We don't have that kind of granularity to notify of you of someone accessing a vault per se, but with a guest account as I outlined above, you effectively get that since only a single vault is available to the guest account. It's not something I'd considered before. We have some fairly granular reporting features in 1Password business accounts, but that isn't something we've added to 1Password Families since that's overkill for most personal use cases. We don't want to overwhelm people by complicating things. It's an interesting thing to contemplate though, from a different angle. Thanks for bringing this up!

  • AGAlumB
    AGAlumB
    1Password Alumni

    I am also waiting some new 1P features for this need ... So a bit brain storming also from me 😊 …. what about that if this pre-authorized ”Emergency Vault" is accessed by authorized persons then owner will get notification like mentioned but then there is pre-defined time (defined by the owner) to revoke that vault access. If not revoked then those authorized users could access after that defined grace period. So not full access for all data but access for selected “Emergency Vault” and not direct access but instead delayed access.

    @Mikri: If I'm understanding you correctly, that's what Carta was referring to in the original post. The concern with that is someone could use that feature to get access to your data by incapacitating you, or even just cutting you off from your email temporarily. Having it only grant access to a specific "Emergency Vault" you setup is an interesting twist though. The earlier issue still stands, but compartmentalization may be a useful tool in whatever else we come up with. Thank you for the feedback! :)

  • Carta
    Carta
    Community Member

    Brenty...your solution sounds like it would work well. I don't see it being more complicated than the set up LastPass requires for Emergency Access. And these guest vaults would only have what you wanted that (or each) person to access rather than offering access to everything. Thanks for thoughtfully responding!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Carta: You're very welcome! Thanks for starting this conversation. Though the topic has been discussed before, everyone has a different perspective. That's what makes it so interesting, but also so difficult to have a solution for everyone. :blush:

    Indeed, it sounds like it would help in your case. And it's not terribly complicated. But I know that wouldn't be suitable for many other folks (myself included) since an email notification may be too little too late. I wouldn't recommend it for everyone. That's why I'm not sure it's something we should codify and promote. But it's another piece of this puzzle which we can hopefully build into a cohesive solution in the future. Cheers! :chuffed:

  • oshloel
    oshloel
    Community Member

    I took a little different approach to this dilemma and would be happy to have someone point out the weaknesses I might have missed.

    My wife and I invited our 2 adult kids to become regular family members in our subscription so they could have their own personal vaults and become familiar with 1PW. I then set up a Key PW Info read-only vault we share with them. That vault contains the pw info (but not secret key info) for accessing our respective 1PW accounts along with pw info to access our personal laptops, home server, etc. from which they could access our full 1PW personal and shared vaults (containing everything including our acct secret keys) - but only if they have physical access to one of our machines for at least the first access to obtain our secret key.

    The thought here is that they or someone unauthorized accessing their 1PW vault & our Key Info vault could not access our core vaults without also gaining physical access to one of our laptops or home server; which, wouldn't be that easy for someone but the kids could do if we were goners...

  • AGAlumB
    AGAlumB
    1Password Alumni

    @oshloel: Wow. I really like that approach. Just to summarize and confirm my understanding:

    1. Master Password saved in vault shared with (adult, I'm assuming) kids
    2. Secret Key accessible inside the app with physical access to an authorized device
    3. Something bad happens, kids use Master Password to unlock app on parent's device
    4. Can then get Secret Key to access stuff on their own devices

    I guess the potential pitfall I see is that something bad might happen to your devices along with you, in which case the kids will likely be locked out of your stuff forever. So while it could work, that could be a drawback. Let me know if what you think!

    I'm still partial to the safe deposit box and/or attorney approach since there's a legal framework in place that supports that: your heirs would get this stuff just like they do anything else — property, inheritance, etc. There just isn't a good system in place in society to handle digital legacies right now, so in many cases the most reliable option is to have digital stuff piggyback on legal. Let's hope this stuff catches up eventually though...

  • oshloel
    oshloel
    Community Member

    @brenty: Yes, you have it correct in points 1 - 4. To your other thoughts:

    1. Yes, destruction of one's devices along with them could be a potential issue; particularly, with laptops and phones that could well be with them in an auto or plane disaster. However, in our specific case, we also have the 1PW app on our mac mini home server (which backs up offsite via Backblaze) and an old laptop that doesn't travel with us. So wiping out everything including us comes down to scenarios like a meteor hitting the house while we're in it: possible, but highly unlikely.

    2. I haven't given emergency kit copies to our estate lawyer or executor but am still thinking about it for reasons you mention. The primary issue is getting paper revisions to such 3rd parties when anything changes. We do have a fireproof home safe in which I have put paper copies as a fallback if all digital devices vanish or are destroyed. Access info is in the key info vault shared with the kids, providing the same pw and physical access requirement as with any of our devices.

  • So wiping out everything including us comes down to scenarios like a meteor hitting the house while we're in it: possible, but highly unlikely.

    It seems even then as long as you have your off-site backup configured correctly you should be protected. Unless the meteor wipes out Backblaze as well, of course. But I think we may have bigger issues if that is what happens. :)

    The primary issue is getting paper revisions to such 3rd parties when anything changes.

    By having your Emergency Kit or credentials in a vault that is only accessible to a guest account that you create, and then giving the Emergency Kit for those guest credentials to your estate lawyer/executor, you alleviate this problem. There really wouldn't be any reason to change the guest account credentials unless you change lawyers/executors, but in that case I'd imagine you're going to have some contact with the new folks anyway.

    Thanks.

    Ben

  • Jaharmi
    Jaharmi
    Community Member

    I appreciate the OP's question and the thoughtful replies in this thread.

    I've been using 1P for a number of years and have been concerned about this issue. I recently learned of the LastPass Emergency Access feature and it sounded great initially, without knowing more of its details.

    The "held at ransom" scenario — while not necessarily likely — is something that should be considered carefully. It was not a scenario that came immediately to my mind.

    I'm also using 1P for Families now and look forward to codified support for emergency/executor access in the future. In the meantimes, I'll definitely think about the ideas presented here.

    I could certainly see the possibility of a range of related emergency/executor features that are presented to the user/family. The administrators of the family account could then consider them and the scenarios where they would be useful or where/how the protected data could be attacked — and choose which one(s) to activate.

    Any emergency/executor feature should probably also take into account the "vacation" mode that 1Password introduced.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Jaharmi: I agree that an actual ransom scenario is going to be unlikely for most people, but domestic violence is, unfortunately, not rare at all. There are a lot of other things to consider as well, not just for us here at AgileBits as we continue to develop 1Password, but also for each of us individually as we plan for the future. So in both respects it's really important to have a dialogue on this topic. Thanks for weighing in!

  • Stephen75
    Stephen75
    Community Member

    After reading this thread, I think I have a better idea. Here is the steps:
    1. 1P user (not only 1P family user) set up a emergency contact’ s mailbox, it could be everyone, not only 1P users. The emergency contact is not aware of this by this time and the following steps will only be applied when this is settled.
    2. 1P user write a special security note for his emergency contact.
    3. When 1P user hasn’t have access to his 1P account for a certain time, his mailbox used for registration of 1P will receive an e-mail reminding him to log in 1P.
    If 1P user log in his account within 48h, nothing happens.
    Otherwise, the pre-settled emergency contact’s mailbox will receive a e-mail, and the content of the e-mail is the security note in step 2.

    I think this step has some advantages like:
    1. It is an universal feature for every 1P user instead of 1P family users.
    2. It won’t be abused since the emergency contact don’t even know his role until the last minute.
    3. If 1P user and his device have something wrong at the same time, you can still rely on it.
    4. You can set up different security note for different contact seperatly, this could be useful.
    5. Not every you trusted contact is a 1P user, this problem can be solved too.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Stephen75: Hmm. A couple things are unclear to me. Where is the "security note" being stored, and how does the "emergency contact" know how to access it?

  • Stephen75
    Stephen75
    Community Member

    @brenty:
    Thank you for replying, here is my answers:

    1. My mistake. I think I should call it Secure Note since it could just be stored with other secure notes.
    2. Emergency Contact don't need to and won't have access to my 1P account or my vault, they will receive an e-mail with the content of the secure note pre-stored and assigned to them.

    How do you think of it? Maybe I could make it better.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Stephen75: If I understand you correctly, that doesn't seem to be a good option, for a few reasons:

    1. The Secure Note would be encrypted in 1Password, but email is not secure; its contents would be sent in the clear, and could be intercepted by anyone.
    2. Aside from the fact that it's insecure, what would the mechanism be to have the info exported from your 1Password vault and sent in an email?
    3. Additionally, assuming that were possible, how would that mechanism determine if/when it should send the info via email?

    It's an interesting idea, but I don't see a way it could work in practice at this point.

  • Stephen75
    Stephen75
    Community Member

    Here is my idea to solve these problems. I know it is not perfect, but it can solve some problems above solution can’t.

    1. Instead of sending the whole secure note to emergency contact’s mailbox, a certain link could be generated and sent to the mailbox. Through that link, the emergency contact can visit a certain webpage which is encrypted. That would prevent any ISP, mail service provider read the secure note.
      But this would raise a new problem, any ISP or mail service provider could have access to the link as well! So, when the emergency contact have access to the webpage, he should be asked to be verified. The verification method could be verification code in another e-mail or some pre-set questions.
      Also, the link should only be available for a certain time, like 1 month. After that time, the link should be expired. The emergency contact could also decide to expire the link immediately if he think he has finishing reading it.
    2. Could you tell me more about the difficulty of the mechanism of exporting? I am not aware of it.
    3. When 1P user hasn’t have access to his 1P account for a certain time (he can set that time, like 1 week or 1 month) , his mailbox used for registration of 1P will receive an e-mail reminding him to log in 1P.
      If 1P user log in his account within 48h, nothing happens.
      Otherwise, the mail should be sent.
  • XIII
    XIII
    Community Member

    The verification method could be verification code in another e-mail

    Don't you still have the same problem as before? (email is not secure)

  • Lars
    Lars
    1Password Alumni

    @Stephen75 - this topic is a critical one to make sure we do correctly, because the consequences of doing it in a way that has holes or edge cases could be that no one could access your data in the event of your death. That's something we can't risk, which is why we haven't tried to put forth a solution for this, yet. As brenty mentions up above in this thread, using either a safety deposit box or a lawyer is currently the best method of ensuring digital legacy with respect to 1Password. But there's definitely room to try to figure out a more-automated solution; the only caveat needs to be that it works reliably in all cases. I don't know of a foolproof way to do that just yet, but one of the things I'm sure of is the principle of keeping it simple. Too many emails/tokens/vaults/etc and the potential for edge cases and failures increases dramatically. Thanks for thinking critically about this scenario and sharing your thoughts on the topic! :)

  • Stephen75
    Stephen75
    Community Member

    @Lars @brenty
    Thank you for replying. You are right, security is some sort 'all or nothing' stuff. I know my solution is far from good.
    But I am still looking for this kind of feature desperately, it's going to be very helpful.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Stephen75: Thanks for following up! The difficulty I'm seeing with #1 is that, as mentioned above, you'd be relying on email to exchange information, and email is not secure. Also, someone else getting the link is fine if they can do nothing with it without an encryption key of some sort...but then we're back to the chicken/egg situation: how do you send them that information securely via another channel? You could use something like Telegram, but at that point, you might as well just send them the information you want them to have instead of just a means to access it. After all, you've already setup a secure connection with them.

    As for #2, exporting data is a manual process, and anything taken out of 1Password is no longer secure.

    Finally #3, encryption has no time limit. Someone either has the keys to decrypt the data or they don't. You could change it later, but that would not affect any cached copy of the original encrypted data. And this can't be automated. You'd need to do it yourself or the keys to decrypt it would be lost to you (and you could not pass them on to someone else).

    It's a neat idea, but just isn't practical currently. It's possible that some new technologies might help in the future, but we're not there yet. As things are now, 1Password Families (or a business account) makes secure sharing possible since we can "hide" the complexities of exchanging public keys in the invitation/account creation process. Everyone who is part of the membership plan gets the public keys from others and gives their own when setting up their account, so that any vaults shared with them can be encrypted using those keys and decrypted by them. It's possible we could find a way to leverage all of this in the future to do something in this area though, so it's good to brainstorm. Cheers! :)

  • ccboth
    ccboth
    Community Member

    I would also love to see this kind of feature built in. Especially with "family" accounts.
    If there was a feature where, in the app (so that it's contained behind 1Password security), you could trigger a code release, that would be amazing.
    Scenario:

    • I set up a timed 'code release' that is shared with my wife who is part of my 1Password family account
    • After 15 / 30 / 60 days (user choice), I get a notification in the app to "keep" my vaults secure
    • If I do NOT respond, my vaults, or a code to my vaults, is released to my wife
    • She can now access everything in my 1Password

    So... obviously if something happens to both of us at the same time, this falls apart. But based on what I've read in this thread, this additional feature to family accounts would be awesome.
    Please consider this for future releases!!

  • hanspaint
    hanspaint
    Community Member

    What I did is simple. I put the emergency kit on a password protected USB stick each of my 2 adult kids have a part of the password the combination is the password to unlock the USB stick. The data on the USB stick will be erased if you try to unlock the USB stick a number of times with the wrong password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @hanspaint: That is pretty simple. I like it. :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ccboth: Thanks for the feedback! I'm not sure that's something we could recommend to all 1Password users (which makes it tough to justify) for the aforementioned reasons, but it's something we can consider. :)

This discussion has been closed.