Powers of Family Organizers / Multiple "Private" vaults

jordvisser
Community Member
edited January 2019 in Families

Hi,

I'm in the process of looking into 1P-families, for a family of five.

In my experience with the control panel it looks like the main account owner and other users with higher privileges can delete a vault without the vault-owner's consent, and thus deleting all their passwords/data without giving them prior notice to move their passwords/data.

I see this as problematic for a Family type account, as we all know Families can have their moments.
Next to that, if a member of the family wishes to move on they have to go through the process of creating a new account and move all their passwords/data.

Why not make it all separate accounts which are linked to a Family? .. so they can only be disconnected & not deleted.
What is Agilebits's view on this?

For me this is a make it or break it thing, this kind of data belongs to one person unless this person willingly and knowingly transfers or shares it (which is not all too obvious right now)

2nd: The same goes for the suspension of accounts.

With kind regards,
Jord Visser


Comments

  • AGAlumB
    1Password Alumni

    @jordvisser: Thanks for reaching out. Indeed, it's a complex issue. The reality is that we do not give anyone power to do something like that though. The account Organizer is the owner and creator of the account, and probably the person paying for it, so they inherently have a lot of power since they can not pay the bill, add or remove people, or delete the account altogether. I don't see any way around that, as we can't very well make account owners ask us for permission to change their own accounts. I'm not even sure what criteria we could possibly use to make that kind of a determination, and really it's none of our business. But you raise some really good points:

    Why not make it all separate accounts which are linked to a Family? .. so they can only be disconnected & not deleted. What is Agilebits's view on this?

    The reason it doesn't work like this is because it's necessary for family members' accounts to be under the same plan in order for them to share data securely. (Also, there's a convenience to having someone who's Otherwise you'd each need to do something like manage your own public/private PGP/GPG keys, exchange public keys via a separate channel, transmit encrypted data back and forth using messages or email or something, and then use each others' public keys to decrypt it. 1Password Families (and Teams/Business) uses a common plan to be able to do key exchange automatically in the background as part of account creation, transparent to the user. Now, if you don't care about sharing vaults securely (or are okay with doing key exchange and transmutation yourself), you can simply each use individual 1Password.com memberships, and then everything will be separate: account ownership, billing, and all data.

    For me this is a make it or break it thing, this kind of data belongs to one person unless this person willingly and knowingly transfers or share them (which is not all to obvious right now) 2nd: The same goes for the suspension of accounts.

    Agreed. Just like you're not going to give just anyone a key to the car or house, it's important to only accept invitations from (or promote to Organizer status) family members who are mature and dependable enough to be given that responsibility.

    One thing worth mentioning though is that while a family Organizer has the power to create and remove shared vaults, and change permissions on them, they (cryptographically) never have access to the Private vaults of others. Each 1Password.com account has its own Personal/Private vault which is only accessible to that person using the Master Password they choose. So while you do need to be careful who you put in charge since they can suspend or delete (or invite people you might not want them to) others under the plan, it's never possible for them to get to the stuff in another person's individual vault.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • jordvisser
    Community Member

    @brenty: Thank you for the response! You sure have some quick typing skills ;)

    If I understand the technical argument correctly, the Family account is the outer security shell in which each member has its own security shell so they can move data from their own shell into the family shell to share it.
    Because the outer shell is owned by one legal person, they have the say over all contained data because of legality reasons (and the current technical setup).

    The point about maturity is a good one, but I'd like to counter it:
    A family with non-technical parents, a wizkid child and two other siblings.
    None of them have the technical knowledge/background to grasp how 1P might work on the inside.
    The wizkid child convinces his Dad that a password manager is a must these days, and so the whole family goes into a family account.
    A couple of years go by and the parents have a nasty divorce.
    The dad gets so furious one evening and deletes the vault of his wife and the child(ren) that went with her.

    What I'd like to point out is that you can never know what will happen in the future...

    So if my understanding is right, and a Personal vault lives within its own shell in the Family vault, why not copy out that part upon deletion so that the rightful owner of the accounts that data gives access to doesn't lose all this vital information.
    Maybe even split the ownership altogether and let the family owner subsidize the member accounts, so the member can be given the right of pulling out of the Family shell at their own will.

    I had no concern a personal vault could be read unencrypted by any of the familyowners/-members ;) It was more in a sense of having the ultimate power to delete something, that's the most primal power of digital ownership.

  • Lars
    1Password Alumni

    @jordvisser - You’re not wrong about what can happen in a situation where one person has ownership rights over anything shared (not just a 1Password account) and others don’t. This is the sometimes-ugly nature of what can happen in a family. The setup works (in terms of 1Password, anyway) much the same as it does for our Teams and Business offerings: Owners have all rights, Admins have most rights, and everyone else has...what those first two groups give them. And it can be taken away at any time, whether it’s by a corporate manager or a vindictive spouse. But we never get questions about the morality or propriety of 1Password Teams, however, because no one expects to have rights to data they didn’t own in the first place in an employment situation, just as no one expects to be able to continue using their company email account once they’ve left a job. But a family is definitely different.

    One of the reasons we price 1Password Families so attractively is that we have a spot in our hearts for families. A 1Password Families account is less expensive than even two individual accounts, and definitely less expensive than four or five of them. It’s also less expensive than our other “group” offering, 1Password Teams, would be to give 1Password to the same number of people. We want families to succeed and thrive; they’re the building blocks of our societies, in whatever configuration they take. But families aren’t individuals, and they’re not corporations or business partnerships. By their nature, they involve a lot more complexity than that - and yes, it revolves around mutual caring and trust. So when families fail - and they do, regularly - things can sometimes go spectacularly wrong.

    But when that happens, it’s a social and personal problem, not a technical one. Or at least: it’s not a problem technology can solve, even the most clever technology. We offer individual 1Password accounts as our least-expensive option for people who wish to rely on and formally trust only themselves. But there IS a level of trust in others that goes into most aspects of families, and so there also is in 1Password Families. There’s just no amount of technology (short of keeping things entirely separated) that would prevent one spouse from damaging the other. We’re getting pretty far afield here, and it’s not my place nor anyone else’s here at 1Password to act as philosophers or therapists or judges of other families’ stability. From a technological standpoint, there are undeniable, significant advantages to 1Password Families (like dead-simple sharing of items) that can only be accomplished technically in a group setup in 1Password. As brenty mentioned above, the way to approximate that among technically unaffiliated individuals would resemble something more like PGP - and even there, there’s no guarantee that someone you thought you could trust couldn’t send you malicious code as a PGP attachment. At base, the question is: can someone in a Family Organizer position damage the data or even eliminate the account of another member of their shared 1Password Families account? Yes. And if the thought of even the potential of that occurring, however remote it might be, outweighs all the undeniable advantages of 1Password Families, then individual accounts are probably the way to go.

  • AGAlumB
    1Password Alumni

    @jordvisser: Wow! Likewise, thanks for the compliment. I don't consider myself to be a fast typer, but I do a lot of it so maybe I am improving. :lol:

    Indeed, families can be messy, and I'm not talking about 1Password! I think since we've been focusing on account ownership so much it's worth pointing out that someone you share a vault with could do damage there too. Obviously it's not the same as being able to delete them, but there are risks both ways inherent in this. Ultimately that is a social problem, and not something that technology can solve. I know that it's tempting to want technology to solve all of our problems since it solves so many of them, but until our "families" are programmable we do need to be circumspect about who we trust with what. ;)

  • jordvisser
    Community Member

    @brenty @Lars
    Thanks for the responses (and imdb tip ;) ), helped a lot to figure out how the 1P-Families works and is thought about by you guys.
    With my reasoning about my own passwords/data and knowing how the rest of the family thinks about them 1P-Families is not suited for us.
    So now on to the task of getting them to sign up for their personal 1P vaults ;)

    It's good to know you guys are so into your product! And I secretly hope I started a little fire for the next big change on the inner workings of 1P ;)

  • AGAlumB
    1Password Alumni

    @jordvisser: Thanks for the kind words, and your feedback on this. I do hope that someday we can come up with a way to offer secure intra-account sharing, so that it would become possible to share things between individuals without them having to join a family/team/business plan. But that's a huge technical and usability challenge because 1Password needs to do things securely and in a user-friendly way. Thank you for your encouragement. :chuffed:

  • rlh
    Community Member

    I'm glad @jordvisser started this thread. It highlights a concern I have long had too (though as the Family Organizer I will hopefully never delete my wife's or kids' accounts in a fit of rage :) ). But even a simple miscommunication could be irreparable:

    Me: So you are moving out on your own now?
    Son: Yep
    Me: And you said you are getting your own 1Password account?
    Son: Mmhm.
    Me: And I'll remove you from the family account.
    Son: I suppose.
    Me: <deletes son's account>
    Son: I can't log onto 1Password!
    Me: Yeah, I deleted you since you have your own account.
    Son: WELL, I HADN'T DONE IT YET!!!!

    Okay, let's hope that doesn't happen either. But even absent tragedy or a farce, you don't make it easy for someone to leave a family and go out onto their own.

    Here's what I wish 1Password Families did:

    1. Family Organizer deletes account. 1Password says, "Account for <son> will be deleted when <son> logs on and confirms."
    2. Son logs on and is presented with, "Your account is scheduled for deletion. Would you like to a) confirm deletion, or b) migrate your data to a personal 1Password membership?"

    Sure, right now migrating wouldn't be that much harder (create a new personal account first, log into both the personal and family accounts from 1Password7, go to the old vault, select everything, drag it to the new vault, and finally log out of the family account). But an approach like I describe recognizes that each person in the family owns their own data. Sure, I paid for the access but the nature of that data is dramatically more significant than, say, taking away my son's iPhone for some reason.

  • @rlh

    Part of the difficulty with a solution like that is financial. As the person paying for the membership the organizer needs to have the right to remove someone from their account (and thus stop paying for them), with or without that person’s confirmation.

    Ben

  • rlh
    Community Member

    @Ben

    Good point, I can see there may be any number of reasons that I couldn't get confirmation but need that account deleted. What if you added something like a 3-7 day timeout, where if the person never confirmed, the deletion would occur anyway? That way anyone who was a victim of my rage or stupidity would have some window of opportunity to rescue their data and create their own account (with the added bonus of AgileBits gaining a new, gracious customer!).

  • prime
    Community Member
    edited August 2018

    I had an idea that if I (an organizer) delete an account, that person's account is removed from my family account. Then that person's account is removed but not 100% deleted, but that person who got removed just has a frozen account (not paying, but has access to his passwords), and that person has the option to start a single membership.

    This way AgileBits now has a potential of getting a new customer too.

    Sorry for the wording, I am tired while doing this haha.

  • @rlh

    It is an interesting idea. :)

    Ben

  • @prime

    I think I like that idea even better, though it would definitely require more work. I think this problem is worth investigating further, and I will bring it up with development.

    Ben

  • prime
    Community Member

    @Ben

    Thanks. I see this as a win for everyone: the organizer, the person who got deleted (now just removed), and AgileBits (who now won’t have a person messaging you guys “I got deleted and lost all my passwords!”).

  • rlh
    Community Member

    While @prime's idea is very similar to mine (giving the data owner the ability to start his own account) it doesn't actually allow for account deletion when that's what I really want. What about a deceased family member? I don't like the idea of their data spinning off into a frozen individual account that never goes away.

    @Ben, even though I said it in different words (and probably not as clearly) my intent when I said to give the user an option "to migrate their data" was that would create a personal (frozen or trial-period) account as @prime described it. I'm just in favor of having one of the paths include actual (cooperative or timed-out) deletion.

  • prime
    Community Member

    @rlh have a remove and delete. Remove: that person starts their own, delete: that person is no longer wanting or needing a 1Password account.

  • Valid point @rlh.

    Ben

  • AGAlumB
    1Password Alumni

    I disagree that "remove and delete" should exist, as it would muddy the waters. While what we have now isn't ideal for all situations, it's fairly straightforward: when an account is deleted, it is deleted. While it isn't possible currently, at the end of the day, isn't the premise of this discussion that it would be better if the user of a given 1Password.com account is the only person able to delete it completely (along with its data)?

    I think that may be a problem for some businesses, but aside from that it seems like the "remove account from plan" option lets the account owner remove those they no longer wish to pay for and/or share with from their plan, and then allowing that user to "pick up the tab" for themselves completes the circle of life or whatever. Almost.

    The one hole in the scheme is that in order to be able to remove a user from a plan, separating them into their own, it's probably pretty important to have the opposite be possible: allow an existing individual account to be "adopted" into a family (or team) plan. Having it be a one-way operation would cause as many problems as it would solve I think.

    The good news is that we sort of have a way of "adopting" families already: each 1Password Business user gets a code to apply to 1Password Families for personal use. The bad news is this doesn't really have any other effect, only making the business the "parent" account for billing purposes; there is (intentionally) no cryptographic key exchange to facilitate sharing (for many it would be bad to mix work and play, to put it mildly). So while the concept is there in a very basic form, the hard work to be able to connect accounts functionally does not exist, and it's absolutely critical that it be planned and executed carefully if and when we do something like this. Fascinating discussion.

  • BLD
    Community Member

    I stumbled on this thread because I was stunned to discover that a Family Organizer can see all the vaults on the account, including shared ones not created by or explicitly shared with that Family Organizer. While I agree with a lot of the thread above in that Family Organizers should have the ability to see the existence of and delete (or detach is a nice idea) vaults associated with the account, I strongly object that an organizer can add themselves to a vault that was not explicitly shared with them by the creator of that vault.

    If Mom and Dad are both organizers, Mom should be able to share vaults with Son without Dad being able to snoop at his whim.

    Please consider changing things so that only the original creator of a vault can add/remove access to it, with the only exception being that organizers can see the existence of all vaults. If an organizer doesn't like that they don't have access, and can't get the owner to agree to add them, the organizer can of course remove the owner from the account. When the owner of a vault is removed from an account, either that vault nicely goes with them "detached" as suggested above, the vault's ownership can be reassigned to any other family member if the organizer removing the owner has access to the vault, or otherwise the vault is just deleted along with the owner. Also, a vault owner should have the ability to reassign ownership of a vault to any other member on the account.

  • Ben
    edited January 2019

    Hi @BLD,

    There is definitely a fair amount to consider here. The difficulty is that not everyone agrees on what is best. We don't currently have any way of detaching accounts or vaults from memberships, but we do have a level of service whereby some of the other things you've mentioned are possible. With 1Password Business and 1Password Teams there are finer grain permissions controls. I realize that may not be an ideal solution, but it is what is available now. It is possible we'll be able to incorporate some of the suggestions made in this thread as we continue to evolve the 1Password Families offering.

    Ben

  • Lars
    1Password Alumni

    I'll echo Ben's point here, and go on to note that 1Password Families is our most unique level of service in multiple ways. First, it's priced far more attractively than some of our other options: although it's $4.99/mo, that's for up to FIVE people, who all get access to all of our native apps (Mac, Windows, iOS and Android) for no additional charge, as well as the 1password.com account itself, plus all the additional benefits that go along with membership. It's quite a good deal, especially when you consider that if those same five people chose a 1Password Business account instead (which has all the higher-level features Ben was mentioning), it would cost $7.99/mo per user, or $39.95/mo. Or five standalone licenses (which doesn't even get you the account itself, only the license to use 1Password for Mac) would total $349.

    The reason 1Password Families is priced as attractively as it is, is because we have a genuine affection for families (however you define that term). But a 1Password Families account comes with some assumptions about the use-case which you may consider limitations, but we don't necessarily. One of them is that a family unit is fundamentally different from any other organization. A family is not like a business or enterprise where a board of directors or CEO has ultimate power, and it's not like charitable or volunteer or hobbyist organizations which might also be small and not business-based...but they're different from families. The assumption is that, in a family, there's a level of trust that exists that either doesn't exist or isn't appropriate to assume exists in other groups. Ben mentioned that 1Password Business has far more granular control over who can access/manage what vaults/items, and it's true. But even in a 1Password Business account, anyone with Owner level privileges can add him or herself to any vault that they weren't initially invited to join and which wasn't created by them. Someone with Owner privileges can also remove other users' accounts at will, without notice or recourse as well. And yet I've never heard anyone complain about this because it's understood by all parties in a business environment that if the company/boss is paying for everyone's company account (just like your company email account), then you as an individual don't have the right to privacy from your own employer on systems/hardware/software that they pay for. So even paying a lot more for a 1Password Business account for a family wouldn't solve (for suspicious family members) the issue of having someone in the account with the ability to potentially snoop on their 1Password use.

    Yet people DO (as evidenced in this thread) complain that they should have that level of personal privacy (which doesn't even exist in our highest service tier) from other members of their own family in 1Password Families accounts. I'm not suggesting people are necessarily wrong to want this kind of secrecy, only that this is a social problem that technology isn't the appropriate answer for. The long and short of it, in my opinion, is that if any given family (or members of a family) feels a) they have secrets they need to have foolproof ways of keeping from other members of their own family and b) they do not feel they can trust their family members enough not to snoop/spy/copy/steal if given the means to do so, then what such a family probably wants would be individual 1Password accounts where each person has their own, separate account that they pay for and no one else has access to. Such a setup would lose the sharing benefits - not to mention the more-attractive price - of 1Password Families...but each person would then be certain no one else in their own family could have even the possibility of being able to snoop/spy on their 1Password data. That's the bottom line: the only 1Password account that doesn't require the user to live with the knowledge that Owners (or Family Organizers) could potentially see/snoop on their data, is an individual account.

  • BLD
    Community Member
    edited January 2019

    @Lars, even the most well-adjusted and least dysfunctional families have legitimate needs for assured privacy. If it were all based on trust, just get an Individual account and give everyone in the family the credentials -- far cheaper! The fact that you have a Family account at all (and thank you for that!) shows that you recognize the need for such a division of privacy, even within a family. You certainly don't let the organizers access individual members' Private vaults, so I don't understand the reasoning behind allowing their access to shared vaults not shared with them -- think of those vaults as private between two or more members, not just one. I think people get the Family account not just because of the volume discount, but because of the recognition of the need for shared data.

    If that doesn't convince you, maybe you could consider adding Sharing functionality between Individual accounts.

  • AGAlumB
    1Password Alumni

    @BLD: I don't see the benefit of framing it in terms of well-adjusted versus dysfunctional, except to be inflammatory. Completely unnecessary. :tongue: So I'll just say that I think it would be cool if we could make it possible to share securely between individual memberships in the future, for plenty of other reasons. And, getting back to the topic, it's worth considering that it can help a lot of families to have organizers able to manage vaults in case something happens to a family member. If they're only ever accessible to the person who created them, that's a black hole that something important our loved ones might benefit from if the worst happens. Food for thought. :)

  • BLD
    Community Member

    @brenty My apologies, I really did not mean to be inflammatory. I was only trying to show a counterpoint to the statement by @Lars "the assumption is that, in a family, there's a level of trust that exists that either doesn't exist or isn't appropriate to assume exists in other groups." Perhaps a better statement from me would have been that even in families where such trust exists, there is still a legitimate need for this kind of shared vault privacy. For example, maybe the family member is storing private information for a third party to which only they and another family member are entrusted, and not the family organizer. But we shouldn't debate the social or philosophical scenarios -- I only dove in to this degree because @Lars cited trust within a family as part of the design decisions behind how Family accounts work. I think I have shown that legitimate reasons can exist for the family organizer to not have access to shared vaults to which they have not granted explicit access.

    The point you raise about only being accessible to the owner (by default the creator in the proposal I'm making) would just as well apply to the Private vault for that creator. In that extreme scenario, presumably precautions have been made to preserve the Recovery Kit, say in a safe deposit box -- or by using the Recovery process along with access to the creator's email (also presumably something an executor of the creator's estate could potentially access). So again, I don't see why a Shared vault not shared with the organizer should be any more or less accessible to the organizer than the owner's Private vault.

    So lest all this come across as too critical -- I think 1Password is a fantastic product and extremely cheaply priced. There are various glitches here and there of course, and I personally find aspects of the UI non-intuitive but you can't please everyone -- but I think the fact that you have made the tool work pretty uniformly and seamlessly across multiple platforms and with the various idiosyncrasies of multiple browsers is pretty great. I really feel like the issue I've raised here is the only actual serious design issue I've come across -- and I would happily pay a bit more to have it resolved. It really stands in my way of completely using the product the way I'd like.

  • Lars
    1Password Alumni

    @BLD -

    If it were all based on trust, just get an Individual account and give everyone in the family the credentials -- far cheaper! The fact that you have a Family account at all (and thank you for that!) shows that you recognize the need for such a division of privacy, even within a family.

    Not quite. That's part of it, yes, but it's also about simply not having everything in one big box. In a family of five, assuming any children are old enough to be using digital devices and presumably having their own accounts for things, you likely have five different Login items, all titled "Facebook" (or "Instagram" or "Twitter," etc). Each person probably has their own email account -- probably several of them. If everyone just shared one big Individual account, it would be both annoying and problematic to have multiple accounts of the same type repeatedly for every major website. That's the main reason there is a Private vault, not just the ability to keep things secret from one's own family members.

    I don't understand the reasoning behind allowing their access to shared vaults not shared with them.

    I really need to push back on this a bit: Family Organizers don't have access to vaults they're not invited to initially. What they have is the ability to add themselves to such vaults if they choose. The difference may seem immaterial or subtle, but it's not. Family Organizers cannot simply view any and all data at will. They would have to explicitly and intentionally use administrative powers to view data they were intentionally not invited to view. Adding oneself as a Family Organizer to a vault you weren't invited to would have to be done in the same way that intentionally walking into someone's bedroom while they're not there, taking their diary and reading it would be: Family Organizers could do it...but it's clear you're not meant to, if you weren't invited to a vault.

    This situation exists because someone has to have primary/administrator/ownership rights to the device/application in question. The same such issues exist with actual computers -- my own family has a couple of Macs in the house, and they're set up so that each family member has a user account on those computers. That way, if someone is using one of them, another person can use the other one, with their own data, etc. But there's also an Administrator account that has sudo privileges and can run things as root. Being the IT monkey for my family, I'm the one who set this up (mostly because no one else really would have been able to). So naturally, I have Admin rights to both those computers in addition to my own standard account. It's become a problem for other family members because to install new software or even updates, you need an Admin password. So I've had to choose whether to give the Admin password to my wife and/or kids, or to be "on call" to come to the computer and type it in every time an application gets updated. If I give my wife/kids the Admin password, then they could theoretically make their own accounts Admin-level accounts and even remove my entire account, if they were so inclined. Just as I could, right now, remove everyone else's user account from every Mac in this house. But I don't, and I don't expect they will either. Yet if I wanted to be 100% sure that no one could mess with "my stuff" without having to physically break it or hack into it like any hacker would have to, what I'd really need is a Mac that no one else had an account on or knew the Admin password for. That would be one solution: we could each purchase individual computers (expensive!) and never allow anyone to have a user account but ourselves, on our own device.

    I think people get the Family account not just because of the volume discount, but because of the recognition of the need for shared data.

    I think - and my experience doing this for a living reinforces - that it is both. Everyone likes to pay less if they can, and 1Password Families is our most-affordable option, especially if you have four or five people instead of just two. But they also choose 1Password Families because they ARE a family, and sharing data is important. That's what the Shared vault is for: things everyone might need (family Netflix or Hulu password, garage door or building codes, etc). And you can, of course, create as many additional vaults as you need, with any combination of people. My wife and I have a "Parents" vault for stuff we need to share but is not relevant for the kids (financial stuff, etc.). In other words: your "recognition of the need for shared data" is already met in 1Password Families.

    If that doesn't convince you, maybe you could consider adding Sharing functionality between Individual accounts.

    I appreciate the suggestion. And this is where the rubber truly meets the road with 1Password: if all that was required was being able to share, why not just use a non-encrypted database? It's the securely sharing part that's the real challenge, and the heart of what we do. The second biggest part of what we do is making 1Password easy to use, which involves quite a bit of concealing just how much complexity is under the hood, to bring you the "securely" part of the abilities that already exist in 1password.com accounts. To get an idea of the intricacy of it, I'd suggest our 1password.com security white paper, specifically the section titled How Vault Items are Secured (to get an idea of how even a single person's data is secured) followed by the next section: How Vault Items are Securely Shared. If you've ever set up PGP or any other public-key infrastructure setup (PKI), you'll know what a pain it is to meet in public, positively ID oneself, exchange public keys, etc. In 1password.com, most of that is handled behind the scenes for you. As brenty mentioned above, while it would indeed be cool to allow sharing between individual memberships, the level of validation and intricacy involved in such a thing is...significant. If it can even be done securely with current technology, in a way that doesn't put undue burden on the users, that is -- which is a question that's probably both still open and beyond my pay grade. But assuming it's possible to do in a way that makes sense for how we want people to be able to use 1Password (relatively easily, without having to be a nerd with a CS degree), the level of complexity and work involved would be more than we could likely offer at the current cost of 1Password Families. The main reason 1Password Business costs substantially more than 1Password Families (or individual accounts) is because the additional granularity of features requires much more work to develop and maintain.

    I'll stop here since this is already too long, but I want to conclude by reiterating that everything people in this thread are asking for in 1Password Families already exists there, currently, with one exception - the ability to have individual private data exists (Private vaults), the ability to share data exists (both the family-wide Shared vault plus any number of additional vaults shared between any configuration of users, privately). The one exception, the one request from this thread that does not exist today in 1Password Families is the absolute, programmatically-enforced guarantee that no one with Owner (Family Organizer) permissions could ever abuse that power to delete other users or view data in user-created vaults shared with others to which they (the Organizer) were not invited. That's a power that does not even exist in our most-expensive and advanced offering, 1Password Business. My suspicion - and this is all theoretical at this point - is that it would be difficult to develop such an infrastructure for 1Password Families while still maintaining the current pricing. It just doesn't seem as if it would scale. I'm happy to be wrong about that, but knowing what I know about how much work and complexity is likely involved in what you're asking - if it is possible at all - I suspect it would result in having to price 1Password Families at a point where it would no longer be an affordable, family-friendly option.

  • XIII
    XIII
    Community Member

    I want to conclude by reiterating that everything people in this thread are asking for in 1Password Families already exists there, currently

    Hope you don't mind I add a "new" one... (which I actually have asked about before)

    Because of this super power admins have I don't want any other admins in my family account (and my family is fine with that). However, this means other members cannot help in restoring an account (currently only admins can?). Are you still considering adding that permission to non-admin members?

    https://support.1password.com/recovery/

  • BLD
    BLD
    Community Member

    @Lars, thanks for the thoughtful and in-depth replies. Full disclosure, while I am not an encryption specialist, I am a software engineer fairly familiar with the concepts -- and I am fully aware of the complexities involved in your product. So let me stress again that I think the work your team has done, while not perfect, is really excellent. As I said before, to get all this working when integrating across multiple platforms and browsers totally beyond your control is good stuff. You had me sold on your tool within an hour of experimenting with it. If I were not already invested (and I don't mean financially) in using the tool, I would not be writing novels on this board. ;-)

    Like you, @Lars, I'm the "IT" guy in my family. The analogies you drew with respect to personal computers in the household make sense, but there are key differences. With respect to those computers, administrative access beyond the skill set of most in the family is required on a regular if not outright frequent basis. While those computers could be locked down in such a way that I'd have to go to extremes to get in (like have power of attorney to open a safe deposit box with the administrative credentials, etc.), you and I both know that would be ridiculous in a real world family. But the same doesn't apply to the shared data contained within private and shared vaults not shared with me. It's just data, and if the users in my family have no need or desire for me to see it, that's their right, and I have little to no legitimate reason to access their private information. Of course, I think there are exceptions to this -- but as we've all agreed, those exceptions are extreme and should require extreme measures. Frankly, to get my kids on board to really change their security practices and adopt this tool (which has me hopeful ;->), they need assurance that their data is protected. It really goes beyond whether they trust dad or not -- it's peace of mind.

    Obviously, without studying the innards of 1Password's architecture in detail, I can't make a truly informed assessment of how difficult the engineering effort required would be to give Shared vaults the same level of protection from admin/organizers as Private vaults already have. But honestly, I can think of a few ways off the top of my head that might work depending on what you've done behind the scenes.

    I really think the case has been made why some families would want this kind of isolation for shared vaults, and it's shaky ground for 1Password to try to second guess such decisions. However, I do appreciate that new engineering requires investment -- and depending on the infrastructure changes required -- additional cost. Your product is already so incredibly cheaply priced, I could definitely live with absorbing some price increase for this to get "fixed." I'm requesting that your product managers have a serious conversation with engineering about this and perhaps take a survey of your customer base.

    The suggestion that @XIII made to allow another tier of users that can perform some functions normally reserved for the super user is a good one. It seems that would be quite straightforward to implement in your current architecture given that you already have a separation of powers between members and organizers. But I still see removing the super user's power to muck with private data (other than deleting it) as a pretty vital missing piece from the design.

  • Lars
    Lars
    1Password Alumni

    @XIII - Nothing to announce just yet, but we'd love for you to be able to add a recovery contact; it's something we're evaluating.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited January 2019

    @BLD: Likewise, thanks for your honesty and criticism. My concern was that this important discussion remain constructive, but it sounds like we're on the same page here: we all -- passionately -- want 1Password to be the best it can be. There's a lot to consider, and challenges both technically and for usability, but we'll keep working at it, and the feedback gives us ideas for what might be possible in the future. :)

  • bobpaul
    bobpaul
    Community Member

    This situation exists because someone has to have primary/administrator/ownership rights to the device/application in question.

    The way one of your competitors has solved this is that individual password entries can be individually shared with any user of the service (inside or outside the family). That entry is owned by whoever created it. Likewise, within families they have collections (not unlike vaults) to make sharing easy within the family. Whoever created a collection owns the collection and can share it with other family members. The family's admins don't even know collections exist unless they're shared with the individual admins. But unlike single password entries, collections can't be shared outside the family.

    The Slack chat app is pretty similar to this. As a Slack admin at our organization, I have no idea what private channels have been created or who is in them.

    As a 1password admin for our workplace, I have mixed feelings with the admin's (me) ability to join any vaults at will. I do greatly appreciate the audit logs, as that makes it clear if any admin has abused power, and really that's sufficient. But to some extent, I think a system where each vault had a vault owner might be good in the workplace; IT staff should never need access to the Accountants' shared vault, for example. On the other hand, the way 1password is currently set up, an organization never needs to worry about losing track of a vault. Google Drive has individual document/folder owners, and this can be a real pain to sort out when staff members change affiliation... So like I said, I have mixed feelings.

    In a family, though, I definitely think it's worthwhile to allow any family member to create and own a shared vault for exactly the reasons @BLD shared. I trust my kids to have their own private vaults, why wouldn't I also trust them to share a vault between them if that's something they want to do. If something about 1password's architecture makes this impossible, an alternative might be one where the family/workplace admin knows the name of the vault and the vault owner, but needs permission from the vault owner to join the vault.

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @bobpaul! Thanks for the suggestions. As you suspected, it's largely a question of 1Password's architecture and the underlying nature of encryption used to secure the data. That's not to say nothing can ever change, but rather that any changes are considerably more difficult than in an app that doesn't require permissions-based encryption.

    I trust my kids to have their own private vaults, why wouldn't I also trust them to share a vault between them if that's something they want to do.

    They can, currently. Users can create their own vaults, and share them with other non-Family Organizer users. Just wanted to make it clear this is already possible.

    We'll add your thoughts to the mix of where we may make changes or new features in the future regarding sharing and permissions control in 1Password, so thanks for taking the time to share them with us. :)

This discussion has been closed.