Access after death or serious injury

sailingbikeruk
Community Member

I have been searching for updated articles or information about how I might give my family access to 1Password after my death or if I should become incapacitated... the most recent I've found is still twelve months old.

Given my age and health it is a very serious issue and given that Google, LastPass and Dashlane all have a solution, I thought I would ask the question again.

Other than printing out my emergency kit and handing the whole lot over, is there a secure way that 1Password will grant access to nominated people after my death or if I become incapable of using the system? It feels like I may have found a reason that forces me to move on to an alternate product if this hasn't/isn't being addressed.

Ian


Comments

  • Hi @sailingbikeruk

    I'd be happy to discuss this further. You posted this in the Business and Teams category, but it sounds like your question is about 1Password Families. Would it be alright if I move this thread over to that category?

    Nothing has really changed in this regard. 1Password is built on encryption, and only you have access to your encryption keys. For someone else to get them, you have to give them to that person. To build something like you're suggesting we would need to hold those keys in escrow. One of our core principles here is that we never have access to your keys so that we never have access to your data. We want you to be protected from us, or a breach of our servers, as much as you would from anyone else.

    I certainly understand the desire to have a feature like this, but our recommendations remain unchanged. The best I could recommend, and what I personally do, is store a physical copy of my Emergency Kit in a secure location. If something happens to me my family will be able to retrieve that Emergency Kit and access my data. Until then, the key to that location is kept with me, and nobody else has access.

    We don't disagree with the concept. What we take issue with is what the implementation would require: in order to give your keys to someone else, we would have to have them. That goes against one of our core principles. As such I still believe this is a problem best solved in a low tech way.

    I understand if you feel differently, and as such choose to use an offering that doesn't stand on that principle. We all have our own priorities, and perhaps there is a conflict between ours and yours.

    Ben

  • sailingbikeruk
    Community Member

    By all means move to the correct forum; apologies, I use both Families and Teams (Home and Work).

    It is an interesting point about holding the keys. I assume from your comment that you are suggesting LastPass and Dashlane have the keys and can therefore access customer vaults; if they did not hold them then they could not give access to relatives or trusted email addresses.

    I might check that detail before moving. We certainly are not in conflict on that point, and if that is what is happening I wonder how much "access" the companies might have to personal information.

    Thanks

    Ian

  • @sailingbikeruk

    > By all means move to the correct forum; apologies, I use both Families and Teams (Home and Work).

    No apologies necessary. I just want to make sure that anyone else looking for this sort of information is able to find it as easily as possible. Generally businesses have other options available (such as taking control of the employee's email address and then performing recovery), so this is less of a concern there than it is with families.

    > It is an interesting point about holding the keys. I assume from your comment that you are suggesting LastPass and Dashlane have the keys and can therefore access customer vaults; if they did not hold them then they could not give access to relatives or trusted email addresses.

    Admittedly I have not done an in-depth study of either of those systems, so I can't say that for sure, but that is what I had assumed. As far as I'm aware they do not provide the same level of documentation that we do about how / where / when keys are created / stored / used.

    I did a brief scan of LastPass's documentation on their Emergency Access feature and this two paragraph document was all I could find:
    https://support.logmeininc.com/lastpass/help/how-is-emergency-access-secure
    It does seem to imply they are doing better than I initially assumed, but there are a lot of details I'd like to know before I personally would use the feature.

    For what it's worth, our documentation about our security model is available here:
    https://1pw.ca/whitepaper

    We have some blank spots we still need to fill in as well, but as you can see what we do offer is fairly in-depth. We make every effort to be transparent in this regard.

    > I might check that detail before moving. We certainly are not in conflict on that point, and if that is what is happening I wonder how much "access" the companies might have to personal information.

    Having as little access to customer information as possible, including not being able to access the data customers are storing inside of 1Password at all, is one of our top goals. It is something we take very seriously.

    I'd say it is a reasonable question to ask, either through researching their documentation or by asking their team. At the end of the day the important thing is that you're comfortable with the level of security that is being offered.

    Ben

  • Hi, @sailingbikeruk. I'm sorry for the confusion on this point.

    It's true that the easiest way to implement a feature like this is for us to have the keys, but that would not be responsible because not only could we then access your data but we could be tricked into giving access to anyone who convinces us that they are the Emergency Contact.

    However, as Ben noticed in LastPass's documentation, their implementation does not require that they know the keys, just like in 1Password you can share a vault with a family member without giving us the keys first. If we were to implement the same feature it would look very much like the implementation documented by LastPass. Unfortunately we've not made any changes there yet, but it is a feature we'd like to introduce eventually.

    Until that point, our recommendation of printing the Emergency Kit stands. It's also worth noting that even if we added an emergency access feature, its success would depend on the other person being able to access their own account. With a printed Emergency Kit in something like a safety deposit box, you don't have the same dependency. That's not to say it's superior, but there are different pros and cons to each approach.

    I hope that helps. In your original post you were looking for something "other than printing my Emergency Kit". Can you explain why that isn't an acceptable solution for your case?

  • timdalec
    Community Member

    I am currently using LastPass but looking to move to 1Password. The emergency access feature in LastPass is fairly simple, and to your point, does not require them to have access to any of my keys. If I was to pass away or be otherwise incapacitated, my spouse can go to LastPass and request access to my account (she would have to submit my email address). LastPass then notifies me of the request, and I have X days to deny it, otherwise it is automatically granted. So as long as I am paying attention to my notifications on my phone, I would know if someone was trying to gain access. And if I am gone, well, my spouse would only have to wait the X number of days to get access.

    I'd love to see something similar in 1Password. To the question of "why don't you just print the emergency kit form?": Master passwords change, 2 factor token may be lost (in the case of an accident or just unknown to the person trying to get access), or if it is in a safe deposit box and the person cannot access it in a timely manner.

  • Thanks @timdalec. The idea is definitely worthy of more thought. To clarify though, LastPass's feature has to be set up in advance of the situation. Your spouse wouldn't be able to go to LastPass after the fact and request Emergency Access if you hadn't already set them up with it. From their guide:

    The following is a general overview of the steps involved when using Emergency Access:

    1. LastPass User 1 adds Emergency Access User (who has an active LastPass account) and specifies a Wait Time.
    2. Emergency Access User accepts the invitation.
    3. In the event of an emergency, Emergency Access User requests access to the LastPass User 1's account.
    4. If LastPass User 1 does not decline the access request (or revoke access) within the Wait Time period, then Emergency Access User is granted access to the account (displayed as a folder in their own Vault and labeled as LastPass User 1's account email address).

    Ben
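
The four steps quoted above, written out as the server-side state machine they imply. This is an added example, not part of the thread and not LastPass or 1Password code; the class and field names are hypothetical, and it assumes the vault key was wrapped to the contact's public key on the owner's device, so the server only gates the release of bytes it cannot decrypt.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class EmergencyGrant:
    """Server-side record for one owner/contact pair (hypothetical names)."""
    owner: str
    contact: str
    wait_seconds: int
    # Assumption: the vault key was wrapped to the contact's public key on the
    # owner's device, so the server stores bytes it cannot decrypt.
    wrapped_key: bytes
    state: str = "invited"                                 # step 1 done by owner
    requested_at: Optional[int] = None

    def _require(self, ok: bool, why: str) -> None:
        if not ok:
            raise PermissionError(why)

    def accept(self, who: str) -> None:                    # step 2
        self._require(who == self.contact and self.state == "invited",
                      "no pending invitation for this user")
        self.state = "accepted"

    def request(self, who: str, now: int) -> None:         # step 3
        self._require(who == self.contact and self.state == "accepted",
                      "not an accepted emergency contact")
        self.state, self.requested_at = "requested", now

    def decline(self, who: str, now: int) -> None:         # owner's veto
        self._require(who == self.owner and self.state == "requested",
                      "no open request to decline")
        self._require(now - self.requested_at < self.wait_seconds,
                      "wait time already elapsed")
        self.state, self.requested_at = "accepted", None

    def revoke(self, who: str) -> None:                    # owner removes contact
        self._require(who == self.owner, "only the owner can revoke")
        self.state, self.requested_at = "revoked", None

    def collect(self, who: str, now: int) -> Optional[bytes]:   # step 4
        self._require(who == self.contact
                      and self.state in ("requested", "granted"),
                      "no open request from this contact")
        if now - self.requested_at < self.wait_seconds:
            return None                                    # still inside the wait time
        self.state = "granted"
        return self.wrapped_key
```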

  • wavesound
    Community Member

    @Ben, that is correct, but the major difference here is that LastPass has the feature and 1Password has nothing...

    We have been discussing a similar challenge with 1Password over in this thread. Instead of your loved ones losing access, you could lose access to 1Password while you are traveling if you don’t keep a copy of the secret key on your person.

    https://discussions.agilebits.com/discussion/82240/how-to-handle-security-while-traveling-and-potentially-losing-devices/p2

  • > that is correct, but the major difference here is that LastPass has the feature and 1Password has nothing...

    I understand. I was replying to a specific point to try and clarify something that I felt may have been misinterpreted.

    > We have been discussing a similar challenge with 1Password over in this thread. Instead of your loved ones losing access, you could lose access to 1Password while you are traveling if you don’t keep a copy of the secret key on your person.

    I think these are separate issues. Both are valid concerns, but separate issues.

    Ben

  • jcx
    Community Member

    Hi everyone,

    I am looking for some similar solution, that in the event of something happening to me, that my partner will gain access to my passwords. Something that he can request and perhaps after waiting a specified delay will send him a key that only he can decrypt on his account to access mine.

    Something that I can set-up in advance so that I don't have to worry that if something happens to me, he can not worry about finding all the details he would need in order to access everything in the interim if I'm ill, or close things down properly in the event of my death.

    Not a very happy thing to think about, but I think it would be a great feature to add to 1password. I'm still evaluating the 30 day trial, and this is one feature I'm very interested in. I like everything about the client and security so far, so would like to see if this feature could be implemented somehow?

  • Hi @jcx

    Right now our recommendation would be to print and fill out an Emergency Kit that could be made available to your chosen individual under such circumstances.

    Get to know your Emergency Kit

    It may be possible to offer a different solution in the future, and we'll continue to evaluate how we might do that without compromising on our core values of respecting customer privacy and not having the ability to access the data folks store in 1Password. I couldn't make any promises in that regard at this stage though. The Emergency Kit is likely to be the best solution, at least for the near future.

    Ben

  • ErtjeTheFreeze
    Community Member

    Hi Ben,

    In these discussions I have never seen 2-factor authentication (2FA) mentioned. I’d given my son my Secret Key and master password and let him try to access my vault. He couldn’t, because of the 2FA being enabled. So just giving the secret key via the "Save Emergency Kit" and your master password isn't enough.
    My solution was, to go to my 1Password profile 2FA-settings and select “Replace” at “Authenticator App”. I’ve saved the presented secret key for the 2FA app and gave that to my son. Now he can access my vault.

    So the person who you want to have access after your death, needs from your 2FA secured 1Password account:
    1. the master password
    2. the 1Password secret key
    3. the generated 2FA key

    With kind regards,
    Rene de Vries

  • ErtjeTheFreeze
    Community Member
    edited March 2020

    Hi Ben,

    Any comment on this? Tips?

    With kind regards,
    Rene de Vries

  • noway
    Community Member

    I use LastPass and I was considering using 1Password. Not so sure now. LastPass allows you to email anyone with a link. They activate the link and during a set amount of time I need to respond or they automatically gain access. So if I'm dead, my son will have to wait 3 days but then he has full access. The 1Password option looks ridiculous to me.

  • ErtjeTheFreeze
    Community Member

    Hi Noway,
    I know of this feature of LastPass, but I would like to have the comments of a technical security expert. How safe is this feature? Can it be hacked or bypassed easily? If you only need a link and not the master password, it doesn’t seem secure to me. And what about if 2FA is enabled for LastPass? Heirs have to have access to the 2FA device, because the disable-link will be sent to the configured mail address, to which heirs don’t have access. So it looks to me that you would have the same problem with LastPass.
    Back to 1Password: it is really necessary that 1Password provides a solid after-death solution. Giving away the 3 items I’ve mentioned in my previous post is giving immediate and limitless access, so I should place them in a safe that can be accessed after my death. And if I would change one of the 3 items, I have to remember to update the items in my safe too.
    And one other important thing to realize is that every access that is secured with 2FA won’t be accessible, even if the heirs have the credentials, unless they have access to the 2FA device. A solution to that would be to change all 2FA access to use 1Password as the 2FA device, although this weakens the 2FA principle, because both the credentials and 2FA are in the same place.
    With kind regards,
    Rene de Vries

  • @ErtjeTheFreeze

    > So the person who you want to have access after your death, needs from your 2FA secured 1Password account:

    True, if you have TOTP enabled for 1Password. An alternative would be:

    1. Your son could use one of your devices that is already authorized to your account or
    2. You could use a U2F key for MFA for 1Password, instead of TOTP, and make sure your U2F key is accessible to your son in an event he needs it or
    3. Disable MFA for 1Password
      Remember that MFA serves a different purpose with regard to 1Password than it does for most other services. I wrote more about this here.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • qheart
    Community Member

    Many thanks for this discussion. I too was about to sign onto 1Password, not only to be more responsible w/ my own accounts but also to ensure easier access for my executor when I die. But I'm uneasy giving anyone full access to all my accounts while I'm still alive and of sound mind.

    Having read all this discussion of the tradeoffs here, another solution occurs to me. I could send a physical copy of my master password to the person who will have legal authority to handle my affairs, but send a physical copy of the secure key to a different person I also trust, so that the executor could not get into my vault without a second responsible person concurring that I was dead or otherwise incapable. Would that meet the concerns expressed here, or am I missing something?

  • That would absolutely be a possibility @qheart. :)

    Ben

  • ErtjeTheFreeze
    Community Member

    Hi @qheart ,
    This would be a good solution.
    Keep in mind my remark about accounts with 2-factor authentication. For example: if you have enabled 2FA for Facebook, only the credentials stored in 1Password (or any password manager) aren’t enough. Your heirs need access to your mobile 2FA device or you need to store the Recovery Codes in 1Password too. Other apps use (text) messages to your mobile device, authentication apps or other methods. You have to look to each app which has 2FA enabled what you have to do so that your heirs can bypass this. If your heirs can easily access your mobile device that is used for 2FA, there is no problem.
    With kind regards,
    Rene de Vries

  • 1Password can generate TOTP codes for sites like Facebook:

    Use 1Password as an authenticator for sites with two-factor authentication

    Ben

This discussion has been closed.