New User (potential- doing trial now) Questions on feature/functionality
My questions are broad; but generally related to a new membership so placed here:
I'm certainly not a security expert; but in reading the whitepaper (not updated since January of 2019); it appears to me the actual key (MUK) used to encrypt/decrypt the vault key is a combination of the secret key and the users password? I ask as this would appear valuable for a family member who might not like/want/desire a very complex master password; effectively increasing entropy of the MUK?
There seems to be some functionality that is not consistent across clients (Windows, IOS, and Web). One I came across is the creation of new vaults in Windows. It appears the Windows platform only allows creation of "local" (file based) vaults. I would need to use the web interface or IOS I suppose (others in my family have MacOS devices which I assume could be used)?
Related to #2. It would seem having the ability to manage a "local file based" vault (rather than one hosted/shared/synced @ 1Password) could be nice security decision in some cases. If I'm correct that Windows can/does provide the ability to create local vaults; I would guess that is an older construct and is potentially being replaced across all client applications? I don't see the ability to do that in the web interface nor the IOS interface. Should I assume that will be functionality going away at some point?
Lastly; using 2FA to protect my 1Password account (versus other 2FA logins stored within a vault). Once set up; should I lose that 2FA capability; either due to a lost device (iPhone/Authy), mistakenly deleting the 2FA app, or otherwise not able to restore the original 2FA; how do I regain access to a 1Password account? Google, for example, provides a list of one-time use keys that can be saved/printed/stored. Other sites such as many financial institutions allow utilizing some other mechanism such as text/email (which seems rather insecure, so not suggesting this is desired). So just curious, if the 2FA device is lost; can 1Password support assist? or am I limited (with family plan) to invoke the recovery process with another on the family plan who has the rights to do so.
Thanks.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:New user question
Comments
-
Hi @rkdietz
Welcome to 1Password. I would be happy to help with those questions.
- Essentially, yes. Both the Secret Key and the Master Password are required to decrypt your data. Each protects against different attack vectors though, so it really isn't wise to use a weak Master Password just because the Secret Key exists. For example, the Secret Key isn't intended to (and really doesn't) offer protection in the event someone has access to a device that you have installed 1Password on. In that case all they will need is the Master Password, as the Secret Key is remembered. We do have a guide that may be helpful in picking a reasonable Master Password: How to choose a good Master Password
- Indeed. Cross-platform consistency is a goal that has been on our list for an incredibly long time but has always been difficult to achieve and maintain because of how our development teams have been structured. We're in the process of making some changes that should ultimately result in more consistency, but it has been and will continue to be a long road. This is one of the downsides of offering entirely native apps for each platform instead of using something like Electron, but there are a lot of benefits as well. In short, yes, there are inconsistencies across the various platforms we support. We recognize that is less than ideal and are working to minimize those differences.
- We refer to these as "standalone" vaults, and their usage is no longer recommended. Membership and membership vaults are the way forward. :) I'm not in a position to speak more specifically than that about future plans.
- Our security team can help, via email, but as you might imagine it does require a verification process. It may be quicker to have another family organizer on the membership assist if possible. You can also print the TOTP secret / QR code when setting TOTP up, so if you lose access to your authenticator you can re-enter/re-scan it.
I hope that helps!
Ben
0 -
Thank you @Ben.
One last question: If one of my family members decides to "branch off" at some point and have their own account; is there a fairly straightforward means to do that? I see many articles on moving from old (various versions of local vault options) versions to a subscription model; but not how to break away ones account from a family plan to an individual plan.
And in this case; assuming they wish to continue using same email address; thus would not be able to just "change accounts".
Thanks again.
0 -
You're welcome!
One last question: If one of my family members decides to "branch off" at some point and have their own account; is there a fairly straightforward means to do that? I see many articles on moving from old (various versions of local vault options) versions to a subscription model; but not how to break away ones account from a family plan to an individual plan.
This would be fairly straightforward with one caveat: Links between items do not survive being moved (i.e. you'd need to re-establish any links). Otherwise you'd simply sign into both accounts in one of the apps and then move the items from account A to account B.
Move and copy items
And in this case; assuming they wish to continue using same email address; thus would not be able to just "change accounts".
The only restriction on re-using email addresses with 1Password memberships is that you cannot have multiple individual memberships under the same email address. You can have, e.g., one individual membership and one 1Password Families membership, with no issue.
Ben
0 -
great; thanks.
0 -
You're very welcome. :)
Ben
0
