1password Family Recovery

0 views
Skip to first unread message

Danisa Southmayd

unread,
Aug 3, 2024, 4:38:26 PM8/3/24
to distnehtaca

You and your family members can generate recovery codes for your accounts. You can use recovery codes to regain access to your accounts by selecting the Having trouble signing in? button on 1Password.com.

Ready to share passwords with your new love interest or roommate? Quickly send out an invite from the 1Password app to new members or guests. Plus, you can also confirm or reject any new members who are listed under Waiting to be confirmed.

Need a reminder if you started the account recovery process for a family member? You can easily check the status of all the members in your 1Password account, including Guest, Suspended, or Recovery started and Recovery pending.

I am the organizer of the family which has another member.
I have forgotten my master password, but I have the secret key in my possession and I have access to my e-mail which is linked to my account.

The problem with the account recovery following the instructions here -recovery is that we're not sure and we do not recall what permissions does the other family member have as apparently he cannot find 'People' tab in the sidebar.

If you did not name another Family organizer it is unfortunately not possible to restore your account. Did you by chance write down your Masterpassword on a copy of the Emergency Kit that you stored somewhere safely?

Welcome to the forum, @thousand_joules! I'm sorry for the trouble. If you gave the other person Family Organizer permissions, then that person will be able to help you recover your account. If you didn't, then that won't be possible. Any other person in the family account can check by signing into their account in a browser, then checking if they see the "People" tab in the right sidebar. If they can't see that, or if they see it but clicking on your name in the list does not give them a "Begin Recovery" option in the left sidebar, then you didn't give that person Family Organizer permissions.

If you've forgotten your Master Password, there's very little you'll be able to do to access your data or the account management functions of your account, since the Master Password is the one piece of data that's not stored anywhere except your head (even the Secret Key is stored in the browsers/apps you use 1Password with). You can't sign into 1password.com in a browser, and even if you can use Touch ID or Face ID to unlock the 1Password app on one of your devices, you won't be able to change your Master Password without knowing the current one.

I'd consider trying the steps outlined in this article to see if you can jog your memory or one of those tips works for you. If none of it does, however, then you and everyone else in the 1Password Families account will need to start over. If that turns out to be the case - you've exhausted all options and you're sure you can't recover your account or remember your Master Password, let me know and we can give you some further instructions via email for how the members of your account can salvage as much of your data as you can.

@thousand_joules - nope. It would be both improper and a huge security hole for us to possess the ability to manipulate user privileges in your account or see any of your data. 1Password is designed to protect you -- even from us. The downside to that is, well, what you're experiencing now: if you forget your Master Password or lose your Secret Key...we can't help you. Not because we wouldn't like to be able to help, but because there's no way we know of to grant ourselves that kind of power while also maintaining the kind of privacy and security you expect, deserve and pay for. Wish I had better news. :(

However, all may not be totally lost. In fact, your other users (presuming they still know their Master Password(s) and Secret Key(s) can transfer their data to another account or local vault or even export it in unencrypted format, then (after you delete the account) re-import it back into the new one. Are you and your family members using Macs or PCs?

@Lars we are using 1pass on Mac, Linux and iOS. How can we proceed with the account deletion and re-creation so that it would be an easy transfer for my other family member (he is using 1pass without issues)? Is it by using local vaults?

@thousand_joules: one option is to first create a new account, and have your other users move their existing data to their new account. Otherwise, you can have them export their data, at which point you can delete the existing account. It's up to you what you choose.

But if you want to include him into the conversation, please feel free to email us at suppor...@agilebits.com so we can continue the conversation over there. When you receive your Support ID, please post it here so we can locate your email in the system.

But how it's technically possible to "reset" the password then?
As far as I understand, master password (alongside with secret key) is used for encrypting and decrypting your passwords database. But for setting new password (=encrypt db with another secret), you must decrypt it first. How it's possible if no one except of me knows the old password (which I forgot)?

This is a very good question! I have answered a very similar one some time ago in this very forum, which I think will address your question too. Therefore, I hope you don't mind if I first refer you to that answer as a first reply to you. You can find that discussion here.

Not if they are a regular Team Member, because a Team Member is not a member of the Recovery Group. Therefore, in this specific case, there is no need for the Team Member to access the recovery group's private key.

But if you were talking about Recovery Group members instead (which I think is what you were referring to), then yes, we need a way for them to access this key pair (more on this in the next section of my post).

That is correct. This is what allows the recovery group to perform recovery without knowing your credentials (and knowing your Secret Key and Master Password is something that the recovery group cannot do): recovery is the recovery of the vault keys, not of the account credentials.

However, and this is an important point, Bob never gets your encrypted key unless you go through recovery. Only the server receives this encrypted key (see step 5 in the "User recovery" diagram on page 41 of the security white paper).

Nevertheless, we built the 1Password recovery system so that there are additional mechanisms that help prevent a malicious member of the recovery group from doing something that they are not supposed to do:

Having said this, I should probably also make it explicit here that any recovery mechanism will inherently lower the security of a system, so there certainly needs to be a level of accepted risk in exchange for the safety net provided by such a solution. There are however mitigating measures (such as the ones I described above) and expected precautions that are listed in our security white paper in the section titled "Recovery Risks" (page 40 in the current version of the document).

This is not defined exclusively through permissions (see my previous section in this post for some more details), but in summary, yes: there are mechanisms on the server to help prevent a member of the recovery group from accessing vault data that they shouldn't have access to. Just because they have access to the keys for recovery purposes, does not mean that they should be able to actually use those keys to access data.

My understanding is that if someone can gain access to my email (as the family admin) then they can recover any of the family vaults. I know that email is essentially one of the most valuable assets to a hacker as, with it, they can initiate password recovery on websites etc.

1a. What are the steps needed to recover one of my family's vaults? I'm going to have my son create a new private vault as the test case.
1b. I'd like to do this with my son initiating so that is the real world scenario
1c. I'd like to recover it myself and see how he gets notified and how he can stop it

The person who is having their account recovered will receive an email after you initiate recovery with a link that will give them a new Secret Key and asks them to set a new Master Password. You'll always get a new Secret Key even if you knew the old one, but you can always choose the same Master Password during recovery.

As for your email account, it sounds like you're already taking the steps needed to protect it! One other thing to keep in mind is that you should only sign in to your email account (and for that matter, your 1Password account) on devices that you trust.

just as a clarification, and maybe this needs to be a warning if true??
if the account that needs to be recovered, has their email password
(and maybe their 2FA for their email, so not possible to remember!) stored on 1pass,
and ONLY stored in 1pass..
would that mean, as they are not able to log into their email account, they are not going to be able recovering their account ??

@gadget78: If someone is unable to sign-in to their email account then recovery won't work for them. Without access to your email account then we can't check that it's actually you that wants to recover your account. Recovery is definitely a useful tool, and it's allowed me to gain access to my items again in the past. There are a few limitations to it though, so we'd always recommend storing your Emergency Kit somewhere safe too. That way you can sign in again without needing to recover your account.

indeed, does create a paradox, not able to gain access as i you need access to email info !
dont think people realise how important email actually is ! ..
most passwords are only as good as your email security for example ! ..

But I don't see how this is an issue, not even a family organizer can recover his own account with just an email address. This is my wife is one also. A person can hack my email, and there is still no way for them to get into my 1Password account. Am I right?

c80f0f1006
Reply all
Reply to author
Forward
0 new messages