If you have a small startup or a family, 1Password is an awesome tool. For $5/month, you get a very secure zero-knowledge system for storing passwords. The main issue is that it is pretty complicated to figure out how to use it properly. So here are some tips:
- You are allowed five user accounts with a family membership. When you create a company, you will want a backup admin account that isn't tied to the company's own infrastructure, something like newcompanyadmin@gmail.com, so that if your entire server system goes down you can still recover.
- Then go to your favorite mail host and create a set of mail accounts. We use G Suite if there is extensive collaboration and Office 365 for compatibility; that seems to be the main tradeoff right now. Once you are there, create your main administrative account, like admin@newcompany.com.
- Both of these accounts should have two-factor authentication turned on, and this is where 1Password comes in. It lets you store the one-time-password (TOTP) secret in a vault, so anyone with access to that vault can generate the codes. Otherwise you are stuck with a single "magic" company cell phone, and you had better hope the person holding it doesn't go on holiday. Keep in mind that this makes the second factor exactly as strong as access to that vault, so the vault itself needs to be protected by each member's master password and 2FA.
- There is the concept of shared vaults, so everyone gets their own passwords, but the cool thing
The issue is how to properly sign up for 1Password. It's not completely obvious, as there is actually a step for the admin, then one for each user, and then another one for the admin:
- Go to https://1password.com, sign up with your admin@newcompany.com address and create a new family. Choose a really long, complicated master password. You will also be issued a long Secret Key that you need to keep hidden and stored safely offline; both are required to sign in.
- Then invite the various people, like rich@newcompany.com and so on; each will get an email and can sign in.
- Make sure at this point that you turn on 2FA for the master (admin) account and allow a third-party authenticator app. A convenient option is to use 1Password itself for this, but be aware that this is circular: if you are ever locked out of the 1Password account, the code you need to get back in is inside it. Keep the admin account's own 2FA secret somewhere that does not depend on signing in to 1Password.
Now each user will:
- Get an email and create their own 1Password account. They will have to choose a strong master password and will be issued a Secret Key as well. Both are needed to access the account.
- At this point the user will be signed in but will not see any shared vaults.
- They can then download the mobile apps; this is a little confusing, but the Mac and PC apps work the same way. When adding the account to another device, you can scan the QR code shown in the web console and the account details get entered automatically.
- Finally, set up the 1Password apps on your Android and iPhone so you can sign in and generate 2FA codes from there as well.
This is super confusing, and the user interface doesn't tell you that you don't get any access to shared vaults until the administrator does some more work:
- Once the user has signed in, the admin has to go to the admin console and confirm (accept) the new member.
- This is also the point where the admin can promote users to administrators.
At this point, you have a locked-down master admin and you can work away. Good luck!