Emergency access and account recovery are critical components of any 1Password deployment. Without proper recovery options configured, users who forget their credentials could lose access to all their stored passwords permanently. This guide covers all recovery mechanisms available in 1Password Business.
Prerequisites
Before you begin, ensure you have:
- A 1Password Business account with owner or admin access
- Access to your current account (you cannot set up recovery once you are locked out)
- A secure storage location for your Emergency Kit and recovery codes
- An understanding of your organization's security and compliance requirements
Understanding 1Password's Recovery Options
1Password provides multiple recovery mechanisms:
| Recovery Method | Who Can Use | Best For |
|---|---|---|
| Emergency Kit | Account holder | Personal recovery, new device setup |
| Recovery Code | Account holder | Forgotten password recovery |
| Team Recovery | Admins/Owners | Helping locked-out team members |
| SCIM Recovery | Identity provider admins | Enterprise environments |
Step 1: Set Up Your Emergency Kit
The Emergency Kit is a PDF document containing your critical account information.
What's Included
Your Emergency Kit contains:
- Sign-in address: Your team's 1Password URL
- Email address: The email associated with your account
- Secret Key: Your unique cryptographic key
- Space for account password: Write this in by hand
Download Your Emergency Kit
- Sign in to 1Password.com
- Click your name in the top right corner
- Select Manage Account
- Click Save Emergency Kit
- Follow the prompts to download the PDF
Fill In Your Emergency Kit
After downloading:
- Print the Emergency Kit
- Write your account password in the designated space by hand
- Do not store a digital copy with the password filled in
Store Your Emergency Kit Securely
Recommended storage locations:
| Location | Security Level | Accessibility |
|---|---|---|
| Safe deposit box | High | Low |
| Fireproof home safe | High | Medium |
| With passport/birth certificate | Medium | Medium |
| Trusted family member | Medium | High |
Important: Store in multiple secure locations for redundancy.
Emergency Kit Best Practices
- Never email or message your Emergency Kit
- Don't store in cloud services with password filled in
- Update when you change your account password
- Consider a sealed envelope with tamper-evident features
- Inform a trusted contact where it's stored
Step 2: Set Up a Recovery Code
Recovery codes provide an alternative way to regain access if you forget your account password.
Generate a Recovery Code
- Sign in to 1Password.com
- Click your name in the top right corner
- Select Manage Account
- Choose Sign-in & Recovery
- Click Set up recovery code
- Follow the on-screen instructions
- Save the recovery code immediately
Store Your Recovery Code
Your recovery code should be stored:
- Separately from your Emergency Kit
- In a secure, accessible location
- Optionally, in a backup password manager (a different service)
- With a trusted family member or attorney
Recovery Code Characteristics
- Reusable: Can be used multiple times
- Permanent: Remains valid until manually regenerated
- Powerful: Allows full password reset
- Sensitive: Treat like your master password
Step 3: Configure Team Account Recovery
For 1Password Business, administrators can recover team member accounts.
Understand Recovery Permissions
| Role | Can Recover Accounts |
|---|---|
| Owners | Yes, all accounts |
| Administrators | Yes, if granted permission |
| Recovery Group | Yes, members of designated group |
| Team Members | No |
Set Up the Recovery Group
- Sign in as an owner on 1Password.com
- Navigate to Groups
- Create or identify a Recovery group
- Click Permissions
- Enable Recover Accounts
- Add trusted administrators to this group
- Click Save
Recovery Best Practices for Teams
- Have at least two people with recovery permissions
- Include people in different locations/time zones
- Regularly verify recovery group membership
- Document the recovery request process
Step 4: Recover a Team Member's Account
When a team member is locked out:
Initiate Recovery
- Sign in to 1Password.com as an owner/admin with recovery permissions
- Click People in the sidebar
- Find the locked-out team member
- Click their name
- Click Begin Recovery below their name
Complete Recovery Process
- 1Password generates a recovery link
- Securely share the link with the team member:
  - Use a verified phone call
  - In-person is best
  - Don't email if email is compromised
- Team member clicks the link
- They create a new account password
- They receive a new Secret Key
Post-Recovery Steps
After recovery:
- Team member downloads new Emergency Kit
- Team member sets up new recovery code
- Verify they can access all necessary vaults
- Document the incident for compliance
Step 5: Use Your Recovery Code
If you're locked out and have a recovery code:
Recovery Process
- Go to 1Password.com
- Click Sign In
- Enter your email address
- Click Forgot Password? or Can't sign in?
- Select Use Recovery Code
- Enter your recovery code
- Complete email verification
- Create a new account password
- Download your new Emergency Kit (new Secret Key)
After Using Recovery Code
- Update your Emergency Kit immediately
- Store the new Emergency Kit securely
- Your recovery code remains valid for future use
- Consider whether your password management practices need improvement
Step 6: Implement Emergency Access Policies
Create an Emergency Access Plan
Document procedures for:
- Employee lockout: Who to contact, verification steps
- Admin lockout: Backup recovery contacts
- Owner lockout: Board/executive procedures
- Mass lockout: Identity provider failure response
Policy Template
EMERGENCY ACCESS POLICY
Recovery Contacts:
- Primary: [Name] - [Contact Method]
- Secondary: [Name] - [Contact Method]
Verification Requirements:
- Identity verification via [method]
- Manager approval for [role types]
Recovery Procedures:
1. User contacts [department]
2. Identity verified via [method]
3. Recovery initiated by [role]
4. New credentials communicated via [secure channel]
Audit Requirements:
- All recoveries logged in [system]
- Monthly review of recovery events
Integrate with HR Processes
Onboarding:
- New employees set up Emergency Kit on day one
- Recovery code setup as part of security training
- Document storage location acknowledgment
Offboarding:
- Remove from recovery groups
- Suspend account (don't delete immediately)
- Archive vault access for compliance
Step 7: Test Your Recovery Procedures
Quarterly Recovery Drills
- Select a test user (or create test account)
- Simulate lockout scenario
- Time the recovery process
- Document issues encountered
- Update procedures as needed
Verify Recovery Contacts
Monthly verification:
- Confirm recovery group members are current
- Verify contact information is accurate
- Ensure backup contacts are available
- Test communication channels
Troubleshooting Recovery Issues
Can't Find Emergency Kit
Solutions:
- Check all secure storage locations
- Look for a digital copy (saved without the password)
- Contact 1Password support with account verification
- Use recovery code if available
- Request team recovery if applicable
Recovery Code Not Working
Solutions:
- Verify you're entering the code correctly
- Check for extra spaces or characters
- Ensure you're using the correct account email
- Regenerate a new code if you have access
Team Recovery Not Available
Solutions:
- Verify someone has recovery permissions
- Check if the user account is suspended
- Ensure you're an owner or in the Recovery group
- Contact 1Password support for enterprise accounts
New Secret Key After Recovery
This is expected behavior:
- Recovery generates a new Secret Key for security
- The old Secret Key is invalidated
- Download and store the new Emergency Kit
- Update any stored copies of the old Emergency Kit
Special Considerations for Compliance
Audit Trail
All recovery events are logged in 1Password:
- Navigate to Reports > Activity Log
- Filter for "Recovery" events
- Export for compliance documentation
Regulatory Requirements
| Regulation | Consideration |
|---|---|
| SOC 2 | Document recovery procedures and access controls |
| HIPAA | Ensure recovery doesn't expose PHI inappropriately |
| GDPR | Consider data access implications of recovery |
| SOX | Maintain separation of duties in recovery permissions |
Recovery Documentation
Maintain records of:
- Recovery policy and procedures
- Recovery group membership changes
- All recovery events with timestamps
- Periodic testing results
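The monthly review of recovery events can be run as a script over your organization's own recovery register; this is an added example, not code from the original guide or from 1Password. The register fields, the addresses, the 30-day repeat window and the rule that any email delivery of a recovery link is flagged for follow-up are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions about your own register.
RECOVERY_GROUP = {"alice@example.com", "bob@example.com"}
REGISTER = [
    {"time": "2024-03-04T09:12:00", "subject": "carol@example.com",
     "initiator": "alice@example.com", "approved_by": "bob@example.com",
     "verified_by": "video call", "link_channel": "phone", "new_kit": True},
    {"time": "2024-03-11T22:47:00", "subject": "erin@example.com",
     "initiator": "bob@example.com", "approved_by": "bob@example.com",
     "verified_by": "", "link_channel": "email", "new_kit": False},
    {"time": "2024-03-19T10:05:00", "subject": "carol@example.com",
     "initiator": "dave@example.com", "approved_by": "alice@example.com",
     "verified_by": "in person", "link_channel": "in person", "new_kit": True},
]

def review_event(event, members):
    """Return policy findings for one recovery record."""
    findings = []
    if event["initiator"] not in members:
        findings.append("initiator not in recovery group")
    if event["initiator"] == event["approved_by"]:
        findings.append("initiator approved own request")
    if not event["verified_by"].strip():
        findings.append("no identity verification recorded")
    if event["link_channel"].lower() == "email":
        findings.append("recovery link sent by email")
    if not event["new_kit"]:
        findings.append("new Emergency Kit not confirmed")
    return findings

def repeat_recoveries(register, window_days=30):
    """Subjects recovered more than once within window_days."""
    last_seen, repeats = {}, set()
    for event in sorted(register, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        prev = last_seen.get(event["subject"])
        if prev is not None and when - prev <= timedelta(days=window_days):
            repeats.add(event["subject"])
        last_seen[event["subject"]] = when
    return sorted(repeats)

def monthly_review(register, members, min_members=2):
    events = {e["time"]: review_event(e, members) for e in register}
    return {"group_too_small": len(members) < min_members,
            "events": {t: f for t, f in events.items() if f},
            "repeats": repeat_recoveries(register)}

if __name__ == "__main__":
    print(monthly_review(REGISTER, RECOVERY_GROUP))
```

Compare the register against the exported Activity Log for the same period: a recovery that appears in the log but not in the register is itself a finding.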
Next Steps
After setting up emergency access:
- Train team members: Ensure everyone knows recovery options
- Document procedures: Create runbooks for IT support
- Schedule reviews: Quarterly verification of recovery contacts
- Test regularly: Conduct recovery drills
- Monitor activity: Review recovery events for anomalies