The Importance of the Personal Vault for Business Users
For good password practices to become habits, they need to become personal.
We’re humans, after all, and not everyone follows every rule at work to the letter. Shortcuts get taken, rarely with bad intent, usually because they are the easiest path. Where sensitive information is concerned, that can mean sharing a credential through a less-than-secure channel just to get the job done quickly.
When it comes to passwords and sensitive information at work, the more proactively every employee participates, the stronger the company’s security posture. Our customers have told us that one way to encourage good password practices is to give employees a personal vault at work, alongside the Organization vault, within the same Bitwarden account. It can hold whatever credentials the employee wants to keep as their own.
Since Bitwarden began, the personal vault has been just that: personal. Even after joining an Organization, the personal vault portion of your Bitwarden account remained visible only to you; no one else in the Organization could access it. If you lost your master password, the personal vault could not be recovered, only deleted and started again from scratch. To date, not even a company administrator could help you regain access to those credentials.
This mirrors how Bitwarden Cloud treats individual accounts. Vault contents are encrypted end-to-end under keys derived from your master password, so Bitwarden has no way to read them. If an individual user loses their master password, there is nothing Bitwarden as a company can do beyond deleting the account and starting over from square one.
Bitwarden’s zero-knowledge encryption model means Bitwarden cannot see customer data, and a personal vault can stay personal, even from Organization administrators, if the user so chooses.
In the real world, however, someone inevitably forgets their vault password. Such is human nature.
As companies roll out password management to more users, it sometimes makes more sense for administrators to be able to reset a user’s master password and recover the account than to wipe it and start anew. We call this capability Account Recovery Administration (formerly Admin Password Reset), and it gives companies deploying Bitwarden a choice in how they handle continuity of use for employees. For example, an employee might spend time setting up their Bitwarden account and then, a few weeks later, forget their master password; without recovery, they would have to delete the account and populate the vault all over again. With this feature, that path becomes a password reset.
Coming soon, Bitwarden Enterprise customers will have an option to activate account recovery within their Organizations. Enterprise account recovery preserves continuity of use with the password manager, protecting the investment a company has made in onboarding and rollout.
At the same time, some organizations will prefer not to enable account recovery at all. In that mode, Organization administrators keep a hands-off approach to personal vaults, and end users are one hundred percent responsible for remembering their master password.
Better still, Bitwarden allows account recovery administration to be turned on without being required, so users choose for themselves. Do they prefer a scenario in which an administrator can reset their password, and with it gain visibility into their vault, or a zero-knowledge approach with individual responsibility for their master password?
Since this is a new capability for Bitwarden, we want to set out our thinking on how it is implemented.
This new capability remains consistent with the Bitwarden zero-knowledge encryption model.
When the company sets a policy for account recovery administration and an employee is enrolled (by opting in, or automatically under the policy), the employee’s client encrypts their account encryption key with the Organization’s public key and stores that ciphertext with the account. Only a holder of the Organization’s private key, that is, an administrator, can unwrap it; the unwrapped account key is then re-protected under a new master password, and the vault data itself is never re-encrypted. Because all of this happens on clients, Bitwarden’s servers only ever store ciphertext.
All other Bitwarden security frameworks remain in place.
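The escrow flow described above, as an added Go illustration written for this article (it is not Bitwarden’s code, and Bitwarden’s real key hierarchy, KDF parameters and wire formats differ). Assumptions: AES-256-GCM wraps the account key and vault data, RSA-OAEP wraps the escrow copy, a simplified iterated SHA-256 stands in for the password KDF, and the names `Account`, `Enroll`, `Withdraw`, `AdminReset` and `OpenVault` are invented here. The sample email, passwords and vault item are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed illustration of account-recovery key escrow; not Bitwarden's code. Assumed
// primitives: AES-256-GCM for wrapping, RSA-OAEP for escrow, iterated SHA-256 in place of a real KDF.

// Account is everything the server stores for one user: ciphertext only.
type Account struct {
	Email        string
	ProtectedKey []byte // account key wrapped under the master-password key
	EscrowedKey  []byte // account key wrapped under the Organization public key; nil when not enrolled
	VaultItem    []byte // vault data encrypted under the account key
}

// deriveMasterKey stretches the master password into a 32-byte AES key (simplified; real deployments use PBKDF2 or Argon2).
func deriveMasterKey(password, email string) []byte {
	key := sha256.Sum256([]byte(email + ":" + password))
	for i := 0; i < 10000; i++ {
		key = sha256.Sum256(append(key[:], password...))
	}
	return key[:]
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: nothing sensible to do but stop
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this would be a bug, not bad input
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
// seal encrypts with AES-GCM and prefixes a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}
// CreateAccount runs on the user's client: random account key wrapped under the master key, vault data under the account key.
func CreateAccount(email, password string, item []byte) *Account {
	accountKey := randomBytes(32)
	return &Account{
		Email:        email,
		ProtectedKey: seal(deriveMasterKey(password, email), accountKey),
		VaultItem:    seal(accountKey, item),
	}
}
// Enroll also runs on the user's client: unwrap the account key with the master password, wrap it under the Organization public key.
func Enroll(a *Account, password string, orgPub *rsa.PublicKey) error {
	accountKey, err := open(deriveMasterKey(password, a.Email), a.ProtectedKey)
	if err != nil {
		return err
	}
	a.EscrowedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, orgPub, accountKey, nil)
	return err
}
// Withdraw deletes the escrow copy, closing the administrator's path again.
func Withdraw(a *Account) { a.EscrowedKey = nil }
// AdminReset runs on an administrator's client holding the Organization private key: recover the
// account key from escrow and wrap it under a new master password. The vault data is never touched.
func AdminReset(a *Account, orgPriv *rsa.PrivateKey, newPassword string) error {
	if a.EscrowedKey == nil {
		return errors.New("user is not enrolled in account recovery")
	}
	accountKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, orgPriv, a.EscrowedKey, nil)
	if err != nil {
		return err
	}
	a.ProtectedKey = seal(deriveMasterKey(newPassword, a.Email), accountKey)
	return nil
}
// OpenVault is what a login does: master password -> account key -> vault data.
func OpenVault(a *Account, password string) ([]byte, error) {
	accountKey, err := open(deriveMasterKey(password, a.Email), a.ProtectedKey)
	if err != nil {
		return nil, err
	}
	return open(accountKey, a.VaultItem)
}
```

The asymmetry is the point: enrolling needs the user’s master password (only the user can put the key in escrow), recovering needs the Organization private key (only an administrator can reset), and the server holds neither. After `AdminReset` the old master password no longer unwraps anything, while the vault data, encrypted under the unchanged account key, is still readable with the new password. `Withdraw` just deletes the escrow copy, which is why an administrator cannot recover a user who has opted out.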
- This feature is only available on the current Enterprise plan.
- It is not available on Teams or Families plans.
- It is not available to individual users, whether in Bitwarden Cloud or self-hosted.
- Account recovery is implemented as a Bitwarden Enterprise policy.
- The policy is off by default.
- Turning the policy on exposes additional options, such as automatic enrollment of new Organization members during the invitation acceptance flow.
To understand the intended workflow of account recovery, let’s walk through two scenarios.
Company A: an existing Enterprise customer
- Company A is already on the Enterprise plan, and its existing users have been members of the Organization for the last 6 months.
- Many users have personal vaults.
- To date those personal vaults have been 100% personal, and everyone understands they are not accessible to company administrators.
- Company A applies the Account Recovery Administration policy.
  - If the policy is Enabled:
    - Existing users see no changes and are not automatically enrolled.
    - New and existing users get a new option under their Organization membership to enroll in account recovery if they wish.
    - Users also have an option to withdraw from account recovery.
  - If the policy is Enabled with Automatic Enrollment:
    - Existing users are unaffected; admins will need to audit who is enrolled and ask those users to enroll themselves.
    - Existing users are made aware that the policy lets admins reset their master password and, if they choose, potentially gain access to their vault.
    - Existing users who do not accept the policy still remain in the Organization.
    - The Organization member list shows, via an icon, who is currently enrolled.
    - Admins can manually remind users to enroll.
    - Admins can manually remove users from the Organization if they do not enroll.
    - Depending on company rules, a user removed from the Organization may keep their personal vault, change the account email to a personal address, and then rejoin the Organization with a new Bitwarden account under a company email address.
    - New users are automatically enrolled as part of the invitation process.
Company B: a net new Enterprise deployment
- Company B begins fresh, without any existing users, and turns on account recovery.
- New users are invited to the Organization, and a dialog appears during the invitation acceptance process.
  - If the policy is Enabled: upon accepting the invitation, users have the option to enroll in account recovery.
  - If the policy is Enabled with Automatic Enrollment: new users are automatically enrolled as part of the invitation process.
Which passwords can be changed?
The Account Recovery Administration policy applies only to the Bitwarden master password. Administrators cannot change any other password stored in a user’s vault, such as credentials for third-party sites.
What happens when Login with SSO is in place?
Bitwarden Login with SSO delegates authentication to the Identity Provider while keeping a Bitwarden master password for decrypting the vault. Account recovery affects only that Bitwarden master password; it does not touch the user’s credentials at the single sign-on Identity Provider.
What happens with two-step login or two-factor authentication?
Any existing two-step login configuration is left unchanged. If an administrator resets a user’s Bitwarden master password, the user’s two-step login remains in place.
What are account takeover scenarios?
With the ability to reset a user’s Bitwarden master password, an administrator could gain access to that user’s vault if the user does not have two-step login enabled.
If two-step login is enabled, an administrator who resets the user’s master password can lock the user out of their vault, but cannot log in as the user, because two-step login will stop them.
If Force SSO authentication is enabled, an administrator who resets the user’s master password can only log in if they also hold the user’s SSO credentials, which usually means taking over the user’s email account as well.
Want to get started with your own Enterprise deployment? Start a free trial at bitwarden.com/pricing/business.
Looking for yourself? Create a Basic Free Account and get a fully featured password manager to help you stay secure.
Editor's Note: This article was originally written on May 27th, 2021 and was updated on July 18th, 2022. An additional update was made July 18th, 2023 to reflect the updated name of the account recovery administration policy.