BG Beter Geregeld ICT
Offboarding · 2 min read · 17 January 2026

Vault handover: stop credentials from walking out the door with a departing employee

Shared logins only one person knew, API keys stored in their personal vault, 2FA tokens tied to their private phone. Here's how to prevent those "oh no" moments.

The classic offboarding nightmare: someone leaves, and a week later you discover they were the only person who knew the password for the company account on service X. They're not picking up. Problem.

Prevention at three levels

  1. No personal vaults for business credentials. Anything work-related goes into a shared vault (team or vault system). Personal 1Password accounts are for private use.
  2. At least 2 people per critical credential. See privileged access — make sure at least 2 people hold admin rights.
  3. No 2FA tied to a personal phone. Use shared-token solutions (1Password TOTP, Keeper) or company hardware tokens.

During the offboarding itself

  1. Create a list: which vault items will be lost when this person leaves? Those need to be handed over.
  2. For each item: explicit handover to a successor, followed immediately by a password change (just to be safe).
  3. 2FA tokens: re-issue or migrate to a shared/team system.
  4. Record a log entry with the date and the items handed over.
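
The four steps above as a small script. This is an added example, not code from the original article. The inventory format, field names, and people are constructed assumptions, and it goes slightly beyond the list by also scheduling a password change for items the leaver shared with others.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions, not a real vault export format.
INVENTORY = [
    {"item": "service-x-admin", "vault": "personal", "holders": ["alice"], "totp": "phone:alice"},
    {"item": "dns-registrar", "vault": "shared", "holders": ["alice", "bob"], "totp": "shared"},
    {"item": "billing-api-key", "vault": "shared", "holders": ["alice", "bob", "carol"], "totp": None},
    {"item": "ci-deploy-token", "vault": "shared", "holders": ["bob", "carol"], "totp": "hardware"},
    {"item": "backup-console", "vault": "shared", "holders": ["bob", "carol"], "totp": "phone:alice"},
]

def handover_plan(inventory, leaver, min_holders=2):
    """List every item the leaver touches, with the actions needed before they go."""
    plan = []
    for entry in inventory:
        holds = leaver in entry["holders"]
        totp_on_phone = entry.get("totp") == f"phone:{leaver}"
        if not (holds or totp_on_phone):
            continue  # the leaver has no stake in this item
        remaining = [h for h in entry["holders"] if h != leaver]
        actions = []
        if entry["vault"] == "personal":
            actions.append("move to shared vault")
        if holds and len(remaining) < min_holders:
            actions.append(f"hand over to successor ({len(remaining)}/{min_holders} holders remain)")
        if holds:
            actions.append("change password or rotate key")
        if totp_on_phone:
            actions.append("re-issue 2FA on shared TOTP or company hardware token")
        # Lost on exit: nobody else holds the secret, or the 2FA lives on the leaver's phone.
        lost = (holds and not remaining) or totp_on_phone
        plan.append({"item": entry["item"], "lost_on_exit": lost,
                     "remaining_holders": remaining, "actions": actions})
    # Items that would be lost come first, then the rest alphabetically.
    return sorted(plan, key=lambda p: (not p["lost_on_exit"], p["item"]))

def log_entry(plan, leaver, when):
    """Offboarding log record: the date plus each item and what was done to it."""
    return {"date": when.isoformat(), "leaver": leaver,
            "items": {p["item"]: p["actions"] for p in plan}}

if __name__ == "__main__":
    plan = handover_plan(INVENTORY, "alice")
    for p in plan:
        print(p["item"], "->", "; ".join(p["actions"]))
    print(log_entry(plan, "alice", date(2026, 2, 1)))  # constructed date
```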

After the offboarding

Review during the next quarter: are we still stumbling across credentials that were missed in the handover? You'll usually find 1–2 more "oh, and this one too" moments within a month.

See also: shared password management, offboarding pillar.

Topics

#offboarding #vault #credentials

Full guide: Airtight offboarding in 12 steps

This article is part of our comprehensive Offboarding guide. Read the pillar for the full picture.