Can I segment my vault with primary and secondary passwords?

Recently the “Master password reprompt” feature was released, and while it’s useful, the docco says it’s mostly cosmetic rather than actually adding an extra layer of cryptographic security.

I would like to have my vault segmented into things that require a master password entry to view/fill, and ones that can be accessed with a secondary password and/or biometrics. Master password can unlock and edit the whole vault, secondary can only unlock and edit a subset (e.g. vault minus bank/email credentials and SSH private keys).

I understand that I could create an organisation for myself, make collections for these segmented “vaults”, have two accounts for myself in that organisation and only share certain credentials with each one but I feel like this is clunky for a few reasons:

  • I have to have two accounts logged in on all my devices and switch between which one is primed
  • I can get sync issues where the secondary account creates a login for that local account, rather than adding to the organisation collections
  • I have to manage an “organisation” which is actually just myself
  • I need an email address for each account
  • I need to pay for multiple premium subscriptions to make each account full featured

I’ve seen that “Client profiles” are a roadmap item, but I can’t find much documentation of what it will look like or whether it will be relevant here.

I understand that crypto sec is difficult stuff, and it’s not exactly simple to have two keys that can operate different aspects of the same vault, not to mention integrating with the autofill capabilities of devices like browser plugins or phone stuff. I understand the feature might not exist or is not very feasible, but has anyone else tried to get this to work, and is there just an “oh yeah do this” that solves the things I’m after?

Thanks!

As I understand it, you want to segment secrets into two collections: one of a low security level (requiring a single factor of authentication), and one of a higher security level (requiring an additional factor).

I am after the same thing. My use case is to be able to unlock less sensitive secrets in a less secure environment (for example, on the metro where there are security cameras everywhere), while waiting until I’m in a more secure environment/machine to unlock highly sensitive secrets.

My current solution is to use two password managers, and split highly sensitive secrets between the two systems. For example, storing the account password in system1 and the 2FA key in system2. Splitting across multiple password managers also protects against supply chain attacks / bugs / insider threats that could compromise a single password manager.

But ideally something like this would be supported natively.
I’m also interested to know what solutions others have come up with.

See TGreer’s reply to this comment: Bitwarden Roadmap - #125 by Rayman

It seems our desire is somewhat a duplicate of this: Nested vaults to implement multiple security levels

So Bitwarden is aware of it, but it is not scheduled for work.

Yours is an understandable workaround, particularly with your security desires. I think I find multiple providers impractical because I’d rather not have the overhead of manually syncing between them.

I think I’m likely to use the organisation option in preparation for the profiles functionality coming up later in Q3/4.