I think people generally want to use and remember one password. I already have multiple organizations where I have password managers in use - ok, I can reuse the same password for all those password manager accounts. However, it’s damn annoying to re-login or even use the browser profiles. Those who would want to use the browser profiles should be allowed to, but that should not be a reason for not supporting quicker switching for those who don’t follow such tight organizational policies of separating the personal and organizational accounts with browser profiles. But I see it also as a risk: if organizations make it too difficult to use for a normal user, they are probably going to store the organizational credentials in their personal account anyway, because the users just get bored of switching. And there is currently no setting to limit the email domains the invited user could log in with? I mean limited to signing up to Bitwarden with the organisation email only that was used originally? This is one of the aspects where, for example, LastPass has failed.
The above said, I would consider implementing the multiple account support the following way:
- A user may register as any user (it doesn’t matter if they first registered as a personal user by signing up or as an organisational member by being invited by someone else)
- The user can add any number of email addresses to their account, pretty much the same way GitHub does it.
- The organizational memberships can be associated with one of the organizations a user belongs to.
- When a user saves a new password they would choose the personal or organisation account where the password is stored.
But now I also have to say where Bitwarden is bad. Think about a situation when a user is removed from an organisation because their contract ends or is terminated, or the member’s account is suspected to be hacked, or there is a high risk of it, e.g. a lost device like a lost laptop or mobile phone. Then what does the organization’s CIO want to happen? To close all work-related accounts the employee had, or to transfer the accesses to another person(s). Currently Bitwarden does not support that for those vault items that were not shared.
So I think it would make a lot of sense that if a user is removed from an organisation, then they would lose all access to the vault items of that organization. Currently Bitwarden does not do that - it only removes access from the shared items. As for a second additional feature, the organisation manager or someone in the organization’s IT management should be able to see where the organization members have created accounts, to be aware of those - there could be a list by person, and the event log could show whenever an organisation member had created access to a new system. Many organizations are not aware of what accounts they have and where.
If Bitwarden worked like I described, it would actually be jumping to a whole new level of business, because instead of being a password manager it would be an organizational access management tool:
- You know where your organisation members have created accesses, regardless of whether an organisation member has created it or it’s a shared password. Just a note: I think creating shared credentials is usually bad practice, and many organizational policies might disallow them.
- When you need to remove organisation members, you know you can take their access away from all the systems they earlier had access to, and potentially transfer the access credentials to another person in the organization. Now you might say that it actually does not remove the access from the target systems, but at least when an organisation has the list of places their member had registered, they could more easily then go to every system and remove them manually or via an API integration.
When it comes to the actual password policies (how long and complex passwords are, what their expiry/change frequency is) and the use of two-factor authentication, these could also be set on a per-organization basis, and I don’t see a big conflict in that area, as the user then just has to follow those policies even when accessing their personal “space” in the password vault.
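The post above proposes a data model (one account with several e-mail addresses, vault items saved into a personal or an organisation scope, an org-level report of where members created accounts, and offboarding that revokes or transfers org-scoped items). The following is an added toy model of those semantics written for this page; it is not Bitwarden's code or API, and every name in it (`Vault`, `VaultItem`, `remove_member`, the sample users and sites) is an assumption made for illustration. The point it shows is that revocation is driven by membership, not by whether an item was shared, and that the offboarding call returns the checklist of external systems that still need their access removed.

```python
"""Toy model of the multi-account / offboarding behaviour proposed in the post.
Added example, not Bitwarden's code or API; all names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VaultItem:
    item_id: str
    site: str                 # the external system the credential gives access to
    scope: str                # "personal:<user>" or "org:<org>", chosen on save
    created_by: Optional[str] # member who registered the account; None = held by the org


class Vault:
    def __init__(self):
        self.emails = {}   # user -> set of login e-mail addresses (GitHub-style)
        self.members = {}  # org -> set of users
        self.items = {}    # item_id -> VaultItem
        self.log = []      # (event, detail) tuples: the proposed event log

    def add_user(self, user, email):
        self.emails.setdefault(user, set()).add(email)

    def add_email(self, user, email):
        # A second address attached to the same account, so an invite to the
        # work address does not create a separate login.
        self.emails[user].add(email)

    def add_member(self, org, user):
        self.members.setdefault(org, set()).add(user)
        self.log.append(("member_added", f"{org}:{user}"))

    def save_item(self, user, scope, site):
        # The saving user picks the storage scope; org scope requires membership.
        if scope.startswith("org:") and user not in self.members.get(scope[4:], set()):
            raise PermissionError(f"{user} is not a member of {scope}")
        if scope.startswith("personal:") and scope != f"personal:{user}":
            raise PermissionError("cannot save into another user's personal space")
        item_id = f"item{len(self.items) + 1}"
        self.items[item_id] = VaultItem(item_id, site, scope, user)
        self.log.append(("account_created", f"{user} registered at {site} ({scope})"))
        return item_id

    def visible_items(self, user):
        # Personal items: always the owner's. Org items: the creator, but only
        # while they are still a member of that org.
        out = []
        for it in self.items.values():
            if it.scope == f"personal:{user}":
                out.append(it.item_id)
            elif it.scope.startswith("org:"):
                org = it.scope[4:]
                if user in self.members.get(org, set()) and it.created_by == user:
                    out.append(it.item_id)
        return sorted(out)

    def accounts_report(self, org):
        # The per-member list of systems an org admin would review.
        report = {}
        for it in self.items.values():
            if it.scope == f"org:{org}":
                report.setdefault(it.created_by or "<unassigned>", []).append(it.site)
        return {k: sorted(v) for k, v in report.items()}

    def remove_member(self, org, user, transfer_to=None):
        # Offboarding: membership goes away, every org-scoped item the member
        # created is transferred (or held by the org), and the list of sites
        # is returned so access can be revoked on the target systems.
        if user not in self.members.get(org, set()):
            raise KeyError(f"{user} is not a member of {org}")
        if transfer_to is not None and transfer_to not in self.members[org]:
            raise ValueError(f"{transfer_to} is not a member of {org}")
        self.members[org].discard(user)
        revoke = []
        for it in self.items.values():
            if it.scope == f"org:{org}" and it.created_by == user:
                it.created_by = transfer_to
                revoke.append(it.site)
        self.log.append(("member_removed", f"{org}:{user} -> {transfer_to or 'org-held'}"))
        return sorted(revoke)


def demo():
    # Constructed sample data for the walk-through.
    v = Vault()
    v.add_user("alice", "alice@example.com")
    v.add_email("alice", "alice@acme.example")   # same account, work address
    v.add_user("bob", "bob@acme.example")
    v.add_member("acme", "alice")
    v.add_member("acme", "bob")
    v.save_item("alice", "personal:alice", "bank.example")
    v.save_item("alice", "org:acme", "crm.example")
    v.save_item("alice", "org:acme", "ci.example")
    before = v.visible_items("alice")
    revoke = v.remove_member("acme", "alice", transfer_to="bob")
    return v, before, revoke


if __name__ == "__main__":
    v, before, revoke = demo()
    print("alice before:", before, "after:", v.visible_items("alice"))
    print("systems to revoke for alice:", revoke)
    print("acme report:", v.accounts_report("acme"))
```

In the demo, Alice's personal item survives offboarding untouched, both org-scoped items move to Bob, and the returned list of sites is exactly the manual or API-driven revocation checklist the post asks for.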