Our company uses enterprise SSO with trusted devices.
So, our users who are not admins of the org do not have a master password.
If I’m not mistaken, in case of a device compromise (malware infection, device loss, etc.) the recommended thing to do is to rotate the account encryption key.
Even more if that device is a trusted one, I guess…
I was told that, as of now, there is no way to rotate the account encryption key if the account uses enterprise sso and has no master password.
The only way to ensure that a compromised trusted device will not be able to access the account is to delete that account and create a new one.
This means having to repeat all the tasks related to onboarding that account to the enterprise organization.
Plus all the exporting and importing of the account's vault data.
This last bit means losing metadata associated with all items. And if the account has several attachments, this can translate to a significant amount of work, downloading and re-uploading all of them.