Purpose
This policy outlines how Catalyst staff must use 1Password to manage account credentials and two-factor authentication (2FA). It is designed with consistency, security, and continued team-wide access in mind.
General principles
- All Catalyst-related credentials (logins, passwords, and 2FA) must be stored and managed through 1Password.
- Personal phones or email addresses must never be used for Catalyst 2FA or backup access.
- Where appropriate, login details should be stored in the relevant shared vault to prevent workflow disruptions.
How we use vaults in 1Password
Different vaults and their uses
- Directors Vault
  - Stores all passwords that need to be accessible by everyone in the Catalyst team.
  - Examples: shared email logins, shared tools with only 1 login.
- Catalyst Shared Vault (Contractors)
  - For login details that external contractors or third parties (e.g. comms team, collaborators) may also need access to.
  - Use this when a tool or platform is shared beyond the Catalyst team.
- Employee Vaults (Private to each user)
  - For logins that are only needed by an individual user.
  - If there's a chance someone else might need access (e.g., backup admin), it belongs in the Directors Vault.
- Team-specific vaults (Optional)
  - If multiple credentials fall under the same theme (e.g., finance, HR), a dedicated vault can be proposed to help keep things organised.
- Avoid duplicate entries across vaults. Only save a login once, making sure it’s saved in the correct vault.
Account setup guidelines
- Setting up your 1Password account:
  - The only password 1Password cannot store for you is your master password to access 1Password. Make sure you choose a secure password. Keep this password safe, as gaining access to your 1Password account means gaining access to all your other accounts.
  - Keep your master password safe, and do not share it with anyone.
  - As a reasonable adjustment, you may save your 1Password master password in another password manager you may use outside of your work with Catalyst. However, you must never save any other passwords used for your work with Catalyst in any password manager other than the 1Password account set up for you by Catalyst. If you’d like to request this reasonable adjustment, please speak to your direct supervisor to discuss the details.
  - Once you set up your 1Password account, it is your responsibility to save your 1Password Emergency Kit into your Catalyst Google Drive account, should you need to refer to it in the future (e.g. when setting up 1Password on a new device).
- All new Catalyst accounts must:
  - Be created with strong, unique passwords generated by 1Password and stored directly in 1Password.
  - Catalyst login details must not be stored anywhere outside of 1Password.
  - If an account needs 2FA protection, 2FA must be enabled using 1Password’s built-in code generator.
  - Use a Catalyst-owned email ([email protected]) for backup or recovery. Never use personal email addresses or phone numbers as backups for any Catalyst accounts, regardless of whether the account is shared or for one’s own use only.
- 2FA setup: