1Password CEO on why good online security doesn’t have to be complicated

The challenge for companies selling password managers has historically been getting people to accept how bad humans are at creating and remembering passwords. Now these companies face an evolved version of that challenge: convincing people not to rely on password-manager apps from one of the giant tech companies they already spend so much time with, starting with Apple and Google.

One of the companies that’s been toiling longer than most to heal password hell, 1Password, has been working this new problem both by pitching itself as an alternative to getting further locked into Apple and Google’s ecosystems and by branching into security and identity services for businesses.

Speaking between panels at the Collision conference in Toronto, CEO Jeff Shiner says he isn’t worried about competing with those two, even after Apple’s unveiling of a Passwords app for iOS, iPadOS, macOS and Windows at WWDC earlier in June.

Competing with the big two

“As much as I would love to be able to influence billions of people, it’s really the small group of platform players—the Apples, the Microsofts, the Googles—that can influence billions of people,” he says. “And anytime they are influencing billions of people to have better security hygiene, it’s always been positive for us.”

Shiner recalls that 1Password’s business doubled “virtually overnight” after Apple announced its iCloud Keychain password manager in 2013. The Toronto firm, unlike such competitors as Bitwarden, does not offer a free tier, instead charging subscription fees: $35.88 a year for an individual account, $59.88 for a family account covering up to five members.

A survey conducted by Security.org and published last September found that 8% of respondents reported using 1Password as their primary password manager, putting it in fourth place after Google (30%), Apple (19%) and LastPass (10%).

But 1Password has also been building out a business among businesses that need help managing security for their employees—not just password management, but a suite of “extended access management” security services.

“From a revenue perspective, the vast majority of it is B2B,” Shiner says of the company’s business these days.

But that, too, can get 1Password into the hands of more people as part of what Shiner calls a “protecting the human being” strategy in which every corporate user gets a free 1Password family account.

“We have to do that at work and at home,” he says, pointing out that people are unlikely to firewall bad password habits inside their abodes: “If I’m going to use ‘fluffycat’ at home, what am I going to bring into work?”

The rise of hybrid work schedules after many failed attempts by employers to force a full-time return to office has only made that work-versus-home boundary more porous. Shiner says 1Password’s own history allows it to benefit from learned experience: “We’ve been remote from day one, so we had an easier time than most.”

Passkey pains

1Password has also tried to set itself apart from competitors with its aggressive support for passkey authentication, in which you log in to a site by having a device send that site a cryptographically signed response after you unlock the device via biometric security.

But confusion persists about how they work and why you’d want to use one. Shiner suggests that passkeys’ ease of use has people thinking there must be a catch: “People still have this belief that in order for something to be secure, it must be difficult.”

It doesn’t help that the rollout of passkey authentication remains weirdly uneven; for example, Hyatt offers it while Marriott does not, and British Airways’ addition of that option has yet to be matched by any of the largest U.S. airlines.

Admitting that we’re “now about a year behind where I expected it to be,” Shiner still expects that competitive pressure will drive more companies to streamline their sign-in experiences with passkeys.

“The companies that support passkeys fairly quickly recognized that they’re removing a significant area of friction,” he says. “And then it will start to transition into the companies that don’t have it will have a competitive disadvantage.”

AI will hurt—but might also help

Passkeys also offer the security upgrade of being phishing-proof: Like USB security keys, they only work on the correct domain. And Shiner, like many people in information security, expects that generative artificial intelligence will make the phishing problem much worse.
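The domain binding that makes passkeys phishing-resistant is enforced on the site's side when it checks a WebAuthn assertion. The following is an added illustration, not 1Password's code or any real site's implementation: it assumes a hypothetical relying party (`RP_ID` and `ALLOWED_ORIGINS` are constructed values) and builds the browser-side client data itself so it can run offline. It shows why an assertion produced on a look-alike domain is rejected before any signature is even examined.

```python
import base64
import hashlib
import json

# Hypothetical relying party configuration (constructed for this example).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Check the domain-binding parts of a WebAuthn assertion.

    The signature over (authenticatorData || SHA-256(clientDataJSON)) is verified
    separately against the stored public key; this only covers the checks that
    tie the assertion to the genuine site and to a fresh challenge.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale challenge)"
    origin = client_data.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        # A phishing page gets the browser's real origin written here, not ours.
        return False, f"origin {origin!r} not registered for this RP"
    # First 32 bytes of authenticatorData are SHA-256 of the rpId the browser used.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Mimics the clientDataJSON a browser produces; constructed for illustration.
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags (UP set) + 4-byte signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
```

Because the browser fills in the origin and rpIdHash from the page the user is actually on, a credential exercised on an attacker's domain cannot be made to look like one from the genuine site.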

“It does content with context,” he warns. And with AI, the context can be a convincing con.

“They can start talking about things that are important to me, that matter to me. Perhaps even seemingly from people that similarly matter to me,” he says. “That can make it exceedingly difficult for a human being to understand the differences between the real world and a machine.”

He does not share the same optimism as other “infosec” types that gen AI can provide a boost to security.

1Password does use machine-learning models in limited roles, such as identifying username and password fields on individual sites, but Shiner notes that the company can’t train these models as fast as others because doing real-time tracking of people’s sign-in activity would compromise the entire security basis of its software.

“We can’t be training that model on live data, so we’ve trained that ourselves,” he says.

Asked where else AI might be able to add some value, Shiner pointed to the Watchtower feature that 1Password added in 2018—which checks saved logins for weak passwords, duplicate passwords or those that have already been exposed in data breaches.

But sometimes, Watchtower can expose an intimidating number of insecure passwords: “People can get overwhelmed and say, I’ll strengthen that later,” he says.

A well-trained AI model could identify accounts with the most potential exposure of somebody’s identity, communication or finances and tell people to fix those logins first.

“We can start to show you, hey, these are the three most important ones to you,” Shiner says. “You can get going, and you can take it a step at a time.”
