Big Tech companies have recently made headlines by pledging to move away from traditional passwords in favour of a more modern solution: passkeys. But for Anna Pobletts, the advent of passkeys is nothing new.
Two years ago, Pobletts co-founded and was CTO of Austin, Texas-based startup Passage, which focused on making the predecessor to passkeys, an API called WebAuthn, accessible to developers and businesses that were looking to implement passwordless authentication.
In only the second year of its existence, Passage caught the eye of another major player in the authentication space: 1Password, the password manager used by millions and one of Canada’s most valuable tech companies.
Over the past year, the Canadian company with “password” in its name has been explicit about its desire to build a future without them. Since joining the FIDO Alliance in June, 1Password has signalled that it’s all in on passkeys, and its acquisition of Passage in November marked a new step towards this vision.
1Password feels it is in a critical 18-month window to usher in passkeys, and Pobletts, now head of passwordless at 1Password, is at the forefront of this charge.
To understand how 1Password is approaching its passwordless future, it’s first important to understand passkeys. Tracing their roots to WebAuthn, passkeys enable users to log into apps or websites with just their username and pre-authenticated device, using a cryptographic token instead of a password or text message code.
The FIDO Alliance, which includes 40 board-level members such as Amazon, Apple, Google, and 1Password, initially developed the standard behind passkeys. However, the implementation of this technology will vary between companies. 1Password, for example, is looking to implement “Universal Sign On,” which it hopes will be a more seamless and secure sign-in experience that utilizes passkeys, passwords, and other forms of authentication.
Those familiar with 1Password’s product might contemplate the distinction between a passkey and the company’s current “secret key,” which unlocks users’ password vaults. Pobletts explained that while passkeys and secret keys are both built on public key cryptography, passkeys don’t require a string of memorized letters and numbers. With passkeys, users only need a chosen authenticator, such as a phone or PC, and the device will authenticate them using a face scan or fingerprint.
Passkeys have gained steam in recent months because of their ability to dance the line between security and usability. With a full 256 bits of entropy (a measure of the randomness of a data-generating function in cryptography), Pobletts said they’re far more resistant to phishing or cracking. They also leave out the hassle of multi-factor authentication. “I think it’s a combination of those two things that have actually made this the first time that replacing passwords really seems viable,” she added.
1Password already offers a demo showcasing what its implementation of passkeys will look like. Instead of filling in a password when signing up for a new account, users only need to enter their email and in one click, 1Password’s browser extension creates a unique passkey.
Angles of attack
As 1Password shifts to this new form of authentication, timing is everything. Tech giants like Apple, Google, and Microsoft all announced plans last year to implement passwordless sign-in across their platforms, which is why 1Password chief product officer Steve Won recently told TechRepublic the company is now in a “key 18-month window” in going passwordless.
Pobletts described the shift as an “evolving” endeavour for 1Password. “It’s not going to be like we implement passkeys, and then authentication is solved,” she added. However, 1Password has already made some moves and plans to launch more passwordless-related offerings in the coming months.
Pobletts said 1Password is tackling its passwordless evolution from several angles simultaneously. The first angle is about “eating your own dog food,” Pobletts said, which means making passkeys a way for users to log into 1Password itself, a feature the company plans to make available this summer.
Secondly, 1Password wants to help its current users transition to passkeys, which means adding more features to help customers store, manage and create their passkeys in the company’s existing password manager. The company is also exploring ways for users to export passkeys to other password managers.
1Password is also looking to help developers build passkey support into their apps and websites, since most services are still far off from accepting passkeys. Since joining 1Password in November, the Passage team has been focused on developing passkey-first authentication for consumer-facing businesses, such as e-commerce stores or booking websites, to set passwordless adoption in motion.
In recent months, 1Password has made a few other moves related to going passwordless. Since launching its universal sign-on in beta last June, the company has made “unlock with single sign-on” available for enterprise customers using Okta, with Azure AD and Duo to follow in the coming months. Pobletts called this move a “good first step towards passwordless.”
“We absolutely want to do more things in that direction; giving people not only Okta support for logging in, but also passkey support for logging in,” she added.
Tearing down the walled garden
1Password’s timeline to passwordless is being fuelled, in part, by the growing sophistication and increased threat of security breaches. One report from HackerOne found that ethical hackers were able to discover over 65,000 software vulnerabilities in 2022 alone, up by 21 percent from 2021.
Another study pointed to more than 4,100 publicly disclosed data breaches that took place in 2022, exposing a total of 22 billion records. Some of these breaches have impacted organizations in 1Password’s domain, such as American password manager LastPass, which was impacted by a data breach last year that saw hackers access the company’s encrypted password vaults.
“I think now we are at a really important turning point,” Pobletts said. “Over 80 percent of breaches in the last year or two were related to credential theft in some way. That’s crazy.”
Another factor driving 1Password’s shift to passwordless is competition, as Big Tech companies and competing password managers like NordPass and Dashlane are all working to implement passkeys. Pobletts emphasized that 1Password has collaborated closely with its Big Tech counterparts through the FIDO Alliance over the last year. Still, she believes 1Password is “very uniquely positioned” to ensure that users have a choice in how they manage their online identities.
Google, Microsoft, and Apple have taken a more conciliatory approach than usual in order to expand the FIDO standard. However, at an individual level, each company is independently working to incorporate passkeys into its own ecosystem. If 1Password’s implementation of passkeys is successful, the company could, unlike its competitors, provide ecosystem-agnostic passkey portability, without requiring users to swear passkey fealty to one cloud provider.
“I have a MacBook and I have an Android phone, so I use a variety of different platforms in my day-to-day life, and using a tool like 1Password to store my passkeys makes that way easier,” Pobletts said. “I don’t have to worry about which device my passkey is on; my 1Password is on every device I own.”
But for a company with “password” in its name, it’s natural to question how this new paradigm will influence 1Password’s core value proposition. CEO Jeff Shiner told BetaKit last year that he believes traditional passwords aren’t going away anytime soon, and that 1Password’s core focus on authentication management is very much needed, regardless of the form that authentication takes. It’s a sentiment that Pobletts shares, though she envisions passwords becoming a “smaller section” of the authentication puzzle going forward.
“The core mission and value of 1Password has always been focused on just making it easier for people to be secure online, despite the name, which I’m sure garners a lot of jokes,” Pobletts added. “It’s not really about passwords. Specifically, it’s about whatever that technology needs to be to make security easier and more human-centric online.”