May 30, 2023 - Technology

Inside 1Password's plans to ditch the password

Illustration of a briefcase with a binary code combination lock with ones and and zeroes for options.

Illustration: Brendan Lynch/Axios

One of the most popular password security tools for consumers is getting ready for the inevitable: a world without passwords.

Driving the news: Next week, 1Password will start beta testing an expansion of its touchstone password manager that allows the tool to store passkeys.

  • Passkeys are basically a more secure replacement for phrase-based passwords. They often require facial recognition, touch ID or a hardware security key to log in to an online account.
  • I spent the last three weeks testing out 1Password's new passkey manager capabilities, and with it, logging in to different websites has been a far faster and easier user experience.

The big picture: Malicious hackers have increasingly relied on stolen passwords to launch attacks in recent years.

  • Most people typically reuse their passwords across accounts, making it easier for hackers to break into multiple accounts after finding just one leaked on the dark web. And cybercriminal groups have created a whole ecosystem online where they sell the stolen passwords they obtain during attacks.
  • In 2022, nearly three in 10 ransomware attacks started with attackers using a stolen password, according to Sophos' "State of Ransomware" report.

Between the lines: 1Password recognizes that its business model — providing a better way for people to create and store their passwords — will be upended as passwords become a thing of the past.

  • The company acquired Passage, an Austin, Texas-based startup that helps businesses support passkeys on their websites, last fall to jumpstart its next phase.
  • Now, 1Password's expansion of its password manager will help users transfer their device-based passkeys across multiple computers, phones and tablets.

What they're saying: "It's just become almost frustrating for people to remember how I signed in last time," Jeff Shiner, CEO of 1Password, told Axios.

How it works: Using 1Password's new passkey manager was seamless and simple.

  • I tested the Chrome browser extension that 1Password will start beta testing next week — but the test was available on only a handful of websites that support passkey logins, such as Google and Kayak.
  • Saving an account's passkey is similar to saving a password — when a user creates a passkey for its account, the 1Password browser extension will prompt the user to save the key in the manager.
  • After saving a passkey for the website, 1Password will then start to fill out the information for the user.
  • But ensuring my own devices were set up for passkeys took a fair bit of technical know-how. I struggled to set up a passkey for a test Gmail account until I realized my MacOS system didn't have the "iCloud keychain" feature turned on.

Zoom out: 1Password's new tool comes as Google, Microsoft and Apple have started supporting passkeys on their own operating systems.

The intrigue: Passkeys are considered more secure than traditional passwords since it would require a hacker having access to both the public key stored with the business and the cryptographic key created by and stored on a user's device.

  • 1Password's extension will let users carry that cryptographic key between devices.

Yes, but: Passkeys are far away from universal adoption.

  • Only a handful of websites support logging in with facial recognition and biometrics, let alone have the ability to store accounts' encrypted passkey information on their own servers.
  • 1Password suspects it can move out of beta testing once Android and iOS support for passkeys becomes universal, Steve Won, chief product officer at 1Password, told Axios.

What's next: Starting this summer, 1Password is aiming to roll out capabilities to let users replace all of their stored passwords with passkeys, Won said.

  • "What better way to show our commitment to passkeys than getting rid of the password in 1Password," he added.

Sign up for Axios’ cybersecurity newsletter Codebook here

Go deeper