1Password Chief Product Officer Steve Won tells all about the password manager’s move to passkeys, abolishing passwords in our lifetime, and the importance of making a good first impression for all.
Imagine a future where passwords are no longer the norm. Forget trying to whip up a jumble of letters, numbers, and symbols for every online account you use, only to forget it inevitably; all you need is your face, fingerprint, or simple PIN to secure your account.
Well, that future is virtually already here, and 1Password is among the first to lead the charge. With its Passkey Unlock feature now available to new users, passkeys are taking the legwork out of creating new passwords or trying to remember a complicated phrase.
Not only is this passwordless verification easy to use, but it also keeps phishing attacks at bay and is a lot harder to crack than usual passwords. In fact, it provides even more protection than 1Password’s Secret Key – a unique code only users can access.
Hold on. Doesn’t abolishing passwords go against everything a password company stands for? Quite the opposite: “Our goal hasn’t been secure passwords. Our number one job is ‘how do we make security easy,'” says 1Password CPO Steve Won.
Won has been a user of 1Password since 2008, going on to become the Chief Product Officer of the password manager company. Needless to say, he’s a whizz at keeping accounts secure, and he believes passkeys are “the next chapter in authentication on the web.”
With 1Password’s Passkey Unlock set to be available to all this summer, Won talks to us about the true value of passkeys and when passwords may no longer be a thing.
Saying goodbye to passwords
There’s no doubt that passwords have been a tremendous aid in fighting against security breaches of all kinds, but, put simply, things change. As our need for ease on all things tech grows, passwords become quite the opposite. Won elaborates:
“Passwords are insanely hard! I always joke about the fact that, when I first started using 1Password, I had six items in there. Over the holidays, I had a bunch of Raspberry Pis I was setting up; now, I have over 1,600 items. I feel like that’s indicative of how we experience existing in our digital lives nowadays.”
Won brings up an interview in WSJ with journalist Joanna Stern about how a criminal breaks into iPhones and how the first thing he does is open the Notes app, as that’s where people put their passwords. That’s how easy it is for threat actors to get your keys to the kingdom.
“Password managers have existed for more than 20 years, but at a certain point, a majority of folks aren’t necessarily going to adopt a password manager,” Won states. “However, passkeys are this rare opportunity where security is there by default. You get to do a thing that you already do 60 times a day, which is unlocking your phone with your face or fingerprint.
“With passwords, multi-factor authentication, and those SMS messages that you get, we’ve added friction to make it harder for people, and we’re doing a worse job as an industry, as people are getting hacked more often.”
Unfortunately, cybercrimes, such as phishing and malware attacks, aren’t getting any better. As 1Password reports, 67% of respondents surveyed received phishing attack messages in the past year, while 100% either received phishing messages or know someone who did. With an estimated 3.4 billion phishing emails being sent on a daily basis, that’s hardly a surprise.
“So we saw passkeys as this really unique opportunity. It’s an easier experience, which is going to make it easier for folks to adopt by default and be more comfortable with, and it takes away anything to steal. We saw this, and we were like, man, as the premiere password manager, how controversial and daring would it be for us to be the best experience for multi-platform users of passkeys?”
As Won previously states, 1Password isn’t necessarily about passwords; it’s about keeping users secure. Clearly, though, it says a lot about passkeys if this password manager is willing to go from “1Password” to “0Password.” That said, genuinely waving goodbye to passwords is still a while away.
“I’m not naive enough to think that passwords are going to disappear magically in like two to three years. We’re going to have passwords for about 20 years, but if a majority of what you and I and our partners experience on the web is mostly through passkeys, then that will be a huge win.”
When 1Password first started back in 2006, security was all about passwords. Since then, there’s been multi-factor authentication, social logins for social media, PINs, etc. Like anything else in the tech industry, security evolves, and passkeys are the next step in that chapter.
“There’s going to be fewer phishing attacks because there’s nothing to steal, and there’s going to be fewer breach notices,” Won says. “Even if half of what exists on the web uses passkeys, like your bank account, credit card, and your Gmail, that alone would reduce your surface area of attacks significantly, which is all we’re trying to do in the security industry.”
He continues: “We want to make sure people have the best first impression of passkeys because if people have a bad first experience with it, we’re not going to get over that press for adoption.”
As a push to support a passwordless future created by the FIDO Alliance (Fast IDentity Online, something Won is part of) and the World Wide Web Consortium, Google, Apple, and Microsoft are implementing this form of security onto their platforms as a secure alternative to passwords. But they aren’t the only ones making this bet.
“You can probably name the top 50 apps people use, like TikTok, Gmail, Amazon, Microsoft Outlook and more. They all had passkey support over the last 12 or 15 months.”
So, how are these first impressions? Since 1Password’s Passkey Unlock public beta, it has surpassed 700,000 passkeys created, over 334,000 users trying out passkeys, and over 100 signups, meaning more than 100 registered websites, apps, and services offer passkey support. That includes Amazon and WhatsApp rolling out passkey support in October 2023.
That’s a significantly better place compared to a few years ago, as tech wasn’t ready for passkeys to be adopted smoothly.
Passing the keys forward
As Won explains, passkeys wouldn’t have happened without two significant factors. The two biggest predicates to allow passkeys to happen are TPMs (trust platform modules), with Skylake being one of the first being baked into Intel motherboards, and biometric authentication, with Apple introducing Touch ID in the iPhone 5S. And yes, that came out over a decade ago, in 2013.
“You literally can’t buy a laptop without a fingerprint or a face sensor. That combination of TPM and biometrics, those two things allows passkeys to work. If those two things didn’t exist, we wouldn’t have a secure way to store a secret that we know is tamper-proof and was bound to that device. If biometrics didn’t exist, we would ironically be in a situation where everybody has to create yet another password.”
Won goes on to explain that software and hardware trends run the ecosystem to make a better experience. In a way, passkeys were inevitable, as the devices we see today (especially at CES) are lining themselves up to be the perfect companions for the passwordless form of security.
“The precursor to passkeys was WebAuthn, which we rolled out in 2016, and we had some cool demos,” Won continues. “I remember doing a demo with Intel, showing how it worked. The question was, ‘yeah, but how many devices is this going to work on?’ I’d say the answer was probably around 5%. But now, we can say that 100% of devices sold in the last three years use passkeys.”
“People are going to come for the experience, not necessarily for the security, because it’s going to be much more damn convenient.”
Prepare to embrace passkeys, as they may already be knocking at your door. For more about how you can make a 1Password account using a passkey and the best password managers on the market, we’ve got you covered.