SAN FRANCISCO -- It might seem odd for one of the largest password managers to embrace the burgeoning shift to passwordless authentication, but that's exactly what Jeff Shiner's company is doing.
Shiner, CEO of 1Password, and Anna Pobletts, head of passwordless, spoke with TechTarget Editorial during RSA Conference 2023 about the challenges of passwordless adoption.
Cybersecurity vendors and experts have long pushed MFA to reduce the risk of stolen credentials. But now the focus has shifted to passwordless authentication. Passkeys play a significant role in that transition, eliminating the need for the usernames and passwords attackers target to compromise enterprise environments.
New research by 1Password showed 75% of users are willing to adopt the technology. As the next step, 1Password developed a tool to save and manage all passkeys in its platform, which will be released in beta stages beginning in June. Shiner and Pobletts discussed the move to passwordless authentication, the threat of generative AI attacks, and the impact of the LastPass breaches on the market.
Editor's note: This interview was edited for clarity and length.
Can you walk through the evolution of passkeys?
Jeff Shiner: First there were passwords and usernames, then came Active Directory (AD), and AD was going to solve the world's problems. Then all of a sudden, companies had 50 ADs, so single sign-on [SSO] providers came along and did a couple things that were really smart. They said, 'Hey, we can be your AD, but we can also be a view overall of your ADs if you have multiple ones.' We had passwords, AD and SSO, and then came along the social SSO -- sign in with Google, Facebook. That was, again, going to solve the problem. Then there were weird things like one-time passwords and weird magic links where they would send a six-digit code to your email. We've always been searching for a solution. The challenge is, we need one that is usable and secure. That's what passkeys offer.
Anna Pobletts: Passkeys in their current form were just announced a year ago. There have been a lot of big companies that have deployed passkeys in that time, like Shopify, eBay, Best Buy and Kayak.
How can passkeys protect against ransomware and phishing attacks?
Shiner: The wonderful thing about passkeys is, if you have no password, there is nothing for threat actors to phish. You take away that entire target. I think we can try and fight phishing from a standpoint where we defend against it. But I think what we really must do is make it so there's no target to go after. We read the Verizon DBIR [Data Breach Investigations Report], which said 82% of breaches have a human element. We don't do nearly enough on the human side. Let's be honest, we suck at security, but we want it to be easy.
Pobletts: There are problems where a website can be breached and they're storing all your password hashes. But I think the core of it is at the human level. We're making security hard for you in the world of passwords. It's on you to think of passwords and not reuse them. With passkeys, that's not the case. There's no room for me, as a human, to mess anything up.
The way we currently protect against phishing is more awareness and more training. But with AI coming out, phishing scams are getting more complex, and it's easy to trick people.
What are the challenges of transitioning to passkeys? Is passwordless authentication attainable?
Shiner: It's always a worry that if it's too easy, then people won't believe it's secure. It was interesting to see that 75% of people are willing to use passkeys, but reaching passwordless adoption will take a number of years. We're still going to be in a hybrid environment for years to come, but it's got a legitimate shot. And not just a shot -- I think it's going to happen given the support of the platforms and companies like ours that are on board. The platforms will be the bullhorn. If Gmail and YouTube come along and say your account is passwordless, you're going to grab billions of users quickly.
Are you concerned your platform could be vulnerable to generative AI attacks?
Shiner: We hold encrypted blobs of data, so there's no data there that's of value, even to ourselves. We have no ability to decrypt that data. It makes us less of a target. What happens if six months from now, there's a Zoom call and it looks like me, sounds like me? It would be so easy to fool people. We must remove the reward at the end.
Shiner: I think passwordless can remove the need for MFA. In today's world, MFA is very important. But my worry is that people have become too blasé. If you look at cookie consent forms, the first few times a couple years ago, you'd look and say, 'What cookies do I want?' Now, you just click OK. We must be careful that it doesn't become blasé, where I get sent a six-digit code and I follow the link. There are a number of those where I think we can avoid those attack vectors which are, by and large, human attack vectors. There's nothing wrong with the technology. As humans, we're going to be lazy at times, and passkeys help.
The LastPass breach occurred only a few months ago. Has it changed anything in the industry? What makes 1Password stand out from other password managers?
Shiner: I'll put it this way: We had a record quarter. The Secret Key feature, which generates a 128-bit code, is what I call a meaningful difference. In 2014, when we were building a software-as-a-service app, I wanted to accomplish two things. First, if our data was ever taken, we could tell our customers, 'Your data is still protected.' Second, make that as public as possible, so we don't become a target. The fact that we were a consumer application in the beginning was also important. The more we can make it simple for the end user, the more it will be adopted.
How did the rapid move to hybrid work with interconnected personal and work devices affect authentication needs?
Shiner: That's an interesting change over the past couple of years for 1Password. Ten to 15 years ago, I like to say software was sold on golf courses. You'd have a salesperson, and they'd bring it in and consultants would implement it. Therefore, the IT department knew about it. Now software is all brought in from humans on the edge, and the poor IT department is struggling to keep up. Things like shadow IT have become an issue. To your point, work and personal have mixed, and that adds a whole other risk to the business. But what is the commonality in that? The human. If we can protect the human, we can protect the business.
Arielle Waldman is a Boston-based reporter covering enterprise security news.