1Password wants to ditch passwords without locking you in to one platform
When Apple and Google announced their passwordless login systems earlier this year, they glossed over one major problem: By relying on either company to eliminate passwords, you’re effectively locking yourself into their respective platforms.
Now 1Password is coming out with a different approach that lets you ditch passwords without pledging allegiance to any particular tech giant. The company’s passwordless system, which replaces traditional passwords with simpler and more secure “passkeys,” is launching early next year, and it’ll work across iOS, Android, Windows, Mac, Chrome OS, and Linux. 1Password users can check out a live demo.
1Password is also announcing that its chief experience officer, Matt Davey, has joined the board of the FIDO (Fast Identity Online) Alliance, the industry standards group that’s pushing passwordless logins in tandem with the tech giants. With a seat at the table, 1Password wants to make sure that security doesn’t just become another form of lock-in.
“This is our opportunity to be the cross-platform standard-bearer,” says Steve Won, 1Password’s chief product officer. “The platforms aren’t really going to solve this by themselves.”
1Password’s passwordless plan
In 1Password’s new demo, logging into websites without a password is as simple as entering an email and clicking a button. Instead of making users fill out a password, 1Password’s browser extension generates a hidden “passkey,” which in turn pairs with a separate key stored by the website. This unique pairing proves the user’s identity without transmitting the passkey itself.
Compared to traditional passwords, this system is both simpler and more secure. The user doesn’t have to worry about generating unique passwords, and the website doesn’t have to store passwords and risk losing them in a security breach.
While both Apple and Google have now built similar systems directly into iOS and Android, respectively, 1Password’s alternative doesn’t give up the trappings of a traditional password manager. Users can still share logins with family members or coworkers, organize logins using tags, and—most importantly—access their accounts from any device that 1Password supports.
By contrast, Apple’s and Google’s systems are largely tied to their respective platforms. While you can easily sync passkeys between an iPhone and a Mac, for instance, you can access those same accounts on a Windows PC only by scanning QR codes one at a time.
That’s a bad experience for users, Won argues, and it risks turning people off passwordless systems entirely.
“I don’t want to miss this window,” he says. “I think we have this golden window to kill the password, and I think if the first experiences that people have are bad—you know how hard it is to get people to adopt new security products.”
Andrew Shikiar, the FIDO Alliance’s executive director, says the group’s intention has never been to lock users in, but it aligned itself closely with tech giants at the outset to help get the passwordless concept off the ground.
“It makes sense to start with the people that are creating operating systems and devices that are sitting in people’s hands,” he says. “There’s a huge dependence on these operating systems allowing for this secure syncing of the FIDO private key.”
Exporting passkeys elsewhere
It’s early days, but 1Password is also investigating ways to export passkeys to other password managers. Mitchell Cohen, a product lead at 1Password, noted during a demo that it would be technically possible for users to download their passkeys to a spreadsheet, then upload them into another password manager. That’s already how it works today if you want to move from one password manager to another.
Whether this approach will actually materialize with passkeys is less clear. Won mentioned that we may see some kind of secure framework for moving passkeys around instead, but either way the company’s intent isn’t to use passkeys as a lock-in mechanism.
“People need to be in control of their keys,” Won says. “That’s what we believe. We’re not trying to create a walled garden around our customers.”
Passwordless problems
Still, 1Password’s promise of interoperability will also come with a trade-off: Its system just won’t work as seamlessly as those built into iOS and Android.
Apple, for instance, offers a one-tap “Sign in with Apple” mechanism on iOS that generates a passkey seamlessly in supported apps. No such mechanism exists for third-party password managers. Even with traditional passwords, signing into a new app requires opening the password manager, creating a new login, then proceeding through the app’s standard sign-up flow. It’s a clunkier process that will surely funnel more users toward Apple’s locked-down system.
This helps explain why 1Password joined the FIDO Alliance earlier this year and now has representation on its board. By having more influence, the company hopes to put third-party password managers on more equal footing.
“As Apple was announcing passkeys, and as we were looking through the developer documents and seeing that, frankly, the initial implementation was closed, we saw an opportunity where we can actually help Apple, help Microsoft, help Android with passkey options by making it easy for folks to interoperate,” Won says.
The company also has a trump card, of sorts, in its recent acquisition of Passage, which helps apps and websites develop their own support for passwordless systems. That acquisition makes 1Password directly responsible for getting passwordless adoption off the ground.
“You really need websites to have an easy way to add this,” says Anna Pobletts, Passage’s cofounder, who is now the head of passwordless at 1Password. “Otherwise, it’s going to take years.”
What all this ultimately means is a bit murky. One potential scenario is that 1Password finds a way to work itself directly into the sign-up flow on apps and websites via the tools that Passage offers. As a major driver of passkey support among apps and websites, it could also use its influence to push for more interoperability at the platform level so that users can more easily choose 1Password instead of Apple or Google.
“I feel like we have long-term commitment from the platforms to make that possible, but we’ve got to make our own future,” Won says.
Shikiar reiterates that while the FIDO Alliance is intent on giving users control over their passkeys, it’s wary of doing so in a way that would jeopardize security.
“It will happen,” he says. “It just takes some time and deliberation and trial and error to get to the point where we have the fully pluggable, interoperable passkey ecosystem that we all desire.”
(23)