1Password is looking to a password-free future. Here’s why

A user typing a password. Image: Song_about_summer/Adobe Stock

1Password Chief Product Officer Steve Won says credential theft is ubiquitous and getting worse. LastPass can vouch for that; in a dark irony, in December 2022 a threat actor used the stolen credentials of a LastPass DevOps engineer to reach cloud storage holding backups of customer vaults, in which sensitive fields were encrypted but metadata such as website URLs was not.


Won sees this trend continuing, noting that IBM’s 2022 report on the cost of data breaches pointed to compromised credentials as the leading attack vector. The report also found that stolen credentials accounted for 19% of breaches, costing organizations on average $4.5 million, or $150,000 more than the average cost per company of a data breach.

Headshot of 1Password Chief Product Officer Steve Won.

TechRepublic interviewed Won about credential vulnerabilities, encrypted keys, vaults, and where it’s all heading (this transcript has been edited for brevity).

The 1-2-3 rule to avoid credential theft


Karl Greenberg: How significant a threat is credential theft today?

Steve Won: Frankly, phishing for credentials is the easiest vector of attack. Especially in the past 12 to 18 months, replaying MFA (multi-factor authentication) attacks and OTP (one-time password) codes from banks has become easier and easier for attackers.


Karl Greenberg: How do password managers protect against this, or what happened to LastPass?

Steve Won: At 1Password, we have a zero-knowledge system, processing as much locally at the client as possible, not storing information in an unencrypted state anywhere. The client, locally on your device, is doing decryption. On top of that, we have a secret key model where, in addition to a password, or a biometric, you get a machine-generated unique code at the time of enrollment of which we have zero knowledge.


SEE: Unphishable mobile MFA through hardware keys (TechRepublic)


Karl Greenberg: So the key aspect of security is zero knowledge on the part of the password manager?

Steve Won: The combination of zero knowledge and making sure we are only seeing encrypted information on our side and a generated secret key creates defensive depth. If we are targeted, your information is secure. With the principal document we share with subscribers at enrollment, we recommend a 1-2-3 rule with backup: locally, cloud and [a] physical separate device, so the same for backing up a secret key.

Reducing threat through less memorization, zero knowledge


Karl Greenberg: Even with attacks using technology such as keyloggers to steal keystrokes, is security fundamentally a social engineering problem, not a technical one, in most cases?

Steve Won: Well, let me say this: A lot of security policies can learn a lot from public health. And what is the most effective thing to do in the context of public health? Good hygiene and washing hands, not some esoteric healthcare regimen. It’s the basics.

In security, if you think about the origins of virus scares in the early days of Windows 95, the assumption was that attacks were highly sophisticated; but in reality, it’s usually just stolen credentials. People are guessing passwords, and theft is easier if people are reusing passwords across a corpus of services, for example. That’s actually the most common vector of attack.


Karl Greenberg: Ideally, the password manager raises the floor of security without having to rely solely on behavioral changes, right?

Steve Won: My career has sort of been predicated on how we raise the floor of security practices. The password manager is about getting those basics right: allowing machines to generate your passwords so they are guaranteed to be unique; you as a user having zero knowledge of those passwords and making sure that you’re securing all those credentials at the same time in a way that’s available across the devices you’re using. That means you’re not having to manually type those passwords or commit them to memory, which reduces the threat vector significantly.

“Not easy” is not a solution for credentials


Karl Greenberg: On social engineering, what prevents adoption of security measures by individuals, who are, by and large, still not terribly good at protecting themselves?

Steve Won: Security is only going to be adopted if it’s meaningfully easier than what came before it. My favorite example is Touch ID for phones. Before Touch ID, there were PINs (personal identification numbers), but fewer than a third used them. That changed to 85% once biometrics became available.


Karl Greenberg: It would be nice to make security easier for most people, but more than one person has suggested that with evolving threats, passwords will have to keep getting longer.

Steve Won: I’m not sure I agree. The data has shown there’s no tremendous benefit in requiring people to change passwords all the time. It’s to the point where I believe even NIST (National Institute of Standards and Technology) is evolving its recommendation on that front.


SEE: Improper use of password managers leaves people vulnerable to identity theft (TechRepublic)


Karl Greenberg: But, in essence, as threat actors find faster ways to cycle passwords for brute force attacks, aren’t long, confusing passwords pretty mandatory?

Steve Won: First, password managers are the best way to manage passwords: the system generates it, and having that on all devices means it’s broadly accessible. Second, this isn’t a zero sum game. The end game is not to make passwords harder and harder to use, it’s to eliminate them altogether. Outright.

Not-so-long game: eliminating passwords completely


Karl Greenberg: What are some credential options to passwords, and when will that happen?

Steve Won: The concept of shared secrets goes back to Roman centurions with challenge tokens, allowing them to prove they were Roman soldiers.

To a certain extent, as we move to a web-first world, this idea of a shared secret is actually becoming outdated. I’ve spent my career working with the FIDO Alliance. Initially, the focus was USB security keys, then web authentication, and now passkeys, a unique token, based on principles of public-key cryptography. A key match with public keys allows you to authenticate.


Karl Greenberg: From a user experience standpoint, how does this simplify verification?

Steve Won: This is how biometrics worked, and therefore how we were able to get folks to adopt using screen lock on their devices. That credential is not transportable, so it eliminates the phishing vector: you cannot steal that token and use it; I can’t steal your tokens and pretend to be you. That allows us to eliminate the most convenient way for attackers to go after you.

A key period for passkeys


Karl Greenberg: What is the timeline that you perceive for moving to passkeys and away from passwords?

Steve Won: We have been slowly building toward this no-password future and I think we are in a key 18-month window right now.

Apple recently announced and implemented passkey support with Ventura and iOS 16 and Safari 16. Google very soon in its next [version of] Android will support passkeys. Microsoft is in the process of making passkeys available across Edge and Windows ecosystems, as well as platforms adopting it.


Karl Greenberg: How have you been addressing these movements by the software giants?

Steve Won: Well, it’s the reason we made an acquisition last fall (Figure B) of a company called Passage (a developer-first passwordless authentication company), whose goal is to make it easier for people to implement passwordless credentials within their schemas. The challenge of using credentials across different OS ecosystems will continue to exist; how do I make sure it’s bound to my identity beyond just the devices that I use?


Figure B

Passage’s November 3, 2022 announcement of the 1Password deal. Image: Passage.


Karl Greenberg: Right, and if that doesn’t happen, people won’t use it, which I’d say is true from personal experience. What is the challenge from the user side to wide adoption of passkeys?

Steve Won: I’m worried about the user experience being uneven for passkeys. Imagine an experience where someone is an adopter of passkeys, a Mac user, say, and they go to a Windows gaming PC, and Microsoft doesn’t support it. That would be an awful experience, so that’s where we have a key part to play in helping people navigate that transition. Also, ironically, the fact that passkeys create less friction than passwords, or MFA, may be itself a problem: FIDO has done research showing that because it’s easier, people don’t think it’s secure.


Karl Greenberg: Could there be risks to the first mover in this space?

Steve Won: First impressions are everything in security. Two years before the iPhone, there was the Matrix phone with a fingerprint sensor, and not a good one. Within a week, someone hacked it with a printout of a fingerprint. Imagine if the iPhone had had the same problem: how much irreparable damage would that have done to trust in biometrics? So, no, we can’t have that with passkeys.

A developer-first roadmap to credentials revolution


Karl Greenberg: So the long game is elimination of passwords entirely. How long would that take? Is that a near-term possibility?

Steve Won: That’s the goal, but realistically I think it’s going to be a journey that takes two decades. I’d love to see email passwords go away in five years, but that’s more than half the email users on the globe. Imagine that vector of attack disappearing, and how much easier it’s going to make life.


SEE: New cybersecurity data reveals persistent social engineering vulnerabilities (TechRepublic)


Karl Greenberg: What is your plan for the year to evolve the credentials space?

Steve Won: We have a pretty ambitious road map. Late last year with the Passage acquisition we announced an open service called Passkeys.Directory, which is a catalog of sites that are early adopters of passkeys, like PayPal for example. Last week, we announced we will enable passkeys and biometrics to unlock accounts instead of passwords, eliminating the risk of your vault credential being stolen.

We are also excited to get developers involved, so we will open-source a Rust crate for passkeys. And at the RSA conference in April, we will be announcing the Passage authentication service to allow folks to outsource the problem of authentication of passkeys to us. We need the entire ecosystem to migrate to passkeys. We welcome the broader corpus of the internet shift to passkeys.


Read next: 8 best enterprise password managers of 2022 (TechRepublic)
