1Password Chief Product Officer Steve Won says credential theft is ubiquitous and getting worse. LastPass can vouch for that; in a dark irony, in December 2022 a threat actor stole the credentials of a LastPass DevOps engineer, granting them access to an unencrypted vault.
Won sees this trend continuing, noting that IBM’s 2022 report on the cost of data breaches pointed to compromised credentials as the leading attack vector. The report also found that stolen credentials accounted for 19% of breaches, costing organizations on average $4.5 million, or $150,000 more than the average cost per company of a data breach.
TechRepublic interviewed Won about credential vulnerabilities, encrypted keys, vaults, and where it’s all heading (this transcript has been edited for brevity).
The 1-2-3 rule to avoid credential theft
Karl Greenberg: How significant a threat is credential theft today?
Steve Won: Frankly, phishing for credentials is the easiest vector of attack. Especially in the past 12 to 18 months, replaying MFA (multi-factor authentication) attacks and OTP (one-time password) codes from banks has become easier and easier for attackers.
Karl Greenberg: How do password managers protect against this, or what happened to LastPass?
Steve Won: At 1Password, we have a zero-knowledge system, processing as much locally at the client as possible, not storing information in an unencrypted state anywhere. The client, locally on your device, is doing decryption. On top of that, we have a secret key model where, in addition to a password, or a biometric, you get a machine-generated unique code at the time of enrollment of which we have zero knowledge.
Karl Greenberg: So the key aspect of security is zero knowledge on the part of the password manager?
Steve Won: The combination of zero knowledge and making sure we are only seeing encrypted information on our side and a generated secret key creates defensive depth. If we are targeted, your information is secure. With the principal document we share with subscribers at enrollment, we recommend a 1-2-3 rule with backup: locally, cloud and [a] physical separate device, so the same for backing up a secret key.
Reducing threat through less memorization, zero knowledge
Karl Greenberg: Even with attacks using technology such as keyloggers to steal keystrokes, is security fundamentally a social engineering problem, not a technical one, in most cases?
Steve Won: Well, let me say this: A lot of security policies can learn a lot from public health. And what is the most effective thing to do in the context of public health? Good hygiene and washing hands, not some esoteric healthcare regimen. It’s the basics.
In security, if you think about the origins of virus scares in the early days of Windows 95, the assumption was that attacks were highly sophisticated; but in reality, it’s usually just stolen credentials. People are guessing passwords, and theft is easier if people are reusing passwords across a corpus of services, for example. That’s actually the most common vector of attack.
Karl Greenberg: Ideally, the password manager raises the floor of security without having to rely solely on behavioral changes, right?
Steve Won: My career has sort of been predicated on how we raise the floor of security practices. The password manager is about getting those basics right: allowing machines to generate your passwords so they are guaranteed to be unique; you as a user having zero knowledge of those passwords and making sure that you’re securing all those credentials at the same time in a way that’s available across the devices you’re using. That means you’re not having to manually type those passwords or commit them to memory, which reduces the threat vector significantly.
“Not easy” is not a solution for credentials
Karl Greenberg: On social engineering, what prevents adoption of security measures by individuals, who are, by and large, still not terribly good at protecting themselves?
Steve Won: Security is only going to be adopted if it’s meaningfully easier than what came before it. My favorite example is touch ID for phones. Before touch ID, there were PINs (personal identification numbers), but fewer than a third used them. That changed to 85% once biometrics became available.
Karl Greenberg: It would be nice to make security easier for most people, but more than one person has suggested that with evolving threats, passwords will have to keep getting longer.
Steve Won: I’m not sure I agree. The data has shown there’s no tremendous benefit in requiring people to change passwords all the time. It’s to the point where I believe even NIST (National Institute of Standards and Technology) is evolving its recommendation on that front.
Karl Greenberg: But, in essence, as threat actors find faster ways to cycle passwords for brute force attacks, aren’t long, confusing passwords pretty mandatory?
Steve Won: First, password managers are the best way to manage passwords: the system generates it, and having that on all devices means it’s broadly accessible. Second, this isn’t a zero sum game. The end game is not to make passwords harder and harder to use, it’s to eliminate them altogether. Outright.
Not-so-long game: eliminating passwords completely
Karl Greenberg: What are some credential options to passwords, and when will that happen?
Steve Won: The concept of shared secrets goes back to Roman centurions with challenge tokens, allowing them to prove they were Roman soldiers.
To a certain extent, as we move to a web-first world, this idea of a shared secret is actually becoming outdated. I’ve spent my career working with the FIDO Alliance. Initially, the focus was USB security keys, then web authentication, and now passkeys, a unique token, based on principles of public-key cryptography. A key match with public keys allows you to authenticate.
Karl Greenberg: From a user experience standpoint, how does this simplify verification?
Steve Won: This is how biometrics worked, and therefore how we were able to get folks to adopt using screen lock on their devices. That credential is not transportable, so it eliminates the phishing vector – you cannot steal that token and use it; I can’t steal your tokens and pretend to be you. That allows us to eliminate the most convenient way for attackers to go after you.
A key period for passkeys
Karl Greenberg: What is the timeline that you perceive for moving to passkeys and away from passwords?
Steve Won: We have been slowly building toward this no-password future and I think we are in a key 18-month window right now. Apple recently announced and implemented passkey support with Ventura and iOS 16 and Safari 16. Google very soon in its next [version of] Android will support passkeys. Microsoft is in the process of making passkeys available across Edge and Windows ecosystems, as well as platforms adopting it.
Karl Greenberg: How have you been addressing these movements by the software giants?
Steve Won: Well, it’s the reason we made an acquisition last fall (Figure B) of a company called Passage (a developer-first passwordless authentication company), whose goal is to make it easier for people to implement passwordless credentials within their schemas. The challenge of using credentials across different OS ecosystems will continue to exist; how do I make sure it’s bound to my identity beyond just the devices that I use?
Karl Greenberg: Right, and if that doesn’t happen, people won’t use it, which I’d say is true from personal experience. What is the challenge from the user side to wide adoption of passkeys?
Steve Won: I’m worried about the user experience being uneven for passkeys. Imagine an experience where someone is an adopter of passkeys – a Mac user, say – and they go to a Windows gaming PC, and Microsoft doesn’t support it. That would be an awful experience, so that’s where we have a key part to play in helping people navigate that transition. Also, ironically, the fact that passkeys create less friction than passwords or MFA may itself be a problem – FIDO has done research showing that because it’s easier, people don’t think it’s secure.
Karl Greenberg: Could there be risks to the first mover in this space?
Steve Won: First impressions are everything in security. Two years before the iPhone, there was the Matrix phone with a fingerprint sensor, and not a good one. Within a week, someone hacked it with a printout of a fingerprint. Imagine if the iPhone had had the same problem – how much irreparable damage would that have done to trust in biometrics? So, no, we can’t have that with passkeys.
A developer-first roadmap to credentials revolution
Karl Greenberg: So the long game is elimination of passwords entirely. How long would that take? Is that a near-term possibility?
Steve Won: That’s the goal, but realistically I think it’s going to be a journey that takes two decades. I’d love to see email passwords go away in five years, but that’s more than half the email users on the globe. Imagine that vector of attack disappearing, and how much easier it’s going to make life.
Karl Greenberg: What is your plan for the year to evolve the credentials space?
Steve Won: We have a pretty ambitious road map. Late last year with the Passage acquisition we announced an open service called Passkeys.Directory, which is a catalog of sites that are early adopters of passkeys, like PayPal for example. Last week, we announced we will enable passkeys and biometrics to unlock accounts instead of passwords, eliminating the risk of your vault credential being stolen.
We are also excited to get developers involved, so we will open-source a Rust crate for passkeys, because we need the entire ecosystem to migrate there.