Cristian Garcia

Digital Business Strategy

where data and creativity collide

Product Management Series: 1Password

I have decided to invest time analysing products I can ́t live without. I think it is a great exercise to understand trends, solutions and execution of products that are changing the way we work.

This series will be analysing exclusively products I use several times per day.

The first post, will be dedicated to 1Password, my go-to product for online security.

This “first season” will also analyse:

Why am I doing this? Because I love product management and solutions that really address pain-points we were (perhaps) not aware of.

1Password


Dave Teare and Roustem Karimov started playing with the idea of a solution to the growing problem of storing many passwords across many services back in 2005. What was originally a 3 month project became the cash cow for Agile Bits, the mother company behind 1Password. Today, 1Password works across platforms (Mac, iOS, Windows, Android, Chrome, Opera, Edge, Firefox, and Safari) and is leading one of the most interesting industries, all the way from Canada.

What is it and how does it work?

1Password is a password manager developed by AgileBits Inc. It provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault that is locked with a PBKDF2-guarded master password.

  • Works across platforms: with an intuitive and clean interface, 1Password works on smartwatches, laptops, tablets and phones alike

  • Strong capabilities and features: From a watch tower feature that analyses weak or reused passwords to a smooth integration to Apple spotlight or an included OTP option that comes in handy many times.

  • Different solutions depending on the user: For users, businesses and families

1Password security starts with AES-256 bit encryption and uses multiple techniques to protect your data at rest and in transit. It has one Master password which is your key to all of your documents, a secure remote password that verifies the authenticity of the remote server before sending your information over TLS/SSL and a secret key, which authenticate you with our servers and also plays a direct role in encrypting your data.

1Password is built on open source software:

  • Elastic: a search company that builds self-managed and SaaS offerings for search, logging, security, and analytics use cases

  • React: React is a JavaScript library for building user interfaces.

  • Datadog: Datadog is a monitoring service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform

  • nVisium: nVisium focuses on integrating security into the software development process

  • AWS: Amazon's cloud solution

  • Pagerduty: PagerDuty is a cloud computing company that produces a SaaS incident response platform for IT departments.

  • Typescrypt: TypeScript provides highly productive development tools for JavaScript IDEs and practices, like static checking.

  • Webcrypto: The secret sauce behind the password generator, WebCrypto provides direct access to the system’s secure random number generator, making truly secure cryptography possible in the browser for the first time.

  • OKTA: It provides cloud software that helps companies manage and secure user authentication into modern applications, and for developers to build identity controls into applications, website web services and into devices

  • CloudNative: Cloud-native technologies are used to develop applications built with services packaged in containers, deployed as microservices and managed on elastic infrastructure through agile DevOps processes and continuous delivery workflows.

You can read more on 1Password philosophy in this amazing post by Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password

1Password MacOS

1Password MacOS

The market

Back in 2016, this market was worth almost $417 MM and what was mostly a personal user software industry, started to spread out to small and medium size companies, opening a new and lucrative revenue stream. Self-service password management emerged as the largest service segment in 2016, and the market only keeps growing and amongst different users, mobile was one of the most lucrative to be.

With increasing compliance, regulatory, and risk management environment, companies needed a solution that was fairly even fairly new amongst individuals.

Password managers help companies managing, synchronising and monitoring passwords across their workforce, storing them in an encrypted environment and adding another layer to protect against data leaks/thefts. At the same time, users like me use Password managers to sync all of our accounts with encrypted long passwords generated and stored automatically by the solution of our choice.

As more people get online and all time users mature, our lives become digitised on services like Google and Amazon and we all know the hazards we can go through if one of our passwords gets in the wrong hands [this particular story stayed with me for weeks after reading it]. Not only that, almost 3 years ago, almost $3B passwords and online credentials were stolen; the consequences to those things could amount to $6T next year

This is why industries of all sorts are jumping into the password management software: BFSI, healthcare or public services are “early adopters” that pay extra attention to their data transactions and access security.

Product

1Pasword is one of the strongest players in the password management industry. It works in a very smooth way across platforms [browser, app, mobile, tablet] and currently has solutions to individuals and business.

Individuals: This is the one option I'm paying attention to, the one I use daily and the one that made me fall in love with this specific product.

I use the paid option [individual annual plan $35.88] and I have 1Password installed as an app on my Macbook air, my iPhone XR, iMac and as an add-on  in Safari and Chrome.

As of now, my configuration is pretty straightforward:

  • 8 vaults

  • No reused passwords

  • Most of my passwords have 2FA 

  • I stored here only passwords and membership cards, such as a Starbucks membership card and 12 different tags.


Businesses: somehow, a new turf for 1Password and I think the challenge here it has been to prove 1Password is more than a “pretty face”. This is why the team has been putting a lot of effort to build credibility within their buying tower (ex head of security, IT department etc) and successfully, ever since it launched has earned praise for its always expanding set of features and solid security features.

What is the JTBD?

Why do you need a password manager at all? Dave Rothschild lists a few ideas I agree with

  • I have 50+ sites/apps to access with username and passwords.

  • I can’t keep unique ones in my head for all of these.

  • I can easily keep 3 to 5 unique passwords in my head so that is safer since nothing is written down. I’ll use these at all the sites and apps.

  • My 3 to 5 are unique. No one could guess them [a justification that goes against the data]

  • From time to time I’ll change a password at a site say from password 3 to password 4. That should keep me safe for now.

  • Most of these don’t have much of my personal data so if I’m hacked, there is a good chance they will not get something valuable.

  • I’ll use my “hard” password at important money sites (Amazon, Apple, PayPal, Bank, credit card, etc).

  • The odds of a hacker picking me out of the huge numbers of people are low.

Then, the JTBD is to find a solution that will sort out my “visiting websites and apps that require personalised, authenticated access” challenge

Platforms

As I’ve mentioned previously, 1Password works in Mac, iOS, Windows, Android, Chrome, Opera, Edge, Firefox, and Safari.

I will be analysing their Mac, iOS, Chrome and Safari ones.

The latest version for the product is 1Pasword 7.

Overall, the product has some amazing features such as Watchtower (a system that monitor password health and threads) and some things I do not like, such as needing the master password and secret key when I log in from a different computer (SO much power to only one password)


Mac

[Download here]

What I love 

  • UX. Simple and intuitive to use. Once you get on board, you feel end to end ownership of your passwords

  • Notification for “to expire”, “compromised” and “vulnerable” passwords as phone or laptop notifications

  • 1Password mini: Because of this, I barely open the actual app.

  • “Pin to screen”, generate password or “open and fill” are amazing options

  • The detailed and comprehensive options I get each time I create a password: from tags to notes, linking documents and adding files [like a scanned card]

  • Spotlight integration

Chrome

[Download here]

What I love 

  • When I go to a specific page where my password is required, the add-on knows where I am and therefore suggests the username and password for that specific page

  • Cut down to 2 Chrome Store extensions: X could be the one instead of 1Password extension and the beta for the risk takers

  • Drag and drop + creating custom passwords and logins

  • The default keyboard command for opening the app on a specific page 

Ideas

  • Type my query and get an answer within the extension, I don't want to leave the add-on

iOS

[Download here]

What I love 

Ideas

  • Face ID and accessibility overall: from favourites to tags and categories.

Alternatives

Since the industry is in a growth stage, there are many strong companies out there offering similar solutions. I have to be upfront and let you know I have not use none of them since my infatuation with 1Password started on day 1, but I will give it a go.

  • Lastpass: Created in 2008, is one of the strongest players. The company did an IPO and is currently listed on the Nasdaq stock exchange [NASDAQ:LOGM]. The US company has a similar suite of solutions, but one of the big differences is related to the way to log in: 1Password uses a master password whereas Lastpass has a 2FA login which should increase security. After reading a few reviews online, I’ve seen a trend to choose Lastpass over 1Password on the UX department.

  • Dashlane: The US company was founded in 2012 and ever since, has climbed the password manager ladder to gain recognition, earn solid funding and many awards [Google Play best apps and/or Apple Editor’s choice]. Dashlane has gain traction mostly because of the ease of use it provides. Couple of things I liked about them? Darkweb monitoring and VPN included for safe navigation online.

  • Okta: I really like Okta since is the chosen product for the company I work with. It creates a “workforce identity” with a SSO (single sing-on) that is REALLY useful. Okta is a leader in the Forrester Identity-As-A-Service (IDaaS) quadrant.

Revenue and size 3 main companies

Main competitors

Life cycle

From what I’ve seen and after 10 years (on average) the industry is in growth phase, the players are consolidating and there’s still not market saturation, specially now when companies are moving full throttle into the B2B sandbox.

There’s also seems to be a lot of scope into new technologies to include more layers of technologies such as biometrics or actual keys. How long will it take to move into being mature / cash cow? At least 5 years

Future

It is always difficult to predict what will happen but solutions like “face id” or bio-metrics add a completely different interaction to store sensitive information. Also, companies like Google or Yubico are coming up with actual blue tooth keys to have access to your online accounts.

The place where growth should come from looks like B2B (specially SME´s)

A few things that perhaps will come into play for 1Password or the industry overall could be what we now call Zero login which is based on things like behavioural characteristics: Barclays, my bank in the UK, has called me a couple of times when I withdraw money twice in a day. I never do that and the action triggered an immediate response from my bank to confirm I was the person getting the money.

This patterns and the Internet of Things will allow to track all of our movements and anticipate behaviours. A zero login future does not seem far and I look forward to see how it will actually happen.

Also, the Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords

Conclusions


Even though many articles have been published on "killing passwords as we know them", reality is a bit far from that.

1Password is one of the best solutions for individuals on the market now. It sure needs work when scaling to SME's and other features such as importing passwords stored somewhere else, but from its clean UX, features and robust protection, is by far one of the best solutions if you want to start protecting your identity online.

Part of the challenges for 1Password will be on how they will integrate with a growing IoT ecosystem, will they partner up with companies like Yubiko or will they come skip all together key authentication? Will they start implementing zero-password policies based on behaviour, will they add a VPN to add yet another layer of security?
As of now, they are leading -revenue wise- the B2C industry, but once they fully enter the big leagues, they will face monsters such as OKTA or Norton Security.

It will sure be interesting how the product evolves its interface as we add more and more hardware to our lives, from a tv to a game console or a medical device, 1Password will have to make a call on how to jump in into this new arena.

Interesting times ahead.

Cristian Garcia (cc) by-nc-sa | Made in 🇬🇧 |  2005 - 2019