Business is booming for 1Password. The company just announced it has raised $620 million, at a valuation of $6.8 billion, from a roster of A-list celebrities and well-known venture capitalists.
But what does a password manager need with $620 million? Jeff Shiner, 1Password’s CEO, has some plans. He’s building the team fast — 1Password has tripled in size in the last two years, up to 500 employees, and plans to double again this year — while also expanding the vision of what a password manager can do. 1Password has long been a consumer-first product, but the biggest opportunity lies in bringing the company’s knowhow, its user experience, and its security chops into the business world. 1Password already has more than 100,000 business customers, and it plans to expand fast.
More broadly, Shiner said he wants to help companies and users alike rethink how security works. There’s really no other choice: Thanks to an increase in remote work, the overwhelming consumerization of business software, and a litany of new security problems around the industry, the days of “just log in to the VPN” are dying and not coming back. In its place, Shiner said he hopes 1Password can help usher in a better, and more secure, system.
Shiner joined the Source Code podcast to talk about 1Password’s new cash flow, its stance on everything from crypto wallets to Sign In With Google buttons, and how a password manager could take an increasingly central role in our online lives.
You can hear our full conversation on the latest episode of the Source Code podcast, or by clicking on the player above. Below are excerpts from our conversation, edited for length and clarity.
Subscribe to the show: Apple Podcasts | Spotify | Overcast | Pocket Casts
When I think of 1Password, it's … a password manager. And when 1Password started, that’s all it was. But my sense is the vision is much bigger than that now. How do you talk about it now?
I talk about it in terms of human-centric security. We're here to ease the tension between security and convenience, something that has just always been a challenge. Humans just aren't good at security. And so if we look at it from a business point of view, most of the security software is actually at the infrastructure layer. It's important, it does a good job, and it stays at the infrastructure layer. But then if you think of it in terms of, where do most data breaches originate? At the person. And so with 1Password, partially because of our consumer origins but even to this day, we're there to protect the person.
I like to say, “protect your business by securing the people who work there.”
Do you think people intellectually understand that that's the truth? That most of these things are not big, sophisticated, network-level hacks, most of it is like, “I got your password from a phishing scam or grabbing it from some big data breach because you use the same password for everything.” Like, I know that intellectually, but I don't know that I've internalized that that's actually how security works on the internet.
Very few people outside of the security world really think about it that way. They think that they're these big, huge hacks — and some of them are, nationstates or things like that, that come in and do this. But by far and away, most of the breaches happen from just password reuse.
We like to say people aren't hacking, they're just logging in. They're just logging in to somebody else's account with their credentials, right? Again, human beings were not meant to be good at security. It's just true. We're going to use fluffycat for our password, because it's convenient. And we can remember fluffycat. And then we'll use fluffycat1 and 2, and fluffycat3. And one of those accounts that we've got there, maybe it’s our cat-picture-sharing site, that may get hacked. And we don't really mind in the grand scheme of things. But if you're using the same credentials on accounts that do matter, that's where people are going to try credential-stuffing attacks or things like that.
And I think what we see in the news is we see a lot of the breaches, or we see a lot of the attacks, and we sit there and think of them as these deep technical intrusions. But the reality is they've gone onto the web, they've grabbed a million people's username and password, and they're just trying them. And some of them will work.
As you've gotten into things like virtual credit cards and the partnership with Fastmail to hide people’s emails, there's a version of 1Password that I can imagine thinking of itself as my identity layer to the internet, where I just put all my information in it, and then trust 1Password to dole it out in the right way. Is that too big a vision? Is that the wrong vision?
No, I don't think it's too big. But there's two sides to that vision. There's one side that says, anything that I want to keep available, yet private or secure, I want to put in 1Password. That’s credit cards, it's driver's licenses, it's passports, it's all of that information. And so I want to have it available. But at the same time, I want to keep it private.
Then there's the other side of identity, which is storing that information, but instead of sharing that information, actually having the thing that holds and stores it just validate that it's you. That's a bigger picture side, and it'll be interesting to see where the technology goes. We're trying to understand where we play, and what role we play.
Down that road lies things like crypto wallets and Web3 logins. Is that stuff on your radar right now?
Very much so. Again, trying to understand specifically our role: where we want to play, where we don't want to play. But it's all part of the same game, right? How do people maintain the privacy of the data that they have, and yet still be able to prove to the system or service that it is in fact them?
I talk to all these people who have been working on the internet since the early days, and they’re all like, “Yeah, if I could go back, the thing we got wrong was that there wasn't a central store of information and identity that you used to give to services.” And even if we're backing into that in some different kind of way, that just seems like a better way for the internet to exist. And whether it's in 1Password or elsewhere, that does feel like where we're headed.
I think the challenge will be, is it in one place? Or does it truly belong to the consumer? So if you think of it from one place, one service, one system that holds it all and then authenticates, that itself has some challenges, right? There's an awful lot of power there. If you look at it, and you say, as an individual, “I want to be able to truly maintain my own identity, and yet still prove to others that it’s in fact, me,” that's got to be the aim. The aim has got to be to leave the power in the hands of the individuals, but in a way that still allows them to identify themselves correctly.
In the last couple of years, ransomware attacks have become big news and nation-state cybersecurity is more covered than ever. And on the other hand, you have remote work, and everybody's thinking new stuff about security. Does it feel like the world is kind of starting to speak your language?
Yeah, for certain. What we are seeing are, I would call it three trends in particular over the last couple years that have really made the challenges around security tougher.
One is the one that you mentioned: work and home combining, or a hybrid workforce. Many years ago, people put things on-prem, and then it was behind firewalls, and then they would issue a device and you would use that device. Now, I'm sitting at home, and not only am I going to sit there and interchangeably use home devices and work devices, but in the middle of the day, I'm interchangeably doing home and work activities. That opens up a number of challenges, because if you can control everything, you can sit there and understand who's using what, but I'm not going to allow people to sit there and put things on my personal phone that’s tracking everything I’m doing.
Another security challenge has been — interestingly enough, it's not a security challenge inherently, but it introduces one — all of the cloud apps that have come about in particular the last couple years. In this new normal that we're seeing ourselves in, people are just gonna try this tool to make themselves productive. They don't know if it's going to work, they don't if it's not, but they're just gonna give it a try. And all of a sudden, from a business point of view, there's now company data sitting somewhere with someone, and it's completely outside of the view of the company.
We did some research, and one of the horrifying statistics that came back was 70% of developers still have access to systems at their previous company. It's a huge, huge number. And it’s not like they're trying, it's just, they sign up for all these different tools, and the companies just don't have visibility into that.
The third trend is an interesting one, and it's something that I'll be honest, I hadn't thought about until we did a little bit of research a few months ago: the stress and burnout. I think everybody's feeling stressed just from the last couple of years, and not being able to go out and just not really understanding what's happening all the time. Add to that any normal amount of work activity, now, you're going to be feeling overwhelmed. And what do people do when they feel overwhelmed? They take the easy route, and the easy route’s not usually the secure one. That's why you're using fluffycat for everything, or maybe not changing your passwords as you should.
When we talk about human-centric security, those are problems that people have. Those are problems that you need to solve by making it easy for a person to stay secure, as opposed to just throwing layers of infrastructure at it.
We're getting to this point where you can sign in with your crypto wallet, or you can sign in with Google, or you can sign with biometrics or any number of ways. That seems like it ought to threaten a password manager sort of existentially — that should be terrifying to you, you should be fighting for more passwords, not fewer passwords! But I don't get the sense that that's what's going on. What is your sense of how all of that is changing as we move away from typing numbers and letters into a text box?
I look at it twofold. One, signing in to things continues to get a little more complex. I was looking at the Epic Games sign-on page, and they have — it’s got to be at least eight choices. So I wonder how many people have like, seven different accounts for getting to what they did last time? So one of our purposes is to take a person and say, how can I quickly and securely get them to the task they're trying to accomplish? Nobody wakes up and says, “How do I authenticate?”
If we look at it today, this account might be with a username and password, this account might be through Google, this account might be through your corporate SSO, this account may be through WebAuthn, and that's getting more complicated for people, especially for people who aren't interested in the in the security side of things, they're just trying to take get the work done.
So we can make it simpler by just saying, hey, go to 1Password, choose the app you're trying to use, and we'll make it so you can quickly log in. Underneath the covers, we may have different flows, we may be pointing at different mechanisms and different services for authentication, but from an end-user point of view, two things can happen. One, it's easy for them, they can just get in. Two, it can actually help you adopt some of those neat technologies. Because from a human point of view, you don't have to change your workflow. It's go to 1Password, pick whatever tool you're trying to use, and start using it.
There’s something in our future vision pages we're calling Universal Sign-on. Maybe it was still badly named, because it's got the word “sign-on” in there. But from a human point of view, it's just, what am I trying to do right now? You're not trying to sign on, you're trying to use an app or a service. And so how can we get you to that task as quickly as we can?
So 1Password existed for, I think, 16 years, and 14 of them before ever raising any money. Walk me back in history a little bit: What was the thinking behind taking this bootstrapped company that's doing well and diving into the VC world headfirst?
It did feel like a dive! So yeah, we've been around for 16 years. The first 10 of those years was as a consumer app, and it was about 2014 to 2015, that I said, “OK, we're gonna go and create a business solution.” And so we created 1Password for Business. And then fast-forward three years from there, now we're in the middle of 2019 with tens of thousands of business users. But so much of us, as a company, was immature. We had a very small and comparatively immature sales team, we had no marketing, we had really no finance team, no HR, no talent team, none of that.
So we looked at it and we said, “OK, we're doing well, but there's a real opportunity we're missing. And if we want to grow into a great, long-lasting company, there's a number of these things we need to do.” And the reality is, I didn't know how to do that all on my own. I didn't know how to attract world-class talent into parts of the org that we didn't have before and things like that. So, we were looking for a partner, we were looking for somebody who could help and guide us.
Now, don't get me wrong, it was clearly an investment from Accel’s point of view — it was $200 million! But it did a few things: It gained us credibility because we're such a private company that nobody had a clue whether we were making money, losing money, had five customers or a million customers. And so going out with the series A at the time really did help. It helped us as well in terms of of giving us a bit of what Arun [Mathew] called “courage capital,” and I love that term.
So, from the beginning of 2020 to now, that's what I've called internally “growing and growing up.” It's going from 177 people to the 570 we've got now, and Jeannie is our CFO, and Julian is our go-to-market leader, and Pedro came in as our CTO, and he was the head of security and privacy at Facebook prior to that. So it was a number of really talented, world-class folks to lead the different parts of the org. And so now we're in that position to take the next big step forward into the vision and mission of human-centric security, which is really why we introduced the new partners, Iconiq and Tiger, and brought in quite a bit more courage capital.
$620 million is quite a bit of courage capital.
So we should be fairly courageous.
I look at it as three main things that I want to do with that, at the highest level. One is, continuing to invest in our team and double the size of our company, again, this year. Two is continuing to look at strategic acquisition. We made the acquisition last year with SecretHub for the secrets automation space. And then three, just have the courage capital to make the big bets that we need to enter new areas and really try and see how ambitiously we can hit those vision and mission goals.
Does it change the way that you think about the approach? Do you get bolder from here, because you're now a $6.8 billion company and people take you more seriously? Do you get more conservative, because now you have all this money? Is the clock ticking for an IPO?
I’ll answer the IPO part first: Our goal is to build a great company and get 1Password out to everyone, because everyone needs 1Password. And so there's many different paths for that. We really haven't picked one, and we really aren't going to worry about picking one.
In terms of, do we get bolder or do we get tamer? To me it is to get bolder. To me, it is to sit there and say, how can we continue to build partnerships with the other security infrastructure pieces? We integrate with the Active Directories today or the SSOs today, we integrate with some of the MFAs — how do we continue to deepen and strengthen those?
We want to work with the existing security infrastructure in an ever deeper way, but have 1Password live up to the human. So that's really where some of the courage capital, but also just the visibility, will make it easier for us to continue to work with and deepen some of those partnerships. So that we can provide a better broader solution for our business customers, as well as the consumers.