Toronto-based company 1Password has raised $620 million at a huge $6.8 billion valuation, meaning the company is now one of Canada’s most valuable technology businesses.
Although password managers like 1Password have been around for a while, the increased risk of cyberattacks and hacking – as well as the volume of data about ourselves we now store on the internet – means it's never been more important to use your account.
Password managers have gone from being an optional extra to an essential tool for internet users.
What are Password Managers, and who uses 1Password?
Password managers are a handy way to ensure that you’re following the security protocols you need to in order to protect yourself from hackers and cybercriminals.
For instance, they allow you to create strong, complex, and unique passwords for every site you visit – and you don’t have to remember them. All you have to remember is a master password for 1Password or any other password manager of your choosing.
1Password was initially targeted towards consumers, but it’s used by over 100,000 companies, with Slack and IBM among its customer base. Since 2020, 1Password has gone from having 177 employees to around 570 today, and that number is going to double this year, according to CEO Jeff Shiner.
“Humans were not built for security…we make it simple for people to stay safe online” – Jeff Shiner, 1Password CEO.
1Password uses AES-256 encryption – the best in the business – but that’s just the tip of the security iceberg.
Why using a Password Manager like 1Password is the Best Option
Aside from the straightforward reason stated above – that you can use long, unique passwords for all your accounts – password managers are one of the most secure ways to store your account information because they put in place a selection of other security measures that work in tandem to keep your passwords secure.
1Password does exactly this. Highlights include the fact that it can warn you when a website has been hacked – without ever sharing a list of websites you’ve visited – and will only autofill your password on sites you’ve previously visited, which is a great defence against phishing.
It also deploys a Secure Remote Password (SRP) protocol. Most websites you visit will ping your password to their servers when you type it in. 1Password’s SRP protocol means you can log into sites without actually sending your password to any other servers.
1Password has security provisions designed to make it almost impossible to orchestrate a brute force attack and steal your password.
There’s also a Secret Key, which is stored on your devices. That means that if someone stole your device, they’d have your secret key, but not your password. And if someone obtained your 1Password account password, however unlikely, they wouldn’t have your Secret Key.
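The two-secret idea described above, as an added example that is not part of the original article and is not 1Password's own algorithm: a generic derivation in which the unlock key depends on both the memorised password and a device-held Secret Key. The function names, the PBKDF2 round count and every sample value are assumptions constructed for this illustration.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a memorised password with a device-held Secret Key."""
    # Slow, salted stretch of the low-entropy, human-chosen password.
    from_password = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    # The Secret Key is already high-entropy, so one keyed hash is enough.
    from_device = hmac.new(secret_key, b"unlock-key" + salt, hashlib.sha256).digest()
    # XOR the two halves: the result cannot be recomputed without both inputs.
    return bytes(a ^ b for a, b in zip(from_password, from_device))


def can_unlock(password: str, secret_key: bytes, salt: bytes, expected: bytes) -> bool:
    """Re-derive the key and compare it in constant time."""
    candidate = derive_unlock_key(password, secret_key, salt)
    return hmac.compare_digest(candidate, expected)


# Constructed sample values (not real credentials).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("a1" * 32)
PASSWORD = "correct horse battery staple"
VAULT_KEY = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)

if __name__ == "__main__":
    # Someone with the password but a different device's Secret Key.
    print("both secrets:  ", can_unlock(PASSWORD, SECRET_KEY, SALT, VAULT_KEY))
    print("password only: ", can_unlock(PASSWORD, bytes(32), SALT, VAULT_KEY))
    # Someone with the stolen device but a guessed password.
    print("device only:   ", can_unlock("guess123", SECRET_KEY, SALT, VAULT_KEY))
```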
1Password’s web page explaining its security model lists “biometric access” as a security feature. “[biometric access] makes accessing your information more convenient” the page reads, “and also means that someone can’t learn your account password by peering over your shoulder”.
Notice how 1Password doesn’t claim that biometric access makes your account more secure, beyond stopping someone looking over your shoulder from seeing your password.
This implicitly references a misconception about biometric access: that it makes your account more secure and is an “extra layer” of security that can be compared – or even considered superior – to a password.
Biometric Authenticators are not ‘Alternatives’ to Passwords
The use of biometric data to secure accounts is often touted as the highest form of security you can place on an account.
However, in most contemporary cases, biometric authentication processes in the devices we use today don’t actually “replace” passwords. They simply provide a shortcut.
Take a fingerprint scanner on your iPhone, for instance. You aren’t directly unlocking your phone with your fingerprint; the biometric authenticator in the phone is essentially asking itself a true-false question (e.g. “Is this the same fingerprint I have in my database?”).
If the answer is “true”, then the biometric authenticator finds the user's password and then authenticates the user based on the password. In this way, biometric authenticators as we know them today just save you the time you’d spend typing your password in.
Biometric Authentication is by no Means a Golden Ticket
The use of fingerprints and facial recognition – especially in products like iPhones and Macs – is often thought of as superior personal and business security. But this is not necessarily the case.
“If anybody ever got a copy of your fingerprint or your face, you can’t change that,” explains Jon Curtius, CEO of Tiger Global, one of the companies investing millions of dollars into 1Password.
That’s one problem with solely relying on biometric authentication. You can’t change a fingerprint or a face – so if that data is stored by a government or organization like an airport, and their security systems are either infiltrated or left unprotected – as one security company in the UK’s were in 2019 – then who knows what hackers might be able to do with it.
Well, actually, we do know what they can do with it – because they’ve been showing us for the past few years. There are various other ways biometric authentication can be bypassed.
One example is “Masterprints” – master key-inspired fingerprints that combine all the common elements of fingerprints into one “Masterprint” – which made headlines in 2017. In 2019, on the other hand, Forbes reported that one was able to unlock a phone by modifying a fingerprint from a wine glass.
Facial recognition isn’t foolproof either. McAfee researchers successfully hacked facial recognition software in 2020 and effectively convinced it that someone who wasn’t there actually was.
Other Security Measures aren't that “Secure”
There are other security measures that are becoming increasingly popular but don't actually provide you with that much more security. A good example of this is two-factor authentication – another provision that is often seen as a way to make your account hyper-secure but isn't actually all it's cracked up to be.
Granted, it provides an extra layer of security – anyone trying to unlock your account now needs extra information – but it's not as infallible as is often made out. Two-factor authentication that is secured by entering your phone number and receiving codes by text message, for instance, is vulnerable to SIM-swapping scams.
It is also theoretically possible to brute force a two-factor authentication screen if it doesn't enforce lockouts after a predetermined number of attempts have been tried. There are also ways to steal someone's session cookies, which would tell a browser/website that 2FA has already been authenticated.
It's definitely more secure than not having 2FA, and you should always enable it where you can, but never underestimate a hacker's will to infiltrate security systems.
The Moral of the Story: More is More
The key takeaway is that, when you’re choosing how to secure your accounts, an intricate web of lots of different security provisions working together is the optimal way to ensure your personal accounts and data are kept safe.
Biometric Access and 2FA are still useful, just not as the last – or only – line of defence.
1Password is a paradigm example of this; by instating such a wide variety of different security protocols, relying on both security keys and passwords as well as multi-factor authentication, you’re putting so many obstacles in the way of any prospective hacker trying to obtain your information.
Password managers are one of the few bits of cyber security tech that bundle all of these things into one program – so if you’re serious about keeping your data safe, get a password manager today.