1Password's Blue Ocean Strategy

A deep dive into 1Password's strategy and future after its massive Series C funding announcement.

Tell me if you've heard this story before: a little Canadian company builds a solid product that's profitable from day one, grows a large and passionate community of users, explodes onto the scene with large funding rounds, then dominates an industry.

That company is Shopify, now one of the foundational companies in e-commerce and valued at over $100 billion.

1Password feels like the cybersecurity version of Shopify. AgileBits, the parent company who owns the 1Password product, just announced a $620 million round of funding in January 2022, the largest funding round ever for a Canadian company (move over, Shopify). Note: For simplicity, we'll use 1Password in reference to both the product and the company.

Everything about 1Password is fascinating. With the news and buzz about their latest round of funding, now is a good time to go deep into their business and explain what all this ruckus is about.

I didn't realize how excited I was about 1Password until I started researching and writing this deep dive. I've been a paying customer and loyal user for many years, but I hadn't stopped to think about how much I love the product or how big their opportunity truly is.

1Password is a classic Blue Ocean Strategy case study. Even if you haven't read the book and aren't an MBA strategy nerd like me, the ideas from Blue Ocean Strategy are still a great way to understand a business like this.

Through the process of researching and writing this article, I see 1Password in a completely different way. I'm excited to share my new point of view with you. Buckle up, we're about to go deep into the story about 1Password's strategy and opportunity going forward.

The Long, Slow March to Passwordless Authentication

First, we have to talk about passwords and the hype around passwordless authentication. Passwords are bad, full stop. We're not here to contest that.

Packy McCormick did a nice takedown of passwords in his piece about Stytch. In the article, investor Gaurav Ahuja concisely summarizes the case against passwords:

First, the future should be passwordless. Actually, back up, first: passwords suck. And they suck in three ways:

They’re a terrible user experience.
They hurt user engagement, conversion, and revenue.
They’re a burden on IT support.

Completely accurate. Packy then captured how people really feel about passwords:

Passwords cause pain and agony, or even worse, a persistent, nagging, low-grade annoyance. F*** passwords.

These functional and emotional problems with passwords are the driver behind all the hype around passwordless and large investments made in companies building the technology to make it happen.

All the passwordless proponents (I'm one of them) are right — eventually passwords will go away. But not any time soon.

My rough, probabilistic estimate is a 70% probability that passwords will no longer be the dominant form of authentication before the end of our careers (around 2040 for me). That estimate isn't even saying passwords will be gone — just that another form of authentication will be used a majority of the time. The journey to passwordless is a decades-long transition.

Many people believe the transition is going to look like this, as if the new generation of passwordless authentication platforms will rapidly accelerate adoption:

Perceived decline of passwords and adoption of passwordless.

In reality, it will look like this:

Realistic decline of passwords and adoption of passwordless.

We want the transition to be faster. It's not going to happen. Password usage will gradually decline in a long, slow curve over decades.

Why? Passwords have a Lindy effect to them. Their staying power is proportional to their current age, even if we don't really want them around. Passwords are over sixty years old. They're still going to be around sixty years from now in some shape or form.

Inertia is the biggest competitor for every passwordless authentication company. Passwords have issues, but they mostly work, and people know how to use them.

Worse yet, there are too many applications in the world whose security model is built exclusively around passwords. This population includes legacy business applications that are duct taped together and ready to explode at any moment — that is to say, switching out a foundational service like passwords is not on the table.

Even new, innovative products that tried killing the password from the start in favor of magic links and social auth have since gone back and added the option to create a password. My unofficial mental scorecard has Medium, Slack, Notion, and Substack, to name a few.

Passwords are a deeply engrained habit that's hard for people to kick. When that habit gets in the way of user adoption, a passwordless-only approach becomes a lot less appealing. Even the latest and greatest apps have to cave.

Is there enough room in the slow, downward decline of passwords to create large, successful passwordless authentication companies? You bet there is. But there's just as much room to create a hypergrowth company to manage the passwords that still exist during the transition. That's the opportunity 1Password has capitalized on.

Password Management is a Red Ocean

The story behind 1Password's successful blue ocean strategy starts with one of the big ideas from the book — that companies can achieve rapid growth in markets that appear to be unattractive and declining:

What makes this rapid growth all the more remarkable is that it was not achieved in an attractive industry but rather in a declining industry in which traditional strategic analysis pointed to limited potential for growth.

Segment the broader authentication industry way, way down and you end up with what looks like an unattractive micro-industry: password management. With all the talk about the decline of passwords, a seemingly niche industry like password management sure sounds like it's on the decline with limited potential for growth. This misconception about the password management market is the underpinning of 1Password's success.

Many great companies are created from seemingly unattractive industry segments known as "red oceans":

Although some blue oceans are created well beyond existing industry boundaries, most are created from within red oceans by expanding existing industry boundaries.

Password management is one such red ocean. This is where the "passwords are dead," "password management isn't that hard," "X cloud authentication company has won the market," and similar arguments take a sharp turn towards reality.

For consumers, anyone moderately tech-savvy knows the feeling of random requests from relatives to help reset a forgotten password (or similar types of issues). The best we can hope for is a nice dinner in exchange for our free tech support.

For businesses, passwords are a gnarly area of security and IT that most industry professionals don't want to touch. It's relegated to the job of the help desk, a Sisyphean task with no end in sight.

The dull pain and discomfort of password management is what drives our faith in passwordless authentication. Our magical thinking goes like this: all our problems with passwords go away with passwordless, so let's ignore the uncomfortable problems we have right now.

This is the exact opportunity 1Password has seized. Our password problems aren't going away. If anything, they're getting worse. A study by LastPass (one of 1Password's competitors) found this mind-blowing stat about the volume of passwords used by the average business user:

An average business user has 191 passwords.

Many businesses use cloud authentication products like Okta to help ease the burden through single sign-on (SSO). Applications integrated with SSO all use the same enterprise password. This means fewer passwords for people to remember and less need for a password manager like 1Password.

SSO helps, but it's easier said than done. Even with pre-built integrations in a product like Okta, implementation still takes time. Compatibility is also mixed. Many applications, especially custom-built internal ones, don't support standards for easy integration. This means SSO puts a dent in the problem, but it's not the full solution yet.

Consumers are an entirely different world. People still have hundreds of accounts, but they don't have fancy, enterprise-grade SSO solutions to manage them. Platform companies like Facebook and Google popularized the concept of social login, allowing users to sign in to supported applications with credentials from the social login provider. Similar to enterprise SSO, social login helps but isn't supported by every application in the world.

To manage this problem, people typically use the same password (or a variant) for multiple applications and services. At best, this password is semi-complex and based on something familiar. Conceptually, reusing passwords looks like this — a single password used on multiple applications:

One password for multiple sites.

A lame joke periodically makes the rounds on InfoSec Twitter: "My email password has been hacked. That's the third time I've had to rename the cat." Lame, but true. And completely relevant here.

A weak password that's compromised on one application makes every other application which uses the same password vulnerable to compromise. This problem is the basis of credential stuffing attacks, which caused 61% of breaches in 2021.

For the average person, using strong passwords and storing them in a password manager is far more secure than using the same simple password across multiple applications. 1Password pulled the right strategy levers and created a product that made it dramatically easier to manage multiple complex passwords in a way that's affordable to individual consumers.

They literally made it possible to "forget your password" and use a unique complex password for every application. It works like this — a password for the 1Password vault with unique passwords for everything:

Unique password for every site.

This is entirely different from the conventional approach for managing passwords. If a password is compromised, the scope of the problem is limited to the one service the password is used for. Better yet, 1Password uses the Have I Been Pwned breach reporting service to alert users if a password has been exposed. The approach is so simple, yet so effective.
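To make the comparison between a reused password and a vault of unique ones concrete, here is an added example (not code from this article or from 1Password). The vault contents, breach corpus and function names are constructed for illustration; the exposure check follows the prefix/suffix range format of the public Pwned Passwords API, simulated offline so no password or full hash leaves the machine.

```python
import hashlib
import re

# Constructed sample data: no real accounts or credentials.
REUSED_VAULT = {
    "mail.example": "Mittens2019",
    "shop.example": "Mittens2019",
    "forum.example": "Mittens2019",
    "bank.example": "Mittens2019!",  # a "variant" of the same base password
}
UNIQUE_VAULT = {
    "mail.example": "fV7#qTz9!mWp2LxA",
    "shop.example": "R4y$uB8nK@e1ZsQd",
    "forum.example": "p9L!xC3wM&j6HtGo",
    "bank.example": "Z2k@Nf5vD#s8YbUe",
}
# Constructed stand-in for a breach corpus: password -> times seen in breaches.
BREACH_CORPUS = {"Mittens2019": 42, "password": 1000, "letmein": 77}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def variant_key(password):
    """Collapse trivial variants: lower-case, then drop trailing digits/symbols."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base or password.lower()  # all-digit passwords keep their own key


def blast_radius(vault, breached_site, include_variants=False):
    """Sites exposed when the password stored for breached_site leaks."""
    key = variant_key if include_variants else (lambda p: p)
    leaked = key(vault[breached_site])
    return sorted(site for site, pw in vault.items() if key(pw) == leaked)


def range_query_parts(password):
    """Split the SHA-1 digest: only the 5-character prefix is sent to the service."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulated_range_response(prefix, corpus=BREACH_CORPUS):
    """Offline stand-in for the service: 'SUFFIX:COUNT' lines for one prefix."""
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def exposure_count(password, fetch_range=simulated_range_response):
    """Match the suffix locally, so the service never sees the full hash."""
    prefix, suffix = range_query_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def audit(vault):
    """Per-site report: breach exposure and number of other sites sharing the password."""
    return {
        site: {
            "seen_in_breaches": exposure_count(pw),
            "shared_with": len(blast_radius(vault, site)) - 1,
        }
        for site, pw in vault.items()
    }


if __name__ == "__main__":
    for name, vault in (("reused", REUSED_VAULT), ("unique", UNIQUE_VAULT)):
        print(name, "-> forum.example leak exposes:",
              blast_radius(vault, "forum.example", include_variants=True))
        for site, row in audit(vault).items():
            print("   ", site, row)
```

With the reused vault, a leak at one site exposes every site sharing that password (and the variant, once trivial suffixes are ignored); with the unique vault the exposure stays at the single breached site.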

We're several hundred words in and barely scratching the surface of password management. We haven't even started talking about Multi-Factor Authentication (MFA), Privileged Access Management (PAM), or any of the other topics and challenges in the immediate vicinity of passwords. By now, you can see how big the problem actually is.

1Password is an ingenious idea because they addressed the problem as it stands right now: passwords are a pain to manage, they're not going away soon, so let's manage them as well as possible.

They Said Password Management Wasn't That Hard

It's easy to explain what a password manager does: it's a secure place for you to put your passwords. Simple as that. But the "manage them as well as possible" part is a whole lot harder than it sounds.

Back in 2005, founders Dave Teare and Roustem Karimov wanted to build a tool to manage their own passwords. It's fair to say the founders themselves underestimated the complexity of building a password manager. What started out as a three-month project is still going 17 years later. The good news is the founders underestimated the upside of the product, too.

If you take a quick spin through Twitter around the time of 1Password's funding announcement, it's not hard to find people throwing shade at people's inability to remember their passwords, the simplicity of building a password manager, and why a company who builds one is worth such a high valuation. Critics range from random internet commenters to high-profile industry analysts.

I've heard similar variants of this password management argument for years while working in cybersecurity. We'll avoid calling out any specific examples, so you'll have to take my observation at face value or go look around for yourself. Praise specifically, criticize generally.

The root of people's misunderstanding is a logical fallacy — a human tendency to oversimplify and overlook important nuances and details that make something deceptively complex. That's absolutely the case with a password manager.

To help explain the nuances of building a password manager, here's an anecdote from a recent Twitter thread by 1Password's Mitchell Cohen. This thread is a beautiful destruction of an unwitting Twitter user who threw shade and got a lesson in security engineering:

TL;DR — this thread talks about the intense security engineering behind loading the website icons for the accounts you store in 1Password. A process most people wouldn't even think about needs months of engineering to be both secure and performant.

An example like 1Password's icon rendering is a Zen and the Art of Motorcycle Maintenance moment. Building a world-class password manager is an act of craft and quality. You could do it with less of both — after all, how many people would even care or notice if their password manager rendered icons insecurely?

Ah, but people like Mitchell Cohen care. If 1Password is going to build a password manager, it's going to be the best damn password manager humans can possibly build.

In Zen and the Art of Motorcycle Maintenance, author Robert Pirsig describes the philosophy behind this kind of quality:

Care and Quality are internal and external aspects of the same thing. A person who sees Quality and feels it as he works is a person who cares. A person who cares about what he sees and does is a person who’s bound to have some characteristic of quality.

For you and me, that means using a quality product looks and feels different in a way we can't quite articulate. In Pirsig's words, "Even though quality cannot be defined, you know what quality is." Genuine quality is an intentional and strategic act.

The cornerstone of any blue ocean strategy is an idea the authors call "value innovation." Companies who successfully create blue oceans do so by systematically building their companies in a different way:

In this sense, value innovation is more than innovation. It is about strategy that embraces the entire system of a company's activities. Value innovation requires companies to orient the whole system toward achieving a leap in value for both buyers and themselves.

Visually, the idea of value innovation looks like this:

Value Innovation diagram.

The concept is simple, but the implications are powerful. By pulling a few levers and turning a few knobs on what is typically viewed as valuable (or not valuable), the boundaries of entire industries can be redefined:

Value innovation is based on the view that market boundaries and industry structure are not given and can be reconstructed by the actions and beliefs of industry players.

Value innovation doesn't occur by luck — that's where the systematic part comes in. Blue ocean strategies find uncontested markets, avoid competition, capture new forms of demand, and redefine the relationship between value and cost.

1Password created a blue ocean by systematically building their entire strategy around a different set of value props than traditional, enterprise-focused identity and access management companies.

A strategy canvas is a tool used in Blue Ocean Strategy to visualize factors that play a role in value innovation. This is what the strategy canvas of the broader access management market looked like in the early 2000s:

Strategy Canvas of the access management industry in the early 2000s.

The diagram has two lines called value curves — one for the traditional industry competitors, and another for the upstart company's Blue Ocean Strategy. The points in each curve are plotted against common factors that influence value and purchasing behaviors. The value curves can then be compared to show how the blue ocean strategy is differentiated.

The best way to demonstrate the strategy canvas for the early years of 1Password (roughly 2005-2015, before teams were launched) is to compare their consumer password management product against the enterprise access management products of the time. This market isn't a totally fair comparison, but it's a good way to illustrate how 1Password innovated.

1Password created a blue ocean through value innovation across several factors:

Enterprise Focus

Traditional enterprise access management products were focused on, well, enterprises. The problem of managing passwords across multiple applications was viewed as a business problem. The problem was especially acute in big companies, where users often require access to dozens of applications to do their job.

1Password initially focused on consumers. When the product was launched in 2005, it was only compatible with Mac OS X. There was no Windows app. At the time, it was basically unheard of to use a Mac at work. No Windows app meant most business users weren't able to use the product.

Price

Enterprise access management products were (and still are) expensive. Companies buy enterprise licenses or subscriptions to use the products across the entire organization. For large enterprises, costs can easily reach millions of dollars.

Pricing may have been the single most important innovation in 1Password's blue ocean strategy. They changed the pricing model of the entire industry and made enterprise-grade security accessible to the average consumer.

Making the product affordable for consumers necessarily meant growing revenue based on volume. As other digital and physical consumer products have proven, it's possible to generate a lot of revenue at scale.

However, a consumer-focused approach is highly uncommon in security software. This approach was a critical component of 1Password's strategy. It allowed the company to grow rapidly while flying under the radar for more than a decade.

Top-Down Sales

Most enterprise software gets sold through top-down sales processes. Enterprise access management is no exception, particularly before Okta came along in 2009. The strategic implication of a top-down sales model is higher customer acquisition costs and longer sales cycles.

Because 1Password was a consumer-first product, it focused on bottom-up adoption. There was no sales team to speak of. They spent no money on advertising. All sales were made through self-service purchasing by consumers.

Bottom-up adoption was a necessary part of the strategy in order to keep pricing at a level affordable to individual consumers. As we'll see later, it was also a huge advantage as 1Password gained traction among business users.

Integrations

A core feature of enterprise access management products is integrations. That's how single sign-on happens. Products compete on the number of pre-built integrations they support. This reduces the time it takes to make an enterprise application compatible with the central enterprise access management solution.

The dilemma for companies who build enterprise access management products is the volume and variety of applications. It takes an enormous amount of effort to build and support pre-built application integrations. All of this effort is another factor that drives up costs.

1Password took an entirely different approach with their product. The early versions of the product integrated with nothing. It was purely a password vault focused on storing passwords and allowing users to quickly enter them when needed.

1Password isn't single sign-on because password managers don't reduce the number of passwords like an access management product would. However, it's a clever hack that essentially does the same job.

At an abstract level, the job to be done in the eyes of a user is logging into an application quickly. 1Password reduced the friction of accomplishing this job as much as possible by elegantly auto-filling the correct account information in login forms. More importantly, they avoided the treadmill of building and maintaining integrations — another strategic driver that keeps costs low.

Time to Value

Enterprise access management products can take a long time to implement and integrate, even with pre-built integrations. In large enterprises with thousands of applications, implementations take years. Incremental value is delivered with individual application integrations; however, full value isn't delivered until a critical mass is reached.

1Password delivers value quickly, albeit in a much different way. Because the customer is an individual consumer, they start seeing value when the first password is stored in 1Password's vault. Value increases over time as the user makes further micro-investments to add more passwords to the vault. Time to value is fast, especially when the cost of the product is significantly lower than enterprise solutions.

User Experience

"I love this enterprise SSO product," said nobody, ever. The user experience for enterprise access management products is neutral at best. UX trends towards negative if clunky MFA workflows are involved.

1Password makes the best of a difficult situation. We'd rather not have passwords, but since we have to, it's nice to use a product with the UX of 1Password. Browser plugins present the right password for the website you're visiting and capture new ones while you're creating new accounts. The list of conveniences goes on and on, which is why people rave about the product.

User Community

Most enterprise access management products have small communities, typically professional systems integrators who implement the product for a living. A sense of community exists, but it certainly isn't a focal point for most companies. This is partly a consequence of top-down sales models. When the buyer is a senior leader, community takes a back seat.

1Password has earned and cultivated a passionate user community since the very beginning. A 2011 Quora answer from a 1Password employee quantified their sense of community:

We have 61,786 registered members on our forums, and when you consider that only a handful of users, relatively speaking, sign up for forums, that's quite a lot.

The number has undoubtedly increased in the 10+ years since that figure was published. It gives you a sense of how important and engaged the user community truly is.

The impact of a well-designed strategy canvas can't be overstated. Entire industries can be transformed and restructured, unlocking new customers and massive business opportunities. From Blue Ocean Strategy:

To fundamentally shift the strategy canvas of an industry, you must begin by reorienting your strategic focus from competitors to alternatives and from customers to noncustomers of the industry.

In the case of 1Password, their intentional choices across the factors discussed above brought consumers into the world of personal password managers — previously noncustomers of traditional products in the market.

Over 17 years into the story of 1Password, we're still closer to the beginning than the end. Next, we'll look at 1Password's adoption curve and the massive market opportunity in front of them.

All the Cool Kids Are Using 1Password

The opportunity for 1Password is to capture the rest of the adoption curve for password managers and beyond. The upside of a consumer-first product like 1Password is that everyone needs it. Like, literally everyone on the internet. That's 4.66 billion people as of today.

A TAM of almost five billion people is admittedly hyperbolic, but it's meant to illustrate a point. 1Password has around 15 million users today, according to their own statistics. That's 0.3 percent of total internet users.

All 4.66 billion people have passwords. Every single one of them. Using the internet without a password manager is in the realm of using the internet without a browser — not quite as essential, but close. It's just that fundamental of a service for today's internet user.

We'll let the venture capitalists estimate the exact addressable market (some of you subscribe to these articles, so please do!). Let's reasonably conclude it's big and move on to where we're at on the adoption curve for password managers.

An adoption curve for password managers looks something like this:

Adoption curve for password managers.

I am on the furthest end of the Enthusiasts segment when it comes to password managers, which is obvious now that we're several thousand words into a discussion on the topic.

I keep all of my passwords in 1Password and use the product dozens of times per day. Outside of a browser, it's the piece of software I use the most. The interactions are short and quick, but it's an engrained habit. I'm hooked.

And I'm not the only one. People log into applications at an astonishingly high frequency. From Lightspeed:

In 2021, an average business user logged into over 96 applications per day and entered login credentials, credit card details and contact information online every hour.

This is why 1Password is unstoppable. High frequency use (multiple times per day), genuine pain points, and significant user investment are a classic example of a hook.

There's also an ironic nuance in the adoption curve for passwordless authentication: I couldn't go completely passwordless today even if I wanted to.

Services that offer passwordless authentication are still in the vast minority. The void creates a bifurcation in my enthusiasm. I'm an enthusiast for both passwordless authentication and password managers.

With my enthusiasm for passwordless authentication dampened due to lack of availability, it creates enthusiasm for password managers. I'd rather not have passwords at all, but since I do, I want the best password manager available.

Enthusiasts like me are only 2.5% of the adoption curve. We're the fans who have been using 1Password for years and go around telling everyone about it. If we zoom back out and look at 1Password's 15 million customers in relation to the adoption curve, it's easy to see that we're only just starting to reach the Pragmatists. Realistically, we're not even through the Visionaries yet.

We're still on the upward slope of an adoption curve in an addressable market that potentially includes billions of people. As discussed in the previous section, 1Password has built proprietary technology and invested years in building it. The product's hook is reliable, which drives good retention. Growth so far has come from bottom-up adoption, which means low customer acquisition costs.

Their current situation ticks all the boxes for a potential hypergrowth company. That's why 1Password has the attention (and money) of the top investors in the world.

A handful of the Visionaries are investors in 1Password's latest round. People like Ryan Reynolds, Scarlett Johansson, Robert Downey Jr., Matthew McConaughey, Chris Evans, Rita Wilson, Ashton Kutcher, Trevor Noah, Justin Timberlake and Pharrell Williams define culture.

We typically think of culture as things like fashion and entertainment, but culture comes in all forms. With technology becoming a central part of pop culture, people like these celebrity investors can help push adoption further along the curve into the majority.

An interesting observation about this adoption curve: 1Password is probably the only piece of security software used by both your mom and some of the top security professionals in the world.

This observation demonstrates the power of a high quality, consumer-first security product. It's robust enough to meet the needs of power users and simple enough to meet the needs of regular internet users.

People like me are drawn to the product because it's both secure and elegant. I tell people further down the adoption curve (e.g. my mom) who have a completely different view of the problem — they just want to remember their darn passwords. Regardless of motivation, our problems get solved, and the cycle of growth continues.

...And So Are Businesses

1Password has been around long enough to precede the macro trend of the consumerization of IT. As a consumer-first company, it's a clear beneficiary of this trend — a textbook example, actually.

1Password could have been a nice business as a consumer-only product. There are plenty of consumers in the world, and 1Password was able to grow and scale its business with reasonable customer acquisition costs (CAC) and recurring subscription revenue.

Our password problems aren't confined to our personal lives, though. The same problems exist when we open up our business devices. Using 1Password at work is a logical progression.

At work, people used to use 1Password on the down low, falling into the nefarious "Shadow IT" bucket. It wasn't technically a supported enterprise application. Security awareness training has taught us enough to know that using an unsanctioned password manager to store our work password is taboo. Many people did it anyway and paid for 1Password out of pocket.

The story played out this way for over ten years. That's a surprisingly long time in today's fast-paced hypergrowth mode of startup building. 1Password for teams was launched in 2015. The initial business product wasn't even built for company-wide use. Demand was too strong, and 30,000 businesses signed up in a three-year span.

1Password Business was launched in 2018 with a wider set of business-focused features. This was 1Password's true entry into the enterprise. Features like SSO integration, automated provisioning, and reporting are business-only requirements. Adding them to a successful consumer product without degrading the experience for their core customer base required care and attention.

The upside to entering the enterprise market is high. A company-sanctioned 1Password license increases both the volume of users and revenue from subscription prices. It also encourages faster adoption if people can do it as a perk on their company's dime.

Equally as important, it unlocks a flywheel of growth on the consumer side. Every 1Password Business subscription comes with family plans — meaning the families of every employee can also use 1Password at home. This ingenious growth strategy is one more way of driving adoption further down the adoption curve into the masses of Pragmatists and Conservatives.

1Password's entry into the enterprise market was a significant and important milestone, but the ceiling is still much higher. Next, we'll take a look at what the future might look like for 1Password.

What's Possible for 1Password

1Password reached a $6.8 billion valuation and raised money from the top investors in the world in part because its metrics are stellar, and especially because the upside is even better.

In a recent CNBC interview, CEO Jeff Shiner disclosed a couple of the important metrics:

Revenues for 2021 are expected to come in at around $150 million, Shiner said, adding that businesses now account for about 60% of 1Password’s revenue.

Building on what we've discussed so far, there are a couple important takeaways from these numbers.

First, this implies the 1Password Business product is growing rapidly. Since the product wasn't officially launched until 2018, the growth is obvious given the company has a 60/40 business to consumer revenue mix just over four years later.

Additionally, the $150 million was generated almost exclusively from the core password manager product. Expansion and diversification of the product has been completely organic for most of the company's history. The sole exception was 1Password's acquisition of SecretHub in 2021. In relation to the revenue projection for 2021, it's unlikely the acquisition made a significant contribution to revenue during the year.

Both takeaways are important because they signal how much upside remains. There is significant room for growth left in the core password management product because we're still early on the adoption curve for both consumers and businesses. The latest round of capital also opens opportunities for more acquisitions to compliment the core product.

As Jeff Shiner wrote in the Series C funding announcement, the company's ambitions span far beyond the core password management product:

But we don’t just want to keep up; our goal is to push the envelope and explore beyond the boundaries of traditional password management.

The boundaries need to be pushed, and 1Password is the company to do it.

Zooming out to look at the product space, 1Password's big opportunity is to become the user experience layer on top of existing identity and access management tools. This is significant because of an earlier point in the enterprise access management strategy canvas: user experience in traditional products is bad, and 1Password makes it good.

Companies implement identity and access management tools for administrators, not for users. Any claims to business user experience are lip service — it's about managing risk for the company, not making the lives of employees easier.

This tension is at the core of 1Password's mission. As Jeff Shiner describes, it's about easing the tension between security and convenience:

Security is hard work, but at 1Password we see it as a human challenge rather than a technological one. Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been greater.

By adding 1Password — the user experience layer for security — into the mix, companies are making a sincere gesture towards convenience and improving the lives of business users. This is the human-centric future of security.

In a preview of what's to come, 1Password refers to the future experience as "Universal Sign On." For users, this is magical. Universal Sign On is essentially the grease between the old world of application-specific passwords and the new world of single sign-on. You don't need to worry about any of that anymore — just put your passwords in 1Password, and they'll remember how you need to sign in to the applications you're using.

The improvements in user experience aren't just a tradeoff. Security teams get meaningful benefits too, mainly in the form of aggregated statistics and insights across the company's base of 1Password users.

Insights into things like unused accounts, low security risk criteria, unauthorized applications, and employees involved in a data breach are valuable pieces of information when securing an enterprise. They're also extremely hard to get — most security teams only dream of having data like this.

By giving employees a password management tool they actually want to use, security teams get valuable information in return. Mutually beneficial value like this doesn't happen often in security. You have to appreciate it when you see it, and 1Password is one of those instances.

Ironically, the bold vision of 1Password is a work in progress. It's fair to say that the company is still building confidence and just beginning to assert itself despite consistent profitability, growth, and now three large rounds of funding.

In a recent Twitter Spaces conversation with 1Password's founders and CFO, the company's Series C round was referred to as "confidence capital." It struck me as an interesting way to describe a massive round of funding — presumably because the norm is for startup founders to be oozing with confidence even before their seed round.

When most tech companies raise hundreds of millions, the reaction is: "WE RAISED ALL THIS MONEY TO TAKE OVER THE WORLD." 1Password's feeling of "confidence capital" is the most endearing and most Canadian ever. I'd contrast their reaction to other tech companies like this (my words, not theirs): "Oh, we were just trying to make payroll, then a few nice people liked our product, and now it looks like the rest of the world might want to use it, eh?"

Consistent humility demonstrated for nearly two decades and counting is a perfect foundation for building an iconic company. I see a strong dose of "confidence capital" as the encouragement and validation 1Password needs to fully capture the blue ocean it created.

What Could Possibly Go Wrong?

Raising nearly a billion dollars in total to rapidly grow a company doesn't come without risk. Both the 1Password leadership team and its investors know that. Going big and scaling the company is a chance worth taking even though there are still obstacles to overcome.

Moving into the enterprise, 1Password is loosely competing with Privileged Access Management (PAM) products — the likes of CyberArk, BeyondTrust, and soon to be Okta. It's a competitive market, and 1Password will have to continue carving out its space — its blue ocean — among established enterprise companies.

Along with the disruption and adaptation of industry incumbents, expanding the focus of 1Password's products shifts the strategy canvas. The evolution of strategy has a meaningful impact on 1Password's blue ocean. The curves are starting to mirror and converge:

Strategy Canvas of the access management industry today.

Enterprise access management products (including both cloud identity and privileged access, for simplicity) have become more affordable, increased bottom-up (developer led) adoption, and decreased time to value (Okta's claim to fame). They're still enterprise-focused, but the current generation of products has disrupted the monoliths.

Meanwhile, 1Password's shift towards the enterprise has split its focus between consumers and businesses. Prices for business customers are higher. A sales organization has been established to manage enterprise deals. Integrations have become more important and will drive much of the future product strategy. Time to value and user experience remain high priorities.

Building and maintaining a community at scale is a hard thing to do. As with most products and cultural movements, going further down the adoption curve into mass markets inevitably means losing the attention of some early adopters. The challenge is keeping the welcoming, community-oriented vibe while millions of additional users join the mix.

Bigger picture, it's a meaningful strategic advantage for 1Password to have both a profitable business and a stockpile of capital to deploy wisely. Even as they hit escape velocity, it's hard to imagine their fiscal discipline changing to a point where money is shot out of a cannon.

If the decline of passwords does hit an inflection point where their demise becomes imminent, 1Password is still in a good position (maybe other than their name). They have a long enough runway to get ahead of this shift, adapt their core product, and diversify into adjacent product domains.

For example, 1Password now has the financial means to acquire a smaller passwordless authentication company. The 1Password brand has established a level of trust where any company they acquire becomes exponentially more trusted and valuable. This idea of transitory trust has worked well for companies like CyberArk and their entry into the cloud access management market. The same effect will work for 1Password.

The downside of expanding a product portfolio is that acquisitions and new products competing in adjacent spaces don't always have the same success as the original core product. The history of tech is full of examples like this. Even the biggest and best tech companies in the world can't avoid it.

Accelerated growth means bets have to be taken. Calculated moves for building or buying complementary products are the proven path to success. Avoid ruin at all costs, and it's always possible to overcome the variations in results that come with additional products.

In a way, raising venture capital funding to win the market seems like it was the only viable option. With the way money is flying around in cybersecurity right now, there was a chance an existing competitor or an entirely new company could have raised a ton of capital and quickly built a solid password manager. This kind of hypergrowth is difficult but possible in today's world.

Despite these challenges, building upon the blue ocean strategy it created is by far the best strategic decision for 1Password. Successfully executing a blue ocean strategy means getting the sequence of events right, even if the sequence takes time to develop. 1Password has done everything right so far. Now, it's time to capitalize on the position they're in.

