1Password: The Bootstrapped Cybersecurity Success
From a Consumer-Focused Password Manager to a B2B Cybersecurity Platform
Welcome to the 9th Network Effects Newsletter,
If you're new here, this newsletter is all about unpacking the vision, strategy, and execution behind the world’s leading tech companies.
Today, we’re exploring 1Password, which was founded in 2006 by Dave Teare (CEO until 2012), Roustem Karimov (CTO), and Natalia Karimov (COO), alongside Jeff Shiner (CEO), who joined in 2012.
Let’s dive in.
📝 Overview
1Password is an enterprise-grade security platform that helps individuals and businesses securely manage and share credentials, secrets, and sensitive data. Founded as a password manager for consumers that simplifies logging into websites, entering credit card information, and completing registration forms, it has evolved into an enterprise security platform for password management, device trust and software access management.
In 2022, 1Password raised $620 million in Series C funding, the largest venture financing in Canadian history, bringing the company's valuation to $6.8 billion. At that time, 1Password had surpassed $250 million in ARR, with B2B sales accounting for two-thirds of 1Password’s total revenue. 1Password sells identity security and access management software to over 165,000 businesses and millions of consumers. Its clients include Canva, Wealthsimple, IBM, Intercom, Salesforce, etc.
📌 Thesis 1 - Category Leadership with ACV Expansion Potential
1Password’s growth inflection point came in 2016 with its decision to move towards enterprise to tackle a substantially larger and stickier customer base. As of January 2022, Enterprise represented two-thirds of 1Password’s ARR, and the company has continued to invest in enterprise sales and products, including the launch of Device Trust and Spend Management Solutions.
Leading identity management platform Okta, which is currently valued at $15B, reports they have ~20,000 enterprise customers in 2024, with a net retention of 107% and an implied ACV of $130,000 per customer. On the flip side, as of 2023, 1Password has 100,000 enterprise customers, generating $250M ARR, representing an implied average ACV of $2,500. A 50x delta in average contract value between Okta and 1Password underscores the potential for expansion. If 1Password can successfully launch adjacent products (like Secrets Automation or Spend Management) and verticalize its sales motion, it could dramatically grow ACV without chasing net-new logos.
Case Study: ServiceNow’s Growing ACV with Product Expansion
ServiceNow started in 2004 with IT Service Management, basically delivering a better software solution for the enterprise IT Helpdesk. This naturally expanded into other IT services, like application engine, operations management, procurement service management, security management, and more. Their ACV has grown from $1M to over $10M over a decade.

📌 Thesis 2 – Capital Growth Engine That Accelerates Penetration
It took 1Password 14 years to get from 20 to 170 employees before it raised its first venture capital round in 2019. Since then, the company has scaled from 170 to 1200 employees in 2024 and grown its valuation from $1B to $6.8B.
1Password’s capital infusion catalyzed a shift from a utility tool to a full-stack identity platform. The company’s ability to scale both headcount and ambition post-2019 has unlocked new growth levers, including:
GTM expansions: building out a hunter-farmer model to enhance the distribution and expansion of product offerings across regions and verticals
Strategic Acquisitions: acquiring cybersecurity platforms such as Passage, Trelica, and SecretHub to expand its enterprise bundle offerings
Investments in Building an Executive Team: attracting and hiring world-class talent such as Julian Teixeira (CRO), David Faugno (Co-CEO), etc.
Most importantly, it enables 1Password to win the 'first integration' advantage in identity management. In a category where replacement is expensive and risky, being the default partner in a customer’s security architecture becomes a defensible moat.
“If we had had marketing and go-to market and like real marketing, real go-to market, if we had been more mature earlier….. if we had, had an extra couple of years then go to market, would've been ahead by a couple of years and marketing would've been ahead”
🌱 Genesis Story
In 2005, Dave Teare and Roustem Karimov, who were developers at IBM Canada and Sony, started a web development consultancy to help small businesses build websites. While working with clients, they found it difficult to manage multiple logins for testing and development.
Frustrated, they gave themselves 90 days to build a better solution. That internal tool became the first version of 1Password. They listed it online while continuing their consultancy work. It quickly gained traction among other developers and began generating more revenue than their client projects. Recognizing the opportunity, Teare and Karimov decided to shut down the consultancy and focus entirely on developing what would become 1Password.
“We were developing many sites, and we were wasting time filling out forms to test them. We embarked on a month-long project to do our work faster.”
At the same time, Apple’s OS X and iPod were rapidly gaining popularity. The founders, who were already part of the OS X and Cocoa developer community, saw an opportunity to launch their product on the Mac platform. On May 19, 2006, they released the first version of 1Password on MacUpdate and VersionTracker.
As the company grew to 20 employees, Teare and Karimov realized they needed experienced leadership to continue scaling. Teare gave a Çingleton talk on why he believed 1Password couldn’t continue to grow without someone acting in this capacity. He approached Jeff Shiner, a close friend from IBM with extensive experience in business software, who joined as CEO in 2012.
The team grew the company without venture capital. It was profitable from day one and did not raise capital until 2019, when it raised a $200 million Series A round led by Accel. This was the company’s first outside investment after 14 years of organic growth and profitability.
🖥️ Products & Services
For consumers, the password manager is 1Password’s core offering that stores and auto-fills login credentials across devices and browsers, protected by end-to-end encryption and a zero-knowledge architecture.
For businesses, 1Password has evolved into a broader Extended Access Management (XAM) platform, composed of Enterprise Password Manager, Device Trust, and Trelica (SaaS Management Platform). 1Password Extended Access Management secures access to sensitive business resources by giving companies the ability to manage:
Shadow AI, unsanctioned and unmanaged apps (shadow IT) not secured behind single sign-on (SSO)
Unmanaged devices that are unprotected by MDM
AI agents with access to multiple systems and the ability to autonomously perform tasks
Password Management
1Password offers a password manager product to individuals, families and enterprises to manage their credentials to software solutions, documents, and credit card information with a browser extension and desktop/mobile application.
Master Password
When setting up 1Password, you’ll create a single Master Password, and a Secret Key will be generated for you. Together, these items will be used to encrypt and keep your data safe. The Secret Key is needed along with your master password the first time you log in from a new device. This key consists of 34 letters and numbers, separated by dashes.
The master password is not stored anywhere on 1Password's servers or databases. Instead, it is a passphrase used to encrypt the user's password vault locally on their device. To access the password vault and view or use stored passwords, the user must enter their master password.
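The following added example (not 1Password's code, and not its exact scheme) shows one way a vault key can depend on both the memorized Master Password and the device-held Secret Key: the password is stretched with PBKDF2, the Secret Key is expanded with HKDF, and the two results are XORed. The iteration count, salt, account identifier, sample Secret Key and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for this example


def normalize_secret_key(secret_key: str) -> bytes:
    """Drop the dashes and enforce the 34 letters and numbers described above."""
    compact = secret_key.replace("-", "").upper()
    if len(compact) != 34 or not (compact.isascii() and compact.isalnum()):
        raise ValueError("Secret Key must be 34 letters and numbers")
    return compact.encode("ascii")


def hkdf_sha256(key_material: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str,
                     salt: bytes, account_id: str) -> bytes:
    """Combine a low-entropy password with a high-entropy device secret.

    Someone who obtains server-side data but not the Secret Key cannot test
    password guesses, because every guess is XORed with an unknown 256-bit value.
    """
    password = unicodedata.normalize("NFKD", master_password).encode("utf-8")
    stretched = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=32)
    expanded = hkdf_sha256(normalize_secret_key(secret_key),
                           salt=account_id.encode("utf-8"),
                           info=b"example-two-secret-derivation")
    return bytes(a ^ b for a, b in zip(stretched, expanded))


# Constructed sample values, not real credentials.
SAMPLE_SECRET_KEY = "A3-EXAMPL-000000-SAMPL-00000-CONST-RUCTD"
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_ACCOUNT_ID = "ACCT-EXAMPLE"

if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple",
                           SAMPLE_SECRET_KEY, SAMPLE_SALT, SAMPLE_ACCOUNT_ID)
    print("derived key:", key.hex())
```

The same password with a different Secret Key yields an unrelated key, which is why the Secret Key is required the first time you sign in on a new device.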
Password Sharing - Vault
1Password securely stores and organizes passwords in a vault. The vault is only accessible through a master password or biometric authentication. 1Password’s password manager creates strong, unique passwords for each online account and has a browser plug-in to fill in login credentials on websites and applications automatically.
For family and enterprise plans, users can create multiple vaults for password sharing and monitoring. For example, sharing a set of streaming passwords from Netflix and Disney+ with friends, or sharing software credentials within your product team. This allows for seamless password sharing with clear visibility of what you have shared.
Security Watchtower
Watchtower is a dashboard that gives users a 360-degree view of their security. It detects data breaches and security incidents, and checks whether any of the user's stored passwords have been compromised in those breaches by comparing them to a database of leaked credentials.
Security Watchtower also scans the user's passwords for potential weaknesses and identifies passwords that are commonly used, easily guessable, or have known security vulnerabilities. Its duplicate password detection feature alerts users if they have multiple accounts with the same password.
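The two checks described above, breach matching and duplicate detection, sketched as an added example (not 1Password's code). The breach lookup here uses a hash-prefix range query so that only the first five hex characters of a password's SHA-1 hash are ever sent to the lookup side; that technique, the sample vault, the sample breach list and all function names are assumptions of this example.

```python
import hashlib
from collections import defaultdict

# Constructed sample data, not real credentials.
BREACHED_PASSWORDS = ["password1", "letmein", "qwerty123"]
VAULT = {
    "mail.example": "letmein",
    "bank.example": "T7#vq9!Lm2xR",
    "forum.example": "letmein",
    "shop.example": "T7#vq9!Lm2xR",
    "wiki.example": "g4Zp-81kQ-wY",
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Lookup side: group leaked-password hashes by their 5-character prefix."""
    index = defaultdict(set)
    for password in breached:
        digest = sha1_hex(password)
        index[digest[:5]].add(digest[5:])
    return index


def range_query(index, prefix: str):
    """Lookup side: return every hash suffix stored under the given prefix."""
    return set(index.get(prefix, ()))


def is_breached(password: str, index) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def find_reused(vault):
    """Group sites by password fingerprint and report groups larger than one."""
    by_fingerprint = defaultdict(list)
    for site, password in vault.items():
        fingerprint = hashlib.sha256(password.encode("utf-8")).digest()
        by_fingerprint[fingerprint].append(site)
    return sorted(sorted(sites) for sites in by_fingerprint.values() if len(sites) > 1)


def audit(vault, breached):
    index = build_range_index(breached)
    return {
        "breached": sorted(s for s, p in vault.items() if is_breached(p, index)),
        "reused": find_reused(vault),
    }


if __name__ == "__main__":
    print(audit(VAULT, BREACHED_PASSWORDS))
```

Note that a strong password can still be flagged as reused: the `bank.example` and `shop.example` entries share one password that does not appear in the breach list.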
Passkeys
Passkeys are the simpler successor to passwords. They’re a form of passwordless authentication that lets you sign in to accounts without memorizing or typing anything in. Behind the scenes, passkeys rely on public-key cryptography. That means every passkey consists of two parts: a private key and a public key. When you create a 1Password account with a passkey, the private key is never shared with 1Password. The public key is kept on our servers and used to verify your login attempts. It is useless without your corresponding private key. So if an attacker somehow broke into our servers, they wouldn’t find everything required to sign in to your 1Password account.
Other Features
There are also other key features within password management, including:
Password Generator: Password Generator is a cryptographically secure tool that automatically generates unique, complex, high-entropy passwords.
Login Autofill: When users create or update a login on a website or application, they can save their username and password directly to their 1Password vault. Later, when they revisit that site or app, 1Password automatically detects the stored credentials and prompts them to autofill their login details.
Travel Mode: Travel Mode temporarily removes sensitive vaults from your devices except those marked as “safe for travel”. For example, before your trip, you can mark only your "Personal Vault" as Safe for Travel—this vault includes your passport and flight details. Then you turn on Travel Mode. If your device is inspected, only that vault is visible, while others like “Engineering” or “Finance” are hidden until Travel Mode is turned off.
Source: 1Password Websites
Access Governance (Trelica)
Access Governance is a SaaS solution for discovering application usage and managing access to both managed and unmanaged applications. With over 300 integrations with leading SaaS vendors, its key features include Shadow IT discovery, spend optimization, contract renewals, and access management workflows that automate onboarding, offboarding, provisioning, and privilege escalation.
Trelica solves critical challenges that traditional solutions like SSO, MDM, and SSPM don’t address, including user provisioning and de-provisioning, reclaiming unused licenses, monitoring permission drift, and adjusting access during role changes. By focusing on IT administrators' most time-consuming tasks, Trelica ensures a secure environment while streamlining operations.
Device Trust
1Password Device Trust is a cross-platform endpoint security solution that ensures only known and secure devices can access your organization’s sensitive applications and data. Built to support modern Zero Trust architectures, Device Trust continuously verifies device identity and posture.
With real-time device health checks, Device Trust automatically enforces compliance across laptops, desktops, and mobile devices, whether managed or Bring-Your-Own Device (BYOD). Whether an app is behind SSO or not, Device Trust acts as your front line of defence by blocking untrusted devices at the point of access.
1Password Device Trust offers two flexible deployment options to match your organization’s security needs: (1) Device Trust Core and (2) Device Trust Connect.
Device Trust Core is designed to secure access to web applications by enforcing device posture checks directly through the 1Password browser extension. This lightweight approach ensures that only devices meeting your organization’s security policies—such as up-to-date operating systems, disk encryption, or firewall status—can authenticate, without requiring additional infrastructure or SSO integration.
Device Trust Connect extends these capabilities by integrating with leading identity providers (IdPs). This advanced deployment enforces device verification before users can even sign in to SSO-protected applications, blocking authentication attempts from unknown or non-compliant devices at the identity layer.
🏢 Markets
Stolen & Compromised Credentials
As digital infrastructure scales, so too does organizational exposure to cybersecurity risk. In 2015, the average company used 8 SaaS applications, it has grown to 2024. This explosion in software adoption has dramatically expanded the attack surface, making identity and access management a critical layer of defence.
According to a 2024 Cost Of A Data Breach report, stolen or compromised credentials were the most prevalent attack vector, with an average cost of $4.81 million per incident. Moreover, it takes an average of 291 days to remediate the incidents and consequences.
In the US alone, identity theft and stolen login credentials cost Americans over $12.5 billion. However, only 36% of the population currently use these security tools, and of those, over 60% rely on password managers that come with their devices and browsers (Chrome from Google and Apple).
The global identity and access management (IAM) market size was valued at $9.53 bn in 2018 and is projected to reach $24.76 bn by the end of 2026, exhibiting a CAGR of 13.2% during the forecast period.
⚔️ Competition
Password Management Solutions (Proton, Bitwarden, LastPass)
1Password competes directly with other password management systems with a similar business model serving both businesses and consumers, in addition to complimentary password managers such as Google Password Manager and Apple iCloud Keychain. 1Password positions itself as the 3rd largest independent password manager behind LastPass and Bitwarden at 5%.
1Password would have to continue to compete for market share by providing a greater user experience, security, pricing, distribution and platform support. However, most of 1Password’s effort and focus have shifted towards enterprise customers, as they represent a far larger market compared to consumers, from a TAM and LTV perspective. For example, 1Password charges a license fee of $66/user for enterprise customers and $36/user for consumers.
Enterprise Identity Management Platforms (Okta, Zluri, Microsoft, Ping Identity)
The enterprise identity management (EIM) market focuses on broad identity governance and access management. As 1Password broadens its product offerings to device and software management, it competes with IT security platforms serving larger enterprises with sophisticated IT management needs. As these platforms are mature and offer a suite of IT security products beyond 1Password’s XAM offerings, 1Password would have to adapt
Horizontal Platforms (Brex, Ramp, Deel, Rippling)
The greater penetration of horizontal platforms like Brex/Ramp (financial secrets) and Deel/Rippling (HR/IT access) has also rolled out a “solo” password vault experience as value shifts towards tools that can facilitate the “multi-player” experience of being able to share and collaborate over secrets as a team.
1Password's challenge lies in demonstrating its value as a unified solution capable of securely managing a diverse range of secrets across various teams and workflows, preventing the balkanization of sensitive information and maintaining its relevance in an increasingly specialized market. To thrive, 1Password must not only outmaneuver direct password management rivals but also strategically navigate the gravitational pull of EIM and the centrifugal forces of niche horizontal players, emphasizing its comprehensive security and collaborative capabilities.
⚙️ Business Model
1Password operates on a SaaS business model. There is no free version of 1Password, and after a 14-day free trial, all users must subscribe monthly or yearly to continue accessing the password management service.
The company offers five subscription packages: Teams Starter Pack ($19.95/month), Business ($7.99/month/seat), Enterprise (customized), Individual ($2.99/month), and Family ($4.99/month). Each plan provides users with features such as unlimited password creation, autosaving and auto-filling, two-factor authentication, and 24/7 email support, with varying levels of functionality and pricing.
💰 Valuations & Fundraising
1Password has raised over $920 million across 3 funding rounds, with notable investments from Accel and ICONIQ Capital. The company's latest Series C round in January 2022 raised $620M led by ICONIQ Capital with participation from Lightspeed, Accel, Salesforce Venture, Tiger Global Management and angels including Ryan Reynolds, Robert Downey Jr, Matthew McConaughey, Rita Wilson, Justin Timberlake, Chris Evans, etc.
The lead investors for the previous round include Accel (Series A + Series B)
A Story About Bootstrapping
Since its inception in 2005, the company bootstrapped and grew without external capital for 15 years until 2019, when the competitive landscape for password and identity solutions changed and 1Password struggled to make its brand known to talent and enterprise customers. Jeff decided to bring in Accel as a strategic partner to build out its executive team, accelerate its enterprise GTM effort and apply inorganic growth strategies to accelerate growth.
“It became clear that we were missing real opportunities….. We were in increasing competition to attract world-class talent in marketing, finance, and other areas. Because of the company’s historical self-sufficiency, it was a bit of a black box to outsiders who knew almost nothing about us” Jeff Shiner
♟️ Key Opportunities
B2B International Expansion
Today, the majority of 1Password’s enterprise traction remains concentrated in North America, yet global demand for secure identity and secrets management is only accelerating. With over $1.0T in IT spend across APAC and $500B in EMEA, the international enterprise market represents a multi-billion-dollar whitespace.
1Password is in a prime position to capitalize. With a healthy balance sheet and strong brand affinity in security-conscious markets, the company can now deploy capital to build a mature global go-to-market (GTM) motion, targeting mid-market and enterprise IT buyers across regions.
The logical go-to-market strategy follows the "hunter-farmer" analogy. Initially, the focus should be on "hunting" in key markets with white space, concentrating on logo acquisition and ARR. Once geographic expansion is established, the company can develop a "farmer" model with dedicated account managers to nurture existing customers, focusing on net dollar retention and churn.
Inorganic Growth Engine (M&A)
Acquisitions present a significant opportunity for 1Password to drive its growth goals. The company can strategically acquire other businesses or technologies to expand its capabilities and offerings. For instance, in January 2025, 1Password acquired Trelica to expand its service offerings to cover SaaS management for IT teams; in November 2022, it acquired Passage, allowing it to build an end-to-end solution for passwordless authentication; and in April 2021, its acquisition of SecretHub allowed it to launch its 1Password Secrets Automation service.
These inorganic growth initiatives allow 1Password to rapidly expand its service offerings, onboard high-quality talent, consolidate market share, and ultimately expand wallet share from IT teams.
⚠️ Key Risks
Rise of Passwordless Authentication
The rise of passwordless authentication replaces passwords with biometrics, passkeys, social login, and one-time codes. These solutions offer a superior user experience and better conversion in high-friction environments like e-commerce. Companies like Transmit Security ($2.2B), Stytch ($1B), Magic (raised $31M), and Veridium (raised $16M) have risen to provide alternative passwordless login solutions to consumers and enterprises. If passwordless becomes the norm across enterprise workflows, 1Password would need to adapt and develop passkey and biometric solutions to keep up.
Commoditization of Password Management Offerings
With the increasing awareness around cybersecurity and the growing need for secure password management, the industry has seen significant competition and the entry of new players. New entrants and existing competitors enhancing their offerings could lead to commoditization of security offerings, where prices continue to fall. 1Password would need to differentiate its product offerings to maintain and create pricing power over its security solutions beyond password management.
Thanks for reading till the end of the issue. Subscribe to follow the next deep dive on RoseRocket, the transportation management software platform for trucking and logistics companies.