The Security Interviews: David Faugno, 1Password

Although companies may embrace emerging technologies to remain competitive, they can be risk-averse, especially when it comes to changing their customer base. However, 1Password made exactly this shift in focus when it moved from being consumer-focused to providing enterprise-grade security solutions.
In 2006, the company 1Password developed a password manager of the same name for the Windows, Android, iOS and Linux platforms. Since then, it has earned a reputation for being a secure method for protecting sensitive user information.
Software licenses and other sensitive information can also be securely stored in a virtual vault on its servers. The vault is locked with a master password guarded by a password-based key derivation function (PBKDF2), a password storage algorithm designed to deter brute force attacks by making them computationally expensive.
David Faugno had previously been enjoying a semi-retirement, working as a board member and adviser for various companies, including 1Password. As his interest in the company grew, he soon became increasingly impressed with its collaborative approach and transparency. He was invited to join the company as its president and chief operating officer in September 2023, before becoming co-CEO just over a year later.
Faugno had previously spent more than 10 years with security and storage provider Barracuda Networks as its chief finance officer. Faugno’s experience with Barracuda Networks gave him a broad understanding of the security landscape, as well as a unique perspective for solving security problems facing organisations of all sizes.
When Faugno joined 1Password, the world was emerging from the Covid-19 pandemic. Covid transformed the way companies operate by accelerating remote working technologies and encouraging people to work from home and, since then, hybrid working has become the norm in many sectors.
“The world was fundamentally changing. The way people worked and the tools that businesses had provided to their employees to stay safe and secure, and create a secure perimeter, no longer really existed,” says Faugno. “This got accelerated pretty dramatically during the pandemic, which is right at the point in time when we first invested and got involved.”
As a consequence of the proliferation of remote working, the security perimeter for an organisation also expanded. Previously, the security perimeter had been at the endpoints of the corporate network, but now it has extended into the homes of employees.
Most cyber security incidents are due to compromised credentials, such as stolen, weak or reused passwords. Consequently, employees who use weak identification systems at home may inadvertently expose corporate networks to attack.
To maintain the security of a corporate network, it is therefore essential that the devices in employees’ homes are also protected. One method for achieving this is to provide each employee with a free family license for a cyber security package.
Balancing security and data privacy against accessibility and usability can be challenging, as these aspects can often be at odds with each other. Faugno acknowledges that uncompromised security may cause friction with setup and account recovery. However, 1Password took a decision early in the product development cycle to focus on ensuring that the most secure way was also the easiest. This led to a rapid uptake of its password manager, which resulted in it being adopted into thousands of businesses.
Faugno soon noted that although 1Password was primarily a consumer-focused product at the time, it was becoming increasingly used in the enterprise sector.
“When the work environment started to change and people started to get access to resources that were not being necessarily centrally controlled through their SSO, or through the tools that the company had put behind the firewall, these security-centric folks in business thought, ‘Oh, I can use 1Password for this’,” says Faugno.
“We got pulled into thousands of business environments by these people. That’s when our awakening happened – the battlefield had moved from the building walls to where the end user was, wherever they were, with whatever tools they were using.”
One of the first things Faugno did when he joined 1Password was to hire a finance leader. By having a sales team engage with enterprise clients to understand their needs, such as administrative controls or additional reporting functionality, 1Password was able to develop its existing platform and market an enterprise service to the business community.
“When we first made the investment in 1Password in 2019, the company had zero salespeople and pretty much zero accountants,” says Faugno. “It was nothing but developers, building a great product, and support people. Those use cases would organically come, but what we weren’t doing is interfacing with the chief information security officers at large enterprises to share how our platform fits into their overall security architecture.”
1Password started building infrastructure around enterprise level support and billing capabilities, as well as sales and post-sales implementation capabilities, to allow it to engage with the business sector.
Any change to a company carries with it a certain level of risk and expense, especially when it involves adapting to a changing market. It has taken four years, but 1Password’s core business model has created a solid foundation for the company to build on.
Despite the absence of salespeople and accountants, 1Password’s cash flow had remained profitable. This strong position allowed 1Password the opportunity for forward investment (investing in a company to improve a return on investment) without sacrificing profitability.
Although maintaining durability of growth is essential for financial sustainability, it can be challenging. Unless an organisation has a financially stable core product, it can spend significant resources on promotion that produces a sudden growth curve, only for that unsustainable growth to stop as soon as the money is used up.
1Password had the opportunity to invest in itself while remaining profitable in the different sectors, ensuring durable growth. Instead of optimising for profitability, 1Password is forward investing across several areas without the need to pay off debt from a private equity transaction.
“Over 75% of our sales are to companies, but so many people think of us as a consumer business, because either they know us personally or they’ve seen the legacy of us over the 20 years,” says Faugno.
The cyber security sector is a constantly evolving market, with an ongoing war of attrition between hackers and security teams: what is cutting edge now could be obsolete in six months’ time. Not only must security companies have a solid product, but they must also constantly update it in response to emerging threats.
Soon, one of the key challenges that cyber security teams will need robust solutions for is protecting their communications in a post-quantum world. Quantum computers can process vast amounts of information in a fraction of the time that classical computers would take, including today’s supercomputers. This will have massive implications for cyber security, as quantum computers will be able to quickly break current encryption systems.
There are various technologies already being developed that are described as quantum resistant, but testing of these is still ongoing. Rather than focusing on a specific technology, 1Password has teams researching emerging challenges. The future security challenge presented by quantum computing necessitates a multifaceted security strategy – 2FA/MFA, passkeys and federation (authentication across networked systems).
“We have teams that are engaged deeply in thinking about what’s not only the next step, but two steps ahead,” says Faugno. “The world is changing across a number of dimensions, and quantum computing represents one. Passkeys are going to help, but the pathway to password lists is a journey that’s going to take decades.
“Our view is that you have to start with the visibility of everything that exists and move everything on the continuum to password lists. Today, that is having strong and unique passwords and encrypted vaults, adding multi-factor authentication, using passkeys where they’re available, and ultimately moving to federation.”
Reputation is essential, especially in security. If a tool has proven itself to be viable and effective protection against attacks in the wild, then that will carry over into the business sector and naturally generate interest from organisations.
“If you can build that level of endearment to the end user at the individual level, then what you can do for the business user is very similar,” concludes Faugno. “You can satisfy the most robust and hard-to-crack use case for making someone feel like this tool is helping them be secure and productive.”




