1Password keeps your credentials secure through end-to-end encryption, zero-knowledge architecture, and more. Read their latest white paper on security design.
Connect with Nancy on LinkedIn or email her at nancy.wang@1password.com.
Congratulations to user Binita Bharati for winning a Populist badge for their answer to How to know the version of currently installed package from yarn.lock.
TRANSCRIPT
[Intro Music]
Ryan Donovan: Hello, and welcome to the Stack Overflow Podcast, a place to talk all things software and technology. I'm Ryan Donovan, your host, and today we are talking about security for local agents. My guest today is Nancy Wang, CTO at 1Password. Welcome to the show, Nancy.
Nancy Wang: Yeah. Thanks so much, Ryan, for having me.
Ryan Donovan: Of course. So, before we get into the topic, we like to get to know our guests a little bit. Can you tell us how you got into software and technology?
Nancy Wang: I am very lucky in that my father is an engineer. He is the, actually, very classic engineer, not this, 'write software, nothing's really real' engineer, but rather, grew up fixing cars in rural Northwestern Wisconsin. He is a metallurgist by training. And so, whenever he would take me to his workplace, things were real. We could hold pieces of metal. He showed me his mass spectrometer. We played with different machines. And so, for me, it was that early age of, wow, I really love understanding how things come together, how to take it apart, and also when stuff breaks. Yeah. So that really started my love of engineering, then went on to do engineering East Coast at the University of Pennsylvania, where it was really that kind of combination of, okay, how do you solve problems that benefit humans, but also how do you build businesses? And so, I've always been kinda a product-minded engineer by training, but certainly, that's led [me] to now exploring the next frontier when it comes to how do we assign agents and identity? How do we make sure that agents don't go rogue and start hunting humans? And all the above.
Ryan Donovan: That's right. The whole anti-terminator squad. I appreciate it.
Nancy Wang: Exactly.
Ryan Donovan: With local agents too, a kind of naive view, it might be like, 'oh, those are more secure.' There's no traffic coming in, it all exists on your computer, but I suspect that's not the case. What is the security risk profile for local agents?
Nancy Wang: Don't take my word for it. In fact, actually, Elon Musk today was reposting Jason Miller from the 1Password Team, who had written [an] actually pretty detailed blog about all the security risks with Clawdbot, now known as Moltbot and OpenClaw. And in fact, actually Ryan, before I had made this prediction that local agents are going to be the predominant way that folks run agents, at least for the next 12 to 18 months, and I said that before Clawdbot came out. Or really, right around the time. Obviously, that has snowballed into now you have a bunch of security researchers all doing threat analysis and security risk analysis on this open-source agent, including 1Password. And look, this is kind of real proof that local agents are not theoretical. It's out there now, you can't stop it. And I think in terms of unique security challenges that it brings, Clawdbot running on your, let's say, device—and this is why we say at 1Password, 'please don't run it on your work laptop.' In fact, actually, we now have ways to understand if you are, because it has access to the real execution context. So, when we think about files, repos, terminals, even browsers, and local tools to your dev environment, those are all now accessible by Clawdbots. If you think about what it can do with this tremendous access of very sensitive information and tools, well, that blast radius is massive. And so, this is probably why we saw a run to the Apple store for Mac Minis, right? Because, hey, I don't feel comfortable running it on my personal laptop because I might have bank account information, sensitive documents in my file system, local disk, so on, so forth, let me actually go get a completely new minicomputer to actually run this.
Ryan Donovan: A lot of people have been talking about agent sandboxing, whether that's in a cloud environment or locally. And I've been talking to folks about, do you take your agent and mount it on a VM? How do you actually sandbox it?
Nancy Wang: I just feel like software repeats itself. And that's the cycle, which is: I remember when I first started out in industry—now I'm dating myself—about 15 years ago, I was one of the early builders at a company called Rubrik, which did VMware Backup Recovery. That was our first product. So, back then we're thinking about, oh, virtualization, right? This separation of compute memory and processes. So, now we're thinking about agents and how file systems, right? That's a big thing, as a storage nerd, is file systems now are at the forefront again, because agents work through a file system by accessing files. And also, this concept of separating, as I mentioned, memory, compute, and other processes through sandboxing. In fact, actually, I will point, and maybe we can share the link as well – one of our VPs of engineering, he heads up AI at 1Password, actually did a demo with a swarm of agents, and I think the use case they had done was DevOps. So, over 500 agents swarm. And just understanding what agent is doing what, and basically limiting the access of any one particular agent to a specific set of files and context, right? And so, I think that's gonna become certainly more prevalent as we're not just using one agent, but potentially a swarm of different agents. For example, how Cursor uses a swarm of agents to build a browser, in my opinion, [is] part of our everyday life in the next coming months.
Ryan Donovan: Are we just reinventing user access controls for agents? Is it gonna be like Active Directory for agents now?
Nancy Wang: Something like that. Although, I feel like with every reinvention you get a little different flavor, right? It's not vanilla ice cream, but vanilla honeysuckle. Clearly, I'm hungry, so I'm thinking about food. But that's how I would say software reinvents itself. Yes. In fact, actually, I was chatting with the head of agent security at one of the big model providers, and how they [are] thinking about agent security. And really, it boils down to two layers of the stack right now, which is the identity layer and the network layer. And certainly, in the identity layer, sure, we've had concepts around workload identity for a very long time, right? SPIFFE, that was created by Google Engineers, SPIRE, and all of these different protocols to vend or issue agents an identity. But obviously, we're also thinking, is that something that still holds in the age of AI, where agents are ephemeral? They get spun up, spun down, right? You have many of them. And so, does the identity at the time of issuance actually match the identity at time of execution? Sometimes not, right? And so, this means there's tons of actually very interesting papers I've been reading lately about DIDs, or even verifiable digital credentials, which is something that we're very big about here at 1Password, about how can you actually verify the identity of an agent? Obviously, it's very straightforward if that agent, let's say, belongs to Ryan, and that agent is Ryan's calendaring agent. It's very obvious what access, what permissions, what ACLs, right? But let's bring back ACLs from the past that that agent should have access to. But what about in a world where you have a fleet of agents that are acting as SREs in that demo use case on behalf of your company, right? What happens? Where does chain of custody come in? Where does accountability come in?
Ryan Donovan: Yeah, and you talked about the agents being spun up, spun down – that probably means that this identity has to be stored somewhere, repeatable, reusable, redeployable. How do you do that safely? It almost seems like you need credentials to get the credentials at that point.
Nancy Wang: Absolutely, and this is something we're thinking a lot [about] in-house today, which is, hey, let's say, when you have your private key and your public key, yes, you can log into your vault and access your credentials. What if you also want your agents to be able to access your credentials? And also, you bring in this concept of intent, because is the agent actually acting in the way that you intended to, or is it just going rogue and doing all sorts of funky things with your credit card? For example, the concept of intent – the context around why agents will take certain actions, along with who spawned that agent or who is responsible for that agent. There's just so many more attributes and signals that go into what makes up an identity than there ever was in the past.
Ryan Donovan: Sounds like there's a lot more to security than a standard programmer, standard user. It's: to worry about the files, you have to worry about the tools that they're using, but now you [also] have to worry about it misusing, or hallucinating, or doing bad things with the tools and files that they have.
Nancy Wang: It's an arms race because if we think about a couple months ago, and there still is a whole slew of MCP gateway solutions, which is, alright, if we enforce one choke point for where calls are gonna come from, we can then monitor, observe, and govern those calls. And now you have skills. You can't determine when, and even if an agent will call a particular skill. So, in the case of, let's say, safe credential handling, which is what we're all about for humans, machines, and agents, how can you guarantee that the agent is gonna call that skill? And so, that's where a lot of our thinking is today, because you can't predict the output based on the input with agents.
Ryan Donovan: The wide number of skills that are being added to things, especially on the OpenClaw, or Moltbook, or Claude, whatever it is at this point.
Nancy Wang: Yeah. We'll wait for the next name change in another week or so.
Ryan Donovan: There you go. It has a sort of open registry that people can add, and it's turned out that several of those skills are malware. How do you protect against that sort of attack?
Nancy Wang: Yeah, that's something that's top of mind, because again, it goes back to the intent of the agent, right? To the agent, it might just simply be calling a skill, and this is where, and again, Jason wrote about this, where it can easily be calling a skill that is linked to a malware package that you might not even know about. And so, this goes back to the use of agents, and production is gonna quickly outpace the guardrails and the controls that we have for today with existing security tools. There used to be this thinking that, hey, let's just control where we use agents, and maybe adoption will follow a paved path. Now, I think that especially with open-source projects like OpenClaw, the doors have busted open, right? The floodgates have opened. People are using it in production. And so, how do you apply guard rails after the fact? And especially here, 1Password credentials are keys to the kingdom, right? And so, if you don't have a credential, and especially in the AI world, API keys, SSH keys, those are very critical credentials for a developer or their agent. And so, governing the access thereof becomes the choke point.
Ryan Donovan: How do you govern the access of a credential store when that credential store can be accessed by any given sort of program spun up like any disposable agent?
Nancy Wang: Yeah, so some of our thinking, and this will evolve as I'm sure you'll see in our product offerings, is because we are actually available on every local endpoint for our customers through our device trust that's installed on the local endpoint, we have signals that not many people have, which is: runtime signals, user behaviors, what sort of software they're running locally, what types of packages exist. So, with all of that telemetry, it just gives us much, much more, I would say, richer signals available to say, 'okay, is this access permitted? Or is this a malicious actor? Because its user behavior is way off the charts.' So, I would say that's a lot of signal. Plus, being on device, there's also passkeys, biometrics, and we acquired a company a couple years ago called Passage. We're using its infrastructure into our passkey management, for example. All of that is included in verifying the identity of the individual or the actor. And then, that will then lead to us being able to broker access. And notice how I'm making a big deal about brokering and not giving, and the reason for that is giving access in my [opinion] means long-lived, hey, I'm gonna just hand you the keys to the house. And the analogy that I like to use is instead of giving the master key to the house, the entire house with however many rooms, you give a badge that accesses one room for, let's say, five minutes, while you as a human are even in the loop and monitoring. And so, that's just orders of magnitude different in terms of security guarantees and frankly just overall trust, which as I've heard from CISOs that I speak with, trust is the biggest barrier to wider spread adoption of agents in the enterprise.
Ryan Donovan: That's brokering access. Is that sort of like proxying a call – throwing a token in an intermediary, and then just doing pass-throughs?
Nancy Wang: That's one method, certainly, yes. The reverse proxy that we're all quite familiar with. And then, whether it's OAuth, or upstream provider, or et cetera. And then, us being able to lease out the token for a very specific amount of time for what that agent is intending to do. That's certainly one method. Regardless of whatever method we end up using under the hood, our ethos is always simplicity. One of the reasons customers have really enjoyed using 1Password forever is that we're simple, easy to use, and most oftentimes it just works. So, that's the ethos that we wanna carry as well to our emerging agent security platform.
Ryan Donovan: Attackers try to get the credentials from the source, but if you have a credential store, then you have a spectacular thing to steal. How do you provide the extra security on a credential store over just credentials?
Nancy Wang: We can certainly link our security white paper, but it's something that we're actually really proud of. In fact, I'll call it a crown jewel of 1Password, is our zero-knowledge architecture. So, through a combination of public key and private key, which only you as a user has access to your private key, it's almost like a bank vault, right? Just 'cause you have one key doesn't mean that you can unlock that vault. And so, with both keys present, then we can actually see into the content. And actually, what that means is even as the provider, 1Password, we actually can't see into your credential vault. So, please make sure that you don't lose your private key and your recovery key, otherwise we'll have to have a longer conversation. And of course, any operations that we do on to your credentials actually all happen within a confidential computing enclave that we built in-house. And so, that means every memory is separated from storage, so we can't see what's happening to your credentials. And that we use, for example, when you're auto-filling credentials on the browser. Soon, for example, when we have agents handling credentials, all of that is gonna be done inside our confidential computing platform.
Ryan Donovan: Is it still open to brute force attacks? And are those brute force attacks even reasonable?
Nancy Wang: I'd have to probably ask my crypto expert here, but I would imagine, given that we've had a zero-breach history, that we've probably had the team thinking about this.
Ryan Donovan: I know that there's certain cryptographic methods, like SHA-256, which are basically unbreakable, and using a PGP-type key probably helps. So, you have, for the credential store, you have a sort of private/public key that works the same for agents.
Nancy Wang: So, with agents, at least right now, the design thinking is [that] most agents can be associated back to your human. And so, this is where, as the soon human agent-centric credential store for the global world—I can't even say workforce because we have actually millions of consumer customers as well in addition to enterprise users. And this is actually one of the ways that 1Password is special, and why I joined the company, is it's very rare to have that split across two segments, very different segments, in the cybersecurity world. So, in that case, if you're an agent and you are delegating authority to your agent, then you've already authenticated into 1Password as yourself. This public, private key.
Ryan Donovan: As we've seen with OpenClaw, one of the superpowers of it is you basically give it access to everything. Are there ways to put some guardrails on that access to everything, so it's not like texting credit card number to all your friends, basically?
Nancy Wang: Yeah, so this goes back to isolation of runtime environment, right? So, if your runtime environment is isolated, and again, the demo really, I showed this in action – if an agent is only given access to certain file paths, for example, then that's one way to restrict access. Obviously, I think that thinking will continue to evolve. Another interesting thread, maybe what we can pull on in the future, is also how: do the underlying substrates evolve as agent access becomes more prevalent? So, today we often think about file system, either as, let's say, Amazon S3, which [is an] object store, but could be used as a file system, or elastic file system, or the – as agents get more prevalent in doing code generation activities, or even acting as infrastructure engineers, do the underlying substrates, like S3, become S4? So, that's the thinking is, do they also evolve to meet the security needs of agents?
Ryan Donovan: Do you expect everybody with their Mac Minis, do you expect Mac Mini to evolve their underlying file system substrate to just make it a Parquet system, or whatever?
Nancy Wang: I would hope so. Certainly, with my security brain, I would certainly hope so, such that, Jason, who wrote the blog, shared with me that he had just installed it on his personal laptop a few days before writing the blog, and it started autonomously texting his wife and asking her about her day. That's obviously a very benign use case, but imagine if that OpenClaw now suddenly had access to your email, and was actually sending out emails on your behalf from your work laptop. That certainly enters a whole new era.
Ryan Donovan: Sure. That's a weird future where it's sending messages to your spouse or whatever. Do you ever wonder that this level of local agent access is a bit too dystopian?
Nancy Wang: I think this goes back to what we talked about earlier, which is at this point, people are so drawn [to] the productivity gains available via AI, that they're just going for it. They're gonna use it whether or not you firewall them or not. And so, I think Claw was a great use case, just given how viral it's gone, how many stars on GitHub, it's trending, right? I think it reflects that emotional urge from human beings of, we're gonna use this to help us have a better quality of life. Now, with that said, that's gonna give rise, as we talked about during this episode, to a whole slew of problems around access, around blast radius, around unrestricted permissions of access that are gonna come as an afterthought. So, for all those folks who did a run on the Apple Store for Mac Minis, [we] sincerely hope that they read our blog, and they capture things about how to not give it access to certain things, or how to restrict access or sandbox.
Ryan Donovan: For an individual user, is it a viable solution to have the swarm of 500 agents as a user access barrier?
Nancy Wang: I think it depends on who you are. If you're a hacker hobbyist, potentially because look, I think it'd be cool to spin up a swarm to build a browser in a day, or even to reimagine what the next evolution of our UI could look like, for example. I think those are all great use cases. Obviously, of course, there's also a lot of nuances involved with, for example, today our infrastructure operations – that could likely benefit from a swarm of agents.
Ryan Donovan: Like you said, you also have a lot of consumer users, and I think I worry about once this sort of local agent phenomenon hits the regular consumer. My dad texted me today just to be like, 'Anthropic, do we need it? Is that a thing we need?' And I was like, oh, they're gonna get so beat up once they have agents access everything.
Nancy Wang: I guess my hot take for the future is [that] agents are gonna become almost like the equivalent of a thin client, with the model acting in the back as a server of some sort. And so, the question then becomes, what happens to essentially the UIs that we know of and are familiar with today? Will it just become skills that an agent calls, and in the future, instead of browsing the internet, which might already date us by the time this episode comes out, 'hey, what's the weather?' You might just simply [ask] your Claude, Claude Cowork or Claude Code or whatever you use, 'hey, what's the weather today, and should I bring an umbrella? Or if I don't have one, let's go buy one.' And what normally would take you browsing through maybe three websites like weather.com, amazon.com, with your credit card, could all probably be done via one prompt. I truly do think that as this starts becoming part of our everyday life, that becomes the way that we access most – I'm not sure if it's even called applications at that point, but most services.
Ryan Donovan: I almost wonder, on that, if the agent-ness, the AI-ness, is just gonna be hidden from everybody. I've seen agents embedded into SaaS applications as, 'here's a button, here's some config fields,' and just press a button. And it's not necessarily an agent; it's just a feature.
Nancy Wang: That could very well be what's true in 6 to 12 months, just given how things move around in this day and age. I used to say, 'I have predictions for the next three to five years.' No, these days I say I have predictions in the next three to six months.
Ryan Donovan: If you have a prediction for outside of the six months, what's your spiciest ones, or what is the one you think is most interesting to drop on people?
Nancy Wang: Yeah, the most interesting one is UX UI is not gonna be what it is today. As I mentioned, it's likely just gonna be an agent calling a skill, and I think the power or the influence is gonna come from folks who have data moats, because building an app itself won't be that hard anymore with platforms like Lovable and et cetera.
Ryan Donovan: I've seen things like the temporary UI, the sort of on-the-fly UI. Do you think that's a real possibility?
Nancy Wang: So, I know of actually this one company that's doing very cool things called Flint.ai – great founder, by the way. And what they're doing is essentially on demand, or dynamic front ends, right? Websites. That could be a thing. And certainly, it depends on how specialized we wanna be, which is, hey, Ryan comes to a website. We know that he is an airplane hobbyist, right? And so, if he goes shopping, we're gonna present him with things that appeal to him. That could be the way of the future.
Ryan Donovan: I've also thought that there's gonna be one sort of front-end piece to everything, right? One text box that has all the skills.
Nancy Wang: And this is where, as 1Password, we have over a billion credentials that folks have stored with us. So, that's truly our crown jewel, is the fact that we've stored them for a very long time, folks trust us with their digital lives, and the way that we continue keeping them secure is gonna be why they trust us to also keep their agents secure. This is why we're also doing a lot of work internally to make sure that we're up to snuff when it comes to post-quantum. That's another can of worms, I would say, as agent security platforms are evolving so, so quickly, the question around agent identities is gonna remain forefront. And certainly, the ability to, for example, do a chain of custody or tie an identity back to a human, to another machine, or to a corollary or a swarm of agents is gonna be the winning recipe. And so, I'm super excited to see, obviously, what we do at 1Password, but also the broader industry, and how we're gonna solve this challenge.
Ryan Donovan: It is that time of the show again where we shout out somebody who came on to Stack Overflow, dropped some knowledge, shared some curiosity, and earned themselves a badge. Today, we're shouting out the winner of a Populist badge – somebody who came on to Stack Overflow, dropped a little knowledge, and had an answer that outscored the accepted answer by 10 or more points. Today, we're shouting out Binita Bharati for answering, 'How to know the version of currently installed package from yarn.lock.' If you're curious about that, we'll have the answer for you in the show notes. I'm Ryan Donovan. I edit the blog and host the podcast here at Stack Overflow. If you have comments, questions, concerns, topics to cover, please email me at podcast@stackoverflow.com, and if you wanna reach out to me directly, you can find me on LinkedIn.
Nancy Wang: And thanks so much for having me today on the podcast, Ryan. My name is Nancy Wang, the CTO at 1Password, and if you wanna drop me a line on what you're thinking about, different agent identity methods, you can drop me an email at nancy.wang@1Password.com, or hit me up on LinkedIn.
Ryan Donovan: All right. Thank you for listening, everyone, and we'll talk to you next time.
