Bringing 1Password's security to AI agents
Overview
As the design lead on this project, I partnered with our PM and engineering team to define and ship a 0→1 product that enables AI agents to securely authenticate on behalf of users—without ever exposing their credentials.
The result was 1Password's first integration purpose-built for agentic AI—launched in partnership with Browserbase and covered by major tech publications including The Verge and TechRadar.
The Problem
Users want AI agents to automate tasks for them, but have limited options to grant access without exposing their credentials.
Users are forced to hand over credentials directly to AI agents in order for them to act on their behalf. This creates inherent risks and vulnerabilities as credentials are exchanged and utilised over insecure channels.
Security risks
Credentials exposed in logs, chat histories, or repositories risk data leaks.
Productivity loss
Manual secret handling slows teams down and diverts focus from building.
Adoption barrier
Security-conscious teams hesitate to automate without secure credentials.
The problem
Types of AI agents
As AI agents become more capable, they're being deployed in increasingly diverse ways. Understanding these different agent types helped us design a solution that works across the spectrum of use cases.
Browser-based Agents
Browserbase enters the chat.
1Password partnered with Browserbase – an AI agent browser platform – to develop an integration for their product Director.ai that would allow users to securely provide their credentials to AI agents.
I created a vision prototype to show Browserbase and internal stakeholders how an integration could work and how it would help both of our customers.
Research Insights
Speaking with 6 Browserbase customers to understand their needs.
Marta, the research lead on this project and myself teamed up with the Browserbase team to conduct a research study with 6 of their customers to understand how they are using Browserbase and how they are currently handling credentials when using agentic AI. Three distinct personas emerged from the research:
What we learned
MFA is a major pain point
Multi-factor authentication consistently disrupts automation flows for all user types.
Current methods are insecure or complex
Users either give plain text passwords to LLMs (insecure) or build complex integrations that are hard to maintain.
Brand trust matters
Users trust well-known security brands like 1Password over lesser-known alternatives.
The tl;dr
Individual users will sacrifice security for automation. Admins will sacrifice automation for security.
Why not MCP?
MCP wasn't the answer for credentials, so we built our own.
MCP servers are designed for general-purpose integrations—not for handling sensitive credentials. Exposing passwords through an MCP server would create a security vulnerability, as credentials could be logged, cached, or accessed by unintended processes. It was a pathway that we ruled out pretty early on.
Agentic Autofill takes a different approach. Credentials never leave 1Password's secure vault. Instead of passing secrets through the model context, 1Password injects credentials directly into the browser at the moment of authentication—keeping them encrypted and invisible to the agent itself.
The Prompt
The 1Password access request.
When an AI agent needs to authenticate, 1Password presents the user with a clear authorization request—showing exactly which service is requesting access and which credentials will be used.
1Password Access Requested
Allow BrowserbaseBrowserbase to use 1Password to
autofill 3 items on your behalf
The Requester
High visiblity given to the platform or AI agent requesting access to your 1Password item(s).
Choose a different item
If the Agent requests the wrong item, the user can choose a different item or remove it.
There were pros and cons to this approach of displaying a Just in Time Prompt (JITP) to the user via their desktop or mobile device.
Advantages
- Transparency: Users see exactly which credentials are being requested and by which service
- Trust: Leverages the trusted 1Password brand that users already rely on for security
- Control: Granular ability to approve, deny, or modify access on a per-request basis
- Security: Time-bound access and explicit consent reduce risk of unauthorized use
Trade-offs
- Interruption: Breaks automation flow—the very thing users are trying to achieve
- Prompt fatigue: Frequent requests from the same agent could lead to approval fatigue
- Cognitive load: Users must evaluate each request, which can be taxing during complex workflows
- Blocking: Agent workflow pauses until user responds, limiting autonomous operation
Prompt Design Guidelines
How do you design for something that's non-deterministic?
AI agents are inherently unpredictable. A key part of this project was defining guidelines that create predictable, trustworthy behavior when agents handle sensitive credentials—ensuring transparency, minimal access, and user control at every step.
Impact
Agentic Autofill was one of 1Password's most visible and successful launches to date.
The Secure Agentic Autofill launch with Browserbase generated significant media coverage, positioning 1Password as the trusted security layer for agentic AI.
“It remembers the passwords that you can't, and hides them from AI bots that can't be trusted to forget.”
The Verge
What about usage?
Actual usage was low – but that was never the goal.
That wasn't surprising or unexpected news for our team given a couple of factors:
- The user needs to have both a Browserbase and 1Password account.
- The user needs to use the specific Director.ai web interface.
So usage was never a success factor for this project. Success was measured on how successful the launch was as a means of publicly positioning 1Password as the trusted security layer for agentic AI, and therefore paving the way for future integrations with other platforms and use cases.
What's Next
From Browser Agents to Autonomous Agents.
The Browserbase integration was just the testing ground. We're now exploring how 1Password can securely provide credentials to fully autonomous agents that operate independently—without human oversight or real-time approval flows.
This raises new design challenges around trust, delegation, and control. How do you grant an AI agent access to sensitive credentials when there's no human in the loop? We're actively researching policy-based access controls, time-bound permissions, and audit trails that give organizations confidence to automate at scale.
