1Password for the age of AI agents
Overview
As the design lead on this project, I partnered with our PM and engineering team to define and ship a 0→1 product that enables AI agents to securely authenticate on behalf of users—without ever exposing their credentials.
The result was 1Password's first integration purpose-built for agentic AI—launched in partnership with Browserbase and covered by major tech publications including The Verge and TechRadar.
The Problem
Users want AI agents to automate tasks for them, but have limited options to grant access without exposing their credentials.
Users are forced to hand over credentials directly to AI agents in order for them to act on their behalf. This creates inherent risks and vulnerabilities as credentials are exchanged and utilised over insecure channels.
Security risks
Credentials exposed in logs, chat histories, or repositories risk data leaks.
Productivity loss
Manual secret handling slows teams down and diverts focus from building.
Adoption barrier
Security-conscious teams hesitate to automate without secure credentials.

Types of AI agents
As AI agents become more capable, they're being deployed in increasingly diverse ways. Understanding these different agent types helped us design a solution that works across the spectrum of use cases.
Browser-based Agents
Browserbase enters the chat.
1Password partnered with Browserbase – an AI agent browser platform – to develop an integration for their product Director.ai that would allow users to securely provide their credentials to AI agents.
I created a vision prototype to show Browserbase and internal stakeholders how an integration could work and how it would help both of our customers.
Research Insights
We teamed up with the Browserbase team to conduct a research study with 6 of their customers to understand how they are using Browserbase and how they are currently handling credentials when using agentic AI. Three distinct personas emerged from the research:
What we learned
MFA is a major pain point
Multi-factor authentication consistently disrupts automation flows for all user types.
Current methods are insecure or complex
Users either give plain text passwords to LLMs (insecure) or build complex integrations that are hard to maintain.
Brand trust matters
Users trust well-known security brands like 1Password over lesser-known alternatives.
The tl;dr
Individual users will sacrifice security for automation. Admins will sacrifice automation for security.
Why not MCP?
MCP isn't the answer for credentials – agentic autofill is.
MCP servers are designed for general-purpose integrations—not for handling sensitive credentials. Exposing passwords through an MCP server would create a security vulnerability, as credentials could be logged, cached, or accessed by unintended processes. Not ideal.
Agentic Autofill takes a different approach. Credentials never leave 1Password's secure vault. Instead of passing secrets through the model context, 1Password injects credentials directly into the browser at the moment of authentication—keeping them encrypted and invisible to the agent itself.
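The difference in data flow between the two approaches above, as a toy model added here; it is not 1Password or Browserbase code. Every name, the origin check and the approval callback are assumptions made for illustration, and the vault item is constructed sample data.

```python
# Toy model, added for illustration: every class and function name here is
# hypothetical and none of it is 1Password or Browserbase code.
from urllib.parse import urlsplit

# Constructed sample vault item.
VAULT = {"item-1": {"origin": "https://shop.example", "password": "S3cr3t-constructed"}}

class Page:
    """Stands in for the browser tab the agent is driving."""
    def __init__(self, url):
        self.url, self.fields = url, {}

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def tool_get_password(item_id, transcript):
    """Anti-pattern: the tool result is model context, so the secret is too."""
    secret = VAULT[item_id]["password"]
    transcript.append({"role": "tool", "content": secret})
    return secret

def tool_request_autofill(item_id, page, transcript, approve):
    """Broker pattern: secret goes vault -> form field; the agent sees a status."""
    item = VAULT[item_id]
    if origin(page.url) != item["origin"]:        # assumed check: item bound to its site
        status = "refused: origin mismatch"
    elif not approve(item_id, origin(page.url)):  # assumed per-fill user approval
        status = "refused: user declined"
    else:
        page.fields["password"] = item["password"]  # written outside the transcript
        status = "filled"
    transcript.append({"role": "tool", "content": status})
    return status

def leaked(transcript, item_id):
    """True if the secret appears anywhere the model (or its logs) can read."""
    return any(VAULT[item_id]["password"] in m["content"] for m in transcript)

def demo():
    t_bad, t_good, page = [], [], Page("https://shop.example/login")
    tool_get_password("item-1", t_bad)
    status = tool_request_autofill("item-1", page, t_good, lambda i, o: True)
    return leaked(t_bad, "item-1"), leaked(t_good, "item-1"), status

if __name__ == "__main__":
    print(demo())
```

Scanning the transcript with `leaked` is the same check a team can run over agent logs and chat histories to confirm that no secret ever entered them.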
Prompt Design Guidelines
How do you design for something you can't control?
AI agents are inherently unpredictable. A key part of this project was defining guidelines that create predictable, trustworthy behavior when agents handle sensitive credentials—ensuring transparency, minimal access, and user control at every step.
Impact
Agentic Autofill was one of 1Password's most visible launches to date.
The Secure Agentic Autofill launch with Browserbase generated significant media coverage, positioning 1Password as the trusted security layer for agentic AI.

“It remembers the passwords that you can't, and hides them from AI bots that can't be trusted to forget.”
The Verge








