The AI browser security gap: Comet and 1Password partner to protect credentials

Recent innovations suggest that AI will soon be at the heart of web browsing, guiding users directly to information rather than forcing them to scroll through pages and links.

When that becomes reality, so-called AI-native browsers — Comet, Arc, Dia, Andi, and others — will be able to handle tasks that traditional browsers were never designed for, such as accessing sensitive data on their own, and potentially making decisions without explicit instructions.

This requires a whole new approach to security, according to 1Password. The identity security company has partnered with Perplexity to incorporate credential management, secure autofill, and access controls into Perplexity’s AI-powered web browser, Comet.

“A browser with AI-powered capabilities can provide organizations with real value when it comes to credential management, without compromising the browser experience,” said Ahmad Jowhar, a research analyst at Info-Tech Research Group.

Privacy-first browsing in the age of AI

The new Comet-compatible browser extension is free to all 1Password customers, who can log into sites on Comet via usernames, passwords, and 2FA codes, autofill credentials, and can securely use saved credentials across devices, browsers, and operating systems.

The idea is “privacy-first browsing,” where users maintain control over not only what AI can access, but when and why, according to 1Password. The extension generates and saves strong, unique passwords and passkeys, and provides end-to-end encryption and a zero-knowledge architecture. Credentials stay private even when users engage with AI features.

“Building a personal AI assistant comes with new security challenges, because a truly personal assistant also needs personal information to do great work,” the Perplexity team wrote in a blog post describing the partnership.

The new offering is built on the set of security principles guiding 1Password’s approach to AI, as laid out by its VP of product and AI, Anand Srinivas. First is “secrets stay secret…no exception,” meaning credentials must always be delivered via end-to-end encryption.

Second, the platform is least privilege by default, with temporary and time-sensitive access windows and session-specific authorizations. Those authorizations must be deterministic and dictated by humans; large language models (LLMs) can only authorize when governed by “predictable, rule-based flows.”

This means that the model itself does not have access to credentials in the 1Password vault. So, when prompted to log into AWS, for instance, it must follow a separate, well-defined, permissioned flow via OAuth or a dedicated credentials broker tool. Users must see prompts that they can understand, and know exactly what they are granting access to.

Additionally, raw credentials should never enter the LLM context. “Raw secrets have no place in prompts, embeddings, or fine-tuning data,” Srinivas emphasized. Sending credentials over an LLM-driven data channel is “the equivalent of typing into its prompt: ‘My API token for AWS is XXXXX, please go ahead and use it on my behalf.’”

Auditability is also critical; all actions must leave an audit trail so that enterprises have visibility into who (human or synthetic) accessed what, and what actions took place, according to Srinivas. “There will be no hidden AI decision-making, silent escalations, or vague ‘powered by AI’ labels without explanation.”

Info-Tech’s Jowhar added, “The incorporation of intelligence and security into a browser or extension means that users are safely supported in their behavior in real-time, and security protocols can accommodate detection in a more intelligent manner.”

A new generation of technology

Analysts noted that 1Password’s Comet browser extension represents a shift in security tools to meet the more complex needs of AI agents that perform actions for users across the web.

In other scenarios, companies are authorizing AI agents to securely interoperate with each other and with their human coworkers. In a new Microsoft-Workday partnership, for instance, agents receive a Microsoft Entra Agent ID, a verified individual identity for which administrators can specify access and permissions. Workday’s agent system of record (ASOR) then provides business context for operations, allowing agents to coordinate with one another.

It’s smart for companies like Microsoft, Workday, 1Password, and others to be thinking about secure ways for agents to authenticate when performing actions for humans, noted David Shipley of Beauceron Security. It eliminates the need for yet another “digital vault” where credentials are stored, and that can be accessed by legitimate users or malicious actors.

On the other hand, “it’s never been clearer that we need to be able to track real human behavior versus bot behavior, and using the same identity and access for both is going to make that even harder,” he said. Differentiating them will be vital, as agents will confuse current state-of-the-art fraud detection technologies.

“We need a whole new generation of technology to detect normal agent versus malicious agent activity,” said Shipley.

LLM-based agentic technologies have “huge potential inherent security flaws,” and security efforts could result in a great deal of expended compute and energy while opening a huge door for new attack types, he noted. Further, there’s evidence that LLMs can be socially engineered “just like, or maybe even better” than humans, who can at least be educated on the dangers.

Info-Tech’s Jowhar also pointed out that extensions, in general, have become a security risk. Research shows that nearly all employees use browser extensions with often elevated permissions that may reveal sensitive information, including cookies and passwords.

“A lot of extensions are from non-verified publishers, or they weren’t maintained, both of which are a risk,” he said.

For IT leaders and developers, the challenge is to innovate while maintaining a standard of diligence in security, said Jowhar. This might involve determining the trustworthiness of the publisher, reviewing extension permissions, or developing governance policies such as allowlisting of approved extensions.

While browser-based protections and implementations address risks during a time of disruption, identity-based strategies will focus on access and authorization to ensure risks do not enter the environment, he said.

“A layered strategy that combines browser protection with identity protection will give users the ability to access information in a productive way and not stifle innovation, while securing and protecting against risks,” said Jowhar.