The post calls this out:

> the 1Password browser plugin would have noticed that “members-x.com” wasn’t an “x.com” host.

But shared accounts are tricky here, like the post says it's not part of their IdP / SSO and can't be, so it has to be something different. Yes, they can and should use Passkeys and/or 1password browser integration, but if you only have a few shared accounts, that difference makes for a different workflow regardless.

Precisely. 1Password's browser integration would have noticed a domain mismatch and refused to autofill the password -- but in a panic, Kurt apparently opened 1Password and then copied/pasted the credentials manually.

Because CEOs at startups are notorious for trying to problem solve aggressively by "just" doing the thing rather than throwing it at a person who _might_ have made the same mistake, but might be more primed to be confused as to why they are not logged into x dot com and why 1password's password prompt doesn't show up and why the passkey doesn't work or whatever.

It's always possible to have issues, of course, and to make mistakes. But there's a risk profile to this kind of stuff that doesn't align well with how certain people work. Yet those same people will jump on these to fix it up!