Feature Request: Always-on Windows-Hello secured through system specific trust-anchor


I have seen a lot of requests for a always on Windows-Hello up to now here, but as you always mention, this isn't that easy to secure the masterkey for the Windows feature then.

So, my question or request ist:
Is it possible to use for example enterprise grade (more or less) features like a TPM chip to create a "trust-anchor"? (I have seen this e.g. as a certificate, which is bound to a key in the TPM chip)
As I understood it Windows has some kind of SDK for TPM.
Or maybe there are also other trust-anchor solutions which don't require a TPM chip.

Maybe there is a way to secure a general Windows-Hello login in the future :+1:
I would definitely look forward for something like that :chuffed:


1Password Version: 7.3.702
Extension Version:
OS Version: Windows 10 1903 18362.239
Sync Type: Dropbox


  • bundtkatebundtkate

    Team Member

    The short answer, @lumarel, is that there are probably several ways always-on Hello would be possible, but the where and how is really only half the story, if that. The real blocker is time to do the proper research so that we can assure ourselves we can implement this securely. As you alluded to yourself, things like the widely varied hardware running Windows complicate that research since the answer can't be as simple as "use the Secure Enclave" like on Apple devices, but I'd there's a good chance there is a solution out there that we could find given adequate time. Time is something the team is pretty short on right now, but once we wrap up some of the projects eating that time, I'd expect we'll spend some of what's freed up giving this some deeper thought and dig a lot deeper into some possible solutions.

    This isn't meant to dismiss your idea at all. I honestly wouldn't even consider myself qualified to make an assessment of any specific strategy. I'm moreso wanting to point out that timing and resources play a bigger role in always-on Hello not being available sooner than any specific technical challenge. Once we dive deeper into that research, we may well find there is a technical challenge that does need addressing, but right now we only really know that we don't know enough. This discussion will likely get a lot more interesting once we know a bit more. :chuffed:

This discussion has been closed.