I saw in another thread a suggestion to use Windows Hello even on the first unlock and the dev team's reasoning for not doing so. I get that it would involve storing the master password on the computer, and that's a generally undesirable situation. Without knowing too much about Windows Hello, I imagine that's the case for every password used in Windows Hello, and that those passwords must be stored in some cryptographically-protected storage within the computer. I believe - please correct me if I'm wrong - that the concern is storing the master password anywhere, not just within Windows Hello's password storage. In other words, it's not a slight against or concern with the security of Windows Hello, but rather a general concern.
So what about this? Assuming that it is possible to tell if the password is coming from Windows Hello, as opposed to user-entered, you could have 1Password generate a special Windows Hello-only password that is unique to both the user and the computer. Attempting to use this password to unlock 1Password through any means other than directly through Windows Hello will not succeed. This solves the requirement of not storing the actual master password anywhere. It keeps the Windows Hello password unique. And, again assuming that you can tell it's coming from a Windows Hello unlock request, it cannot be used to unlock 1Password any other way.
1Password Version: 7.4.767
Extension Version: 1Password X 1.19.1
OS Version: Windows 10 1909
Sync Type: Not Provided
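The scheme proposed in the post, sketched as an added example (not part of the original post and not 1Password's code): a random Windows Hello-only secret, bound to one user and one computer, wraps the vault key so the master password is never stored. It assumes the secret is released only by Windows Hello, which is simulated here as a plain value; `enroll`, `unlock`, the IDs and the key-wrapping design itself are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not 1Password's design.
const crypto = require('crypto');

// Wrapping key bound to one user on one computer via the HKDF info string.
function deriveWrapKey(secret, userId, deviceId) {
  const info = Buffer.from(`hello-unlock|${userId}|${deviceId}`);
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));
}

// Enrollment, run while the vault is already unlocked: create the random
// Hello-only secret and wrap the vault key under it. The master password is
// never an input here, so it is never written anywhere.
function enroll(vaultKey, userId, deviceId) {
  const helloSecret = crypto.randomBytes(32); // assumed to sit behind Windows Hello
  const iv = crypto.randomBytes(12);
  const key = deriveWrapKey(helloSecret, userId, deviceId);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(vaultKey), cipher.final()]);
  return { helloSecret, record: { iv, ct, tag: cipher.getAuthTag() } };
}

// Unlock: returns the vault key, or null when the presented secret or the
// user/device binding does not match the stored record.
function unlock(record, presentedSecret, userId, deviceId) {
  try {
    const key = deriveWrapKey(presentedSecret, userId, deviceId);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ct), decipher.final()]);
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample values: user "alice", computers "PC-01" and "PC-02".
function demo() {
  const vaultKey = crypto.randomBytes(32); // stands in for the real vault key
  const { helloSecret, record } = enroll(vaultKey, 'alice', 'PC-01');
  const typed = Buffer.from('constructed master password');
  const got = unlock(record, helloSecret, 'alice', 'PC-01');
  return {
    sameDevice: got !== null && got.equals(vaultKey),
    otherDevice: unlock(record, helloSecret, 'alice', 'PC-02') === null,
    typedPassword: unlock(record, typed, 'alice', 'PC-01') === null,
  };
}
```

The stored record is only as strong as the protection around `helloSecret`: anyone who obtains both can recover the vault key without the master password.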