Using Windows Hello to unlock 1Password every time

I saw in another thread a suggestion to use Windows Hello even on the first unlock and the dev team's reasoning for not doing so. I get that it would involve storing the master password on the computer, and that's a generally undesirable situation. Without knowing too much about Windows Hello, I imagine that's the case for every password used in Windows Hello, and that those passwords must be stored in some cryptographically-protected storage within the computer. I believe - please correct me if I'm wrong - that the concern is storing the master password anywhere, not just within Windows Hello's password storage. In other words, it's not a slight against or concern with the security of Windows Hello, but rather a general concern.

So what about this? Assuming that it is possible to tell if the password is coming from Windows Hello, as opposed to user-entered, you could have 1Password generate a special Windows Hello-only password that is unique to both the user and the computer. Attempting to use this password to unlock 1Password through any means other than directly through Windows Hello will not succeed. This solves the requirement of not storing the actual master password anywhere. It keeps the Windows Hello password unique. And, again assuming that you can tell it's coming from a Windows Hello unlock request, it cannot be used to unlock 1Password any other way.

1Password Version: 7.4.767
Extension Version: 1Password X 1.19.1
OS Version: Windows 10 1909
Sync Type: Not Provided
Referrer: forum-search:windows hello first unlock


  • bundtkate

    Team Member

    Unfortunately, @PG79, I don't think that would work. You may know some of this stuff already so forgive me if I'm being repetitive, but I don't want to gloss over anything either so I'm erring on the side of too much detail over too little. You see, only your Master Password (or, more accurately, your Master Unlock Key which is derived from a combination of your Master Password and your Secret Key) can unlock 1Password. Unlocking 1Password isn't like signing into a website. When you sign in to most sites, what you're doing is proving that you're you. You provide something the site believes only you have and it says, "Great, thanks, here's your stuff!" This can be your actual password or it can often be something else you and the site have agreed is equivalent to your password, like a token showing you've signed into an account using SSO.

    1Password, on the other hand, is actually incapable of giving you your stuff unless you explicitly give it your Master Password. Your Master Password may be viewed as proving you're you, but it is also the missing piece in the math equation that allows 1Password to decrypt your data and transform it from random blobs to the stuff you see in your 1Password apps. If you give it anything other than your Master Password, the math won't work and 1Password can't unlock. There is simply no getting around storing your Master Unlock Key if we want Hello to work.

    With that said, there isn't a genuine objection to storing that key anyway. It's something that needs to be done to make always-on Hello work and we already do this for Touch ID on Mac and iOS as well as temporarily for allowing Windows Hello at all. The issue isn't that we don't want to do that, it's that if we're going to store that Master Unlock Key persistently, rather than only while 1Password is running, we need to be extra sure we're choosing an adequately protected location that will be available regardless of hardware. Windows provides a number of possible options here so the remaining task is to do our due diligence and make sure we're making a solid and secure choice that fits our criteria. So, in short? We'd be thrilled to have this work, but taking that step takes some time so it's a matter of the stars aligning where everyone who needs to give such a location the thumbs up has the time to dig in. The security team, in particular, often has a lot of demands on their time so these sorts of decisions often don't get made quickly and probably universally take longer than our customers would like. But, these things are on our radar and we're continually monitoring for that chance to get it done. I won't say it will happen any time soon – it may not – but you can at least rest assured that there's no fundamental objection to having Hello work out the gate. We just want to be extra sure we're handling it properly and that takes time.
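
The point of the reply above, as an added example that is not part of the thread and is not 1Password's code: a separately generated "Hello-only" password derives a different key and cannot decrypt the vault, so a second unlock path only works if the unlock key itself is stored under some protection. The derivation, the HMAC-based cipher and `device_key` (standing in for a key the OS releases after a biometric check) are simplified assumptions built from the Python standard library.

```python
import hashlib, hmac, os

def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Simplified stand-in derivation: stretch the password, then mix in the secret key.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: the data cannot be decrypted")
    return _xor_stream(enc_key, nonce, ct)

def demo():
    salt, secret_key = os.urandom(16), os.urandom(32)      # constructed sample values
    muk = derive_unlock_key("master-password-example", secret_key, salt)
    vault = seal(muk, b"example vault item")
    # A different "Hello-only" password derives a different key, so decryption fails.
    other = derive_unlock_key("hello-only-password-example", secret_key, salt)
    try:
        unseal(other, vault)
        other_unlocks = True
    except ValueError:
        other_unlocks = False
    # The second path works only because the unlock key is stored, wrapped under device_key.
    device_key = os.urandom(32)
    wrapped_muk = seal(device_key, muk)
    recovered = unseal(unseal(device_key, wrapped_muk), vault)
    return other_unlocks, recovered
```

The security of the second path rests entirely on where `wrapped_muk` and `device_key` live, which is the storage-location decision the reply describes.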

  • PG79
    edited May 22

    Thank you for the detailed response! I didn't realize that the master password was part of the crypto protecting the vault(s). That makes a lot of sense with respect to why it's needed vs. any other solution. As a Windows user, I see a lot of value in Windows Hello, and I think sometimes Microsoft gets a bad rap for coming up with solutions (sometimes very good solutions) and subsequently abandoning them. Sometimes this is management's fault, but a lot of times it's because nobody is using them - either due to lack of developer interest, lack of user interest, or sometimes just being a bad implementation.

    Without developer interest, I feel like Windows Hello will end up going the way of the dodo (hopefully not), before it ever gets to the point of ubiquity. I totally get that everyone wants to sign off on using it before any commitment is made, and there are a lot of demands being placed on the team that outweigh this. But it does make Windows users feel a little like second class citizens, with our "also-ran" OS-level security solution. :(

    Thanks again for the response!

  • bundtkate

    Team Member

    For whatever it might be worth, @PG79, I read (the headline of) an article the other day mentioning that Chrome was going to allow users to auth with Hello prior to filling payment info saved in Chrome, so it looks like there is some adoption ramping up and potentially some interesting stuff in the wings from Microsoft. I've also felt in the past like the slow adoption of Windows 10 by us stubborn Windows users was part of the reason some of its newer features were largely unused so I've got my fingers crossed that having ended support for Windows 7 will also help ramp things up. Here's hoping!
