USB Fingerprint reader [Windows Hello might make this easier for us but no promises]
Comments
-
If we want to support a fingerprint scanner (or face recognition), then we would have to store your master password (or your encryption keys) somewhere. On Windows, I do not see how and where we can do this securely. As a matter of fact, I'm a strong believer of NOT storing your master password anywhere -- not even in computer memory.
All you'd have to do is use the unique signature that a fingerprint scan produces to encrypt the master keys, either solely or in combination with a master password.
Granted, that might only work on a single device, depending on how consistent the scanners are in the their output. The alternative is to encrypt the master password using the finger scan data and store it locally on each device.
0 -
All you'd have to do is use the unique signature that a fingerprint scan produces to encrypt the master keys
@RichardPayne Where is this unique signature and who has access to it?
The last time I checked out face recognition, there is model that they compare against, and then they tell you whether they think your scan matches the modal (or not).
The alternative is to encrypt the master password using the finger scan data and store it locally on each device.
@RichardPayne I don't think that would work because every time you scan, you get slightly different data.
0 -
Fair enough @svondutch. I'm not entirely familiar with fingerprint scanners. I had thought that they must reduce your print to a unique value in some way. If that's not the case then it would be difficult to handle.
0 -
So they way a fingerprint scan works is that you generate effectively a 2d spacial representation of interesting features. These features can be a variety of things but generally boil down to being where ridges end, split, etc. Collectively these features are called minutiae. Complications arise in how complete a given scan is and thus how many different minutiae points are in a given scan. Generally a given fingerprint authorization system will require some number of matching minutiae features and the correct orientation of those features.
But as with all things biometric, esp fingerprints, its generally a good idea to also have another secondary authentication method, at the very least a pin. Esp since with something like 1password, the odds are that viable fingerprints will exist on the device.
0 -
Having been a Thinkpad and Bitlocker user for a few years, fingerprint readers and encrypted drives seem like a normal thing to me. I was delighted to see you taking advantage of this on the iPhone. I understand there are some development challenges in Windows to make this secure enough, but I would hope in Windows 10 that you would focus in on finding a way to do this, at least for your users who are checking off all the boxes to maintain a secure device.
0 -
but I would hope in Windows 10 that you would focus in on finding a way to do this, at least for your users who are checking off all the boxes to maintain a secure device.
It is too early for us to say anything about Windows 10 and its Hello feature, we haven't looked at its API just yet. If there is a way to do this securely for our desktop application, than we'll consider it, just like we did for the iPhone and will do for Android devices with built-in fingerprint scanners.
0 -
I've been a happy longtime 1Password user on iOS/OS X and now Windows 10.
My ThinkPad Helix and ThinkPad T440s each have a fingerprint reader built in so I would love to be able to use it to log into/activate 1Password in Chrome on Windows 10.
The user experience on my iPhone 6 Plus is what I want on my Helix. Having to type the master password every time I wish to log into a website knowing that I have a fingerprint reader on-board is frustrating. Every time I do it I make two mental notes: 1) check the AgileBits Forum to see if fingerprint support for Windows is being added and 2) look for 1Password alternatives which offer fingerprint support.
Microsoft's new 'Windows Hello' feature in Windows 10 appears to be just what the doctor ordered but staff comments in this thread indicate that there are obstacles to using fingerprint readers in 1Password for Windows.
I'll keep checking back here - you guys haven't let us down yet!
Thanks very much!
peter0 -
Hi @PeterNorman,
Microsoft is making progress in the right direction such as requiring TPM for securing the biometric data in a hardware solution, requiring certain levels to be met to qualify for Hello support, however it does fall back to the software method if TPM doesn't exist. The question is, can that be blocked by default per app and so on. We have to investigate to make sure this is feasible for us. Hopefully, we'll have some news in the near future about this.
0 -
Hello MikeT!!
Thank-you for your reply! Its good to know that Microsoft is making it easier for third-party devs and that AgileBits is investigating it.
The absence of TPM on most consumer hardware will make it:
- harder for AgileBits to support Fingerprint authentication for ALL 1Password for Windows users
- easier for those users with TPM hardware
Hopefully as Microsoft's new "Windows Hello" and "Passport" features (link) mature, third-party devs will find it easier to support Fingerprint readers - they're so convenient!
Thanks again MikeT!
Peter0 -
Hi @PeterNorman,
The absence of TPM on most consumer hardware will make it harder for AgileBits to support Fingerprint authentication for ALL 1Password for Windows users and easier for those users with TPM hardware
Yea, that's why it is not going to be a decision we can make on day one. We have zero issues adopting it on iOS platform because of the mandated hardware CPU support (there's a special secure enclave that stores the hashed fingerprint database). With both Windows and Android adopting biometric support systemwide later this year, we have a lot of investigation to do.
0 -
@RichardPayne I realize your post is two years old but I had to answer :-) If I wanted to rob you, I can put a gun in your head and force you to give me your password and btw, that's exactly what this cartoon "http://xkcd.com/538/" is all about. They don't mention a fingerprint reader but specifically mention a password. A fingerprint reader is just a more convenient way to do it than typing a long 32+ characters password.
0 -
Hi @farhaddad,
Thanks for sharing your thoughts. There are also a lot of legal issues going on in US where fingerprints can be compelled by the government without a warrant while the passwords are in your mind and therefore, can be protected by the fifth amendment.
It's going to be an interesting decade ahead of us with a lot of focus on the privacy, encryption and digital rights now.
0 -
I hope so, it seems the EU is also getting in the game right now. Snowden has started a spark.
Although, we should create a separate discussion thread if anyone wants to talk more about this as we at AgileBits love to talk about these topics. We have the lounge forum if any one wants to keep this going.
0 -
I know this is slightly off topic but with Windows Hello, do you think there could be support for the camera/facial recognition technology? I have a Surface Pro 4 and am amazed at how awesome it is to use the facial recognition as a way of validating my identity.
0 -
Hi @jace88,
That's what Windows Hello is, it uses your biometric devices to authenticate yourself. It's an API that lets the Universal Windows Platform (UWP) apps use Windows 10 to handle the authentication process. In the case of Surface Pro 4 and Surface Book, it uses the camera setup for Windows Hello or for Surface Pro 3/4, the fingerprint scanner on the specific Type Cover 4 keyboards for those who prefer using that instead.
Unfortunately, for now, Windows Hello doesn't seem feasible for us to use in our desktop version, it works right now for our UWP beta version available in the Windows 10 store.
0 -
I really, really hope you find a way to support fingerprint hardware because that is what makes using a computer in public spaces much more secure. I don't want a camera grabbing me typing usernames and passwords on my machine. That's why I have a laptop with fingerprint stick. And I would feel much more comfortable if i could use it for unlocking password databases, esp. those I would pay for.
0 -
Hi @sniem,
We'll keep looking but for now, there are more dangers of storing your master password in an unverifiable safe place on the disk than there is from the shoulder surfing attacks.
Even if someone capture your master password on camera, they still have to breach your systems (either your laptop's disk or the cloud service account if you're syncing) to get the data file to decrypt it. However, if we add support for the fingerprint scanner and the master password is stored insecurely, breaching your laptop remotely or physically is all they need to do to get your 1Password data.
In person, they could just break in and force you to put your finger on the scanner to get the data, easier than asking you to reveal the password. There have been cases of Touch ID on iPhones being bypassed completely because the owner was sleeping and a kid used his hand to unlock the phone.
There are tradeoffs in every situation, we are constantly balancing this and right now, we don't feel safe to add this support for the classic desktop version of 1Password. Things may change over time but for now, it is not likely to happen in the near future. You can see more from Stefan, our Windows dev, here: https://discussions.agilebits.com/discussion/comment/199879/#Comment_199879
The Windows 10 Store version of 1Password uses Windows 10's Hello API as a temporary method for unlocking 1Password while it is still running in memory and it is still a beta feature for now. As far as we can tell right now and we can be wrong, it is limited to the Universal Windows Platform apps.
0 -
Good and valid points, thanks for sharing your thoughts! :)
0 -
You're welcome!
0 -
Wondering about the status of OSX USB support for unlock? I'd also need Windows USB support in 10VM's. I normally unlock now with Android Nexus N beta on a 5X (works well, thx!) Want to buy a new mobile USB fingerprint reader since Apple MBP's don't have it built in yet :)
0 -
Hi @coreygo,
If you're asking about our Mac version of 1Password, we don't support biometrics there either. The only 1Password apps that do are our iOS, Android, and Windows 10 versions.
There are rumors Apple might use your iOS devices to unlock your Macs, which would be nice.
We do have a request in our system to investigate the use of our iOS/Android apps to unlock 1Password remotely on the desktops. It is something we want to consider but we need to test it throughly first.
0
