Can a fingerprint reader in Windows be enabled to unlock 1Password for Windows?

I am a former LastPass premium user, and one of the things I really liked about LastPass was the ability to unlock my LastPass account using my fingerprint on my computer. I know you already have support for Touch ID on iOS, so I wanted to see if you were considering adding this for Windows as well?


1Password Version: 6.6
Extension Version: Not Provided
OS Version: Windows 10 - 1703
Sync Type: Not Provided

Comments

  • bundtkate

    Team Member

    Hey there, @hankinsd! We've definitely thought about it, but I don't have a timeline on when it might be released just yet. I'll add your +1 for this feature, though! :chuffed:

  • svondutch

    Team Member

    @hankinsd I recently wrote this about a fingerprint reader for 1Password for Windows.

  • I'd like you to add another +1 to this request. :)

  • Greg

    Team Member

    @KenBonny: Thank you for chipping in! :+1: It is not an easy feature to implement, so please stay tuned. Thanks again!

    Cheers,
    Greg

  • Another +1 for fingerprint to unlock. Readers are much more affordable now.

  • MikeT Agile Samurai

    Team Member

    Hi @igotkilled,

    Thanks for your vote.

    It's not about the price or availability of the readers, it's about the security of storing your encryption keys to your 1Password data in the hands of the said readers. It's like giving the keys to your deposit boxes to the security guard in the bank, which he'd only give up as soon as he sees your ID.

  • @MikeT

    Is it not the same problem on the phone where you happily use the fingerprint readers available?

  • brenty

    Team Member

    @tofalck: iOS (and macOS, in the case of TouchBar Macs) store a representation of the fingerprint in the Secure Enclave. No apps have access to that. This does not exist on Windows. There are some similar features in Intel chipsets, but those do not have the same level of integration with the OS as Apple has already. Microsoft has done some things like this using Windows Hello, but that is not available to desktop apps, which 1Password must be to integrate with web browsers. It's definitely something we're interested in, but we'll only "happily" use it if it meets our security requirements as well as usability. Cheers! :)

  • The "Protector Suite 2012" program (now deceased AuthenTec, Inc.) is still working well with all versions of Windows (including Windows 10), despite the suspension of support. Why is 1Password still not able to repeat this functionality?

  • brenty

    Team Member

    @Diktis: I'm not sure I understand. If you're asking if we will support individual hardware sensors, that's infeasible. And certainly I don't think it would make sense for us to build support for a product that has been discontinued.

  • @brenty: I'm talking about a program to store passwords with a fingerprint authorization.

  • Lars Junior Member

    Team Member

    @Diktis - As you said, it looks like that program has been discontinued and AuthenTec's website appears to be down completely. I didn't have any experience with it when it was live, but I feel fairly sure we're not going to try building compatibility for a discontinued authentication suite.

    If what you're asking is: why don't we replicate this functionality on the Windows platform, it's because we've never done that on any platform; on both Android and iOS - and now, Mac - we rely on the system's security, not on either third-party authentication implementations or on trying to build that functionality ourselves. I can't say what might be coming down the road in the future in this regard, but I do think that Windows users' energy around such a solution should be directed more at Microsoft than at individual app developers, as they're likely the only ones who can provide a demonstrably secure implementation of such a thing.

  • Diktis
    edited December 2017

    @Lars, Unfortunately, at this time, your application is safe only in isolation. When using a computer in a public place where there are people or cameras, 1Password without a fingerprint or tokens makes insecure not one but all the user's passwords at once. Especially if the passwords are stored in the cloud.

  • bundtkate

    Team Member

    @Diktis: Even if someone did obtain your Master Password by looking over your shoulder in a public place, they would still need access to your data itself to compromise even one of those passwords. What good are keys if you have no safe to unlock? Depending on whether you have a 1Password membership or a standalone vault, how one might go about retrieving that data is different, but a significant obstacle remains regardless.

    With a 1Password membership, that person would need your Secret Key (which you don't type to unlock 1Password) in addition to your Master Password to get access to your passwords on 1Password.com and would need your data directly from your computer to use your Master Password by itself.

    With a standalone vault, they would need to retrieve that data from Dropbox or your local machine, depending on your setup, which means they'd need access to your computer (at which point you have a bigger problem on your hands) or access to your Dropbox account in addition to your Master Password.

    Compare this to someone simply watching you sign in to your e-mail account were you not using 1Password. With access to that single account, they may be able to reset several of your passwords and take over accounts from there. Certainly, it's important to protect your Master Password. It plays a key role in keeping your vault safe and you should take whatever steps you can to keep it secret. We do understand your concern and it's not one we want to minimize, but we need to balance this against other concerns like disclosing secrets that can be used to access your data to a third party fingerprint reader, as others have mentioned above.

    As Lars pointed out, the fact that macOS, iOS and Android allow us to access the OS's biometrics systems allows us to safely and securely store a secret that allows you to unlock with your fingerprint, which is great. If Windows provided something similar, we'd be happy to use it, but at present Windows Hello isn't available to desktop apps, which means supporting it would prevent 1Password from working in Firefox and Chrome and Windows 7 users would be left out in the cold. We hope to be able to take advantage of Windows Hello in the future, but when and if that will be feasible depends on several factors ranging from Microsoft supporting Windows Hello for desktop apps to greater adoption of Windows 10 among Windows users. This isn't off the table by any means, but it's just not something that is feasible right now and we simply aren't comfortable storing secrets with any number of third parties while we wait for changes in the landscape.

  • brenty

    Team Member

    Unfortunately, at this time, your application is safe only in isolation. When using a computer in a public place where there are people or cameras, 1Password without a fingerprint or tokens makes insecure not one but all the user's passwords at once. Especially if the passwords are stored in the cloud.

    @Diktis: You're not wrong, but you're avoiding the fact that this is true of all applications, not just 1Password. If you're using a compromised machine, all bets are off. Anyone who tells you they can protect you in that scenario is either dishonest or deluded. Stay safe out there.

  • @brenty: I'm not talking about a compromised computer. I use my laptop in various public places: traveling, working with clients, at presentations. I don't want to publicly type my password from 1Password when accessing various resources. So I have to use an alternative program in which I can use my finger for authorization.

  • brenty

    Team Member

    @Diktis: Ohh, thank you for clarifying. Indeed, that's a different kind of threat, but the same applies regardless of whether or not you use your "finger for authorization": if someone would be able to see what you're typing as you enter your Master Password, they can also see as you access information stored in 1Password after you've unlocked it. There are a lot of great screen protectors with filters for privacy (to prevent off-angle viewing from someone next to you on a plane, for instance) which, again, are useful not only for 1Password but for everything else you're viewing on the screen. After all, having 1Password log you into your bank, while that would probably prevent someone from seeing your actual password, would allow them to see everything on the screen, such as account numbers and personal information. Better safe than sorry! :)

  • Any possibility of having a UWP app on the Windows Store? I believe if you have a UWP app Microsoft allows you to use the Windows Hello feature that would then allow biometrics/face unlock.

    I see a few other password managers such as Enpass and Keeper have an app on the store that advertises this. I would love to use biometrics with 1Password so I could have much lower idle times before automatically locking my vault.

    Huge +1 to the idea of a UWP 1Password app!

  • bundtkate

    Team Member

    @Mark95: We've toyed with the idea of a UWP app and even released an alpha at one point, but UWP really didn't provide the feature set we felt we needed to build an app we were happy with at the time. A move to UWP would also leave us maintaining two Windows apps (desktop and UWP) at best and leaving Windows 7 customers in the cold (UWP only) at worst. Plus, Windows Store apps cannot interface with browsers besides Edge, so no Chrome, no Firefox. UWP does offer some cool features, and we've continued to explore the possibility, but given the current limitations there and the need to continue supporting folks on Windows 7, we haven't felt the timing is right to take that plunge. We'll re-evaluate as the landscape changes (maybe Microsoft opens up UWP a bit more or folks start moving more aggressively to Windows 10), but right now it's not something we're considering for the near future.

  • @bundtkate Ah I see, I wasn't aware of the restrictions especially with browser integration. While the fingerprint support and quirks would be great, I do hope some form of multi-factor is added when accessing the vaults hosted on 1Password, Google Authenticator for example would be a nice addition.

  • bundtkate

    Team Member

    @Mark95: It's a difficult choice to make to be sure. I really wish we could have it both ways and maybe one day we can, but for now both paths come with sacrifices and we just feel like the UWP path comes with too many. I'm a Windows loyalist myself, so I share your yearning for some of these things on Windows and have my fingers crossed they will all be a reality one day.

    As for MFA, that's a common topic and the subject of many a conversation around the virtual water cooler here. We beta tested Duo integration with 1Password Teams customers and are still tossing around a few ideas, so I'll be sure to pass along your support for MFA options. :chuffed:

  • Another +1 for fingerprint to unlock. Wanted to keep the topic going.

    Thanks to the Team Members!!

  • bundtkate

    Team Member

    :chuffed::+1:

  • I don't know if there's any value at all in +1s, but I registered in the forum just for that. Having no other way to unlock makes me choose between having a master password that's easy to type, or disabling automatic lock, neither of which I'm happy with. Even just a PIN would be better, but biometric is preferred of course, and Hello is the best case if that's ever an option.

    As someone mentioned in a different thread, I would be already happier if I could use my fingerprint to unlock 1p when it locks, but still had to type the master password on login (or if I restart 1p) — so whatever critical data could then be stored in memory only.

  • MikeT Agile Samurai

    Team Member
    edited January 2018

    Hi @lalomartins,

    We always value your time letting us know this is something you'd want.

    There are some ideas we have regarding the Windows Hello support. We have 1Password in the Microsoft Store right now to provide support for 1Password in Edge. The idea we have is that we could also reuse it as a way to integrate with Windows Hello and use it to authenticate the main desktop app as well. We just need to investigate and do a lot of research to make sure it is safe to do so.

  • Pretty sure you can create a Windows desktop app wrapper component around UWP using the UWP libraries and utilizing a Login Service.

    https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport-login-auth-service

    The private key is hardware attested if the device has a Trusted Platform Module (TPM) chip. The private key never leaves the device.

    Thanks, look forward to the update.

  • brenty

    Team Member
    edited January 2018

    @dynamiclynk: As Kate mentioned earlier, as it stands, we'd have to give up compatibility with Windows 7 and all browsers besides Edge to have a full 1Password app in the Windows Store, and I don't think that's an acceptable tradeoff. That may change in time...but if everyone switches to Windows 10 and Edge now, maybe that's a solution! ;)

  • Branch your code ;)

  • brenty

    Team Member

    @dynamiclynk: I don't know if you're serious or not. :wink:

  • … but that's pretty much what you're doing with the Edge extension anyway. All seems to be on track 8-)

This discussion has been closed.