@Spaldo: Oh totally. I may be wrong about it. It definitely isn't the same thing, so it's good you brought it up. But from my understanding it's related to window focus, so as we address those issues it should help with this too. Cheers!
@Spaldo, it is two separate issues, we've already addressed the issue with Windows Hello internally that'll be available in the next big 1Password 7.0 Alpha 2 update but the 1Password mini still has to be unlocked, dismissed and then use the shortcut again to fill. This one involves a little bit more work.
I believe Windows Hello can use the TPM if avaialble to store private keys. In such a hardware configuration, 1Password should be unlockable without typing the master password.
@kathampy: That's a good point, but it's a but more complicated than that. We can't simply store the Master Password there directly, and that isn't available to everyone in the first place. Ultimately anything we do in this area needs to be thoroughly vetted security-wise and tested extensively first before we release something to all of our customers. And as we've seen with a number of recent Intel vulnerabilities (AMT comes to mind), "should" isn't always all it's cracked up to be. Not trying to pick on Intel here, as I appreciate they've got their work cut out for them trying to take an inherently insecure architecture and lock it down. But these are very real concerns to us, both as a company making security software and as users.
Is there any concern with storing the temporary unlock key in memory? I understand that on iOS the secure enclave is used to store this token so it's not accessible to other applications. Is Windows Hello a secure-enough alternative to this or am I better-off turning Windows Hello off entirely?
Thanks for the great question.
It is not a greater risk than keeping 1Password running. If your system is compromised to the point that someone can read your memory, then the game is pretty much over, they can just start intercepting your keys and do other things.
However, the concern is now someone guessing your PIN or whichever biometric system you're using with Hello. At this point, the risk is at guessing your weaker 4-digit PIN and once someone guessed it, every app that uses Windows Hello is compromised but so is your system if you're running an admin account. That's why we always recommend that you do not run an admin account and always lock your screen when you leave your computer. Generally, most biometric systems have compromises, such as if you're sleeping, someone can just come to you and unlock the computer without you knowing. Face ID, with enough money, they can take a photo off Instagram or whichever social network you're using, clone it onto a human mask and could get lucky.
Disabling Windows Hello within 1Password isn't enough to increase security in most situations, you'd be better off disabling Hello globally on your computer if you are concerned about it.
Windows Hello on modern computers store the derived keys using the TPM chips.
Just an update to my original post in late January - I updated to Windows 10 version 1803 and the latest beta for 1P, and unlocking 1P with Windows Hello works now! Very happy about this, no idea if it was windows, 1P, or vacuuming out my keyboard that did the trick.
That's awesome to hear and it is most likely your Windows update that flipped some switches.
Thanks for updating us.
I also wanna thank you guys for Windows Hello Support, as I realy like a easy way of openening my vault.
Hope you ged rid of the secend klick on OK to even have it more smooth.
Great work so far !
Thank you for your kind words! We are working really hard to improve 1Password 7 and I am glad to hear that you like Windows Hello implementation. Windows Hello has its own system limitations, but we will see what we can do in the future.
Let me know if you have any other questions, we will be happy to help. Thank you!