1Password allows Windows Hello to be used when it's not supported


I'm using 1Password on a 2016 MacBook Pro under Boot Camp. As far as I know, there is no TPM in any Apple hardware. My assumption is that a hash of the PIN is stored on disk as a fallback (but I can't find anything to confirm this).

As well, Boot Camp doesn't support BitLocker or any sort of full-disk encryption. Doesn't that make 1Password (more) vulnerable to an offline attack on the PIN, and therefore on the 1Password vault?

If so, 1Password should detect this situation and warn before allowing Windows Hello to be enabled (or disable the integration entirely).

Actually, perhaps that is the bug. I just noticed that Windows' Sign-in options says "Windows Hello isn't available on this device", but I can turn it on in 1Password.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @deviantintegral,

    Thanks for writing in.

    We do not store anything on disk when Windows Hello is used. When you open 1Password for the first time after booting up or terminating 1Password, you will always be asked for your master password.

    When you unlock with your master password, 1Password will derive/generate a unique randomized decryption key that is given to Windows Hello to unlock 1Password while it is running; it is stored in memory only. Once 1Password terminates or you reboot the computer, that key is gone and cannot be reused. Each time you restart 1Password, it'll generate a new key for Hello. There is a vulnerability in using Hello, but it requires the ability to compromise the system and read its memory; even in that state, the risk is still there without Hello, since you can sniff the process memory to grab what you're typing in or what it decrypts in memory.

    Windows is a bit misleading about its Hello support: Microsoft allows the use of the Windows Hello API for PIN support as well. In other words, 1Password is using the same API to detect if Hello is enabled (there is no device-specific setting, like "ask for fingerprint only") and enables it for you in 1Password. For us, the API is limited to an "is this user authenticated?" call and that's it. Once the user is authenticated, Windows gives the key to 1Password to unlock itself.
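
The key-handling model described in the reply above (a master-password-wrapped vault key on disk, a fresh random key handed to Hello per process and held in memory only, and a Hello API that answers nothing more than "is this user authenticated?") is easy to misread, so here is a small runnable model of it. This is an added example written for this page, not 1Password's code and not the real Windows Hello API: `WindowsHelloStub`, `OnePasswordProcess`, the PBKDF2 iteration count and the stdlib HMAC-CTR `seal`/`unseal` (a stand-in for a real AEAD such as AES-GCM) are all assumptions made for illustration. The vault record and password are constructed inputs.

```python
"""Model of a per-process unlock key handed to Windows Hello (constructed example)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption for this example, not 1Password's parameter


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a block cipher keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a 32-byte key -> nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def create_vault_record(master_password: str, vault_key: bytes) -> dict:
    """Everything that reaches disk: the vault key wrapped only by the master password."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "wrapped_vault_key": seal(kek, vault_key)}


class WindowsHelloStub:
    """Hypothetical stand-in for the Hello side: keeps the key it was handed in memory
    only and releases it solely to an authenticated user. A new process gets a new stub."""
    def __init__(self):
        self._key = None

    def store(self, key: bytes) -> None:
        self._key = key

    def request_key(self, user_authenticated: bool):
        return self._key if user_authenticated else None


class OnePasswordProcess:
    """One run of the app (hypothetical). Nothing here is ever written back to `record`."""
    def __init__(self, record: dict):
        self.record = record
        self.hello = WindowsHelloStub()
        self._vault_key = None      # held only while unlocked
        self._hello_wrapped = None  # vault key wrapped under this process's Hello key

    @property
    def unlocked(self) -> bool:
        return self._vault_key is not None

    def unlock_with_master_password(self, master_password: str) -> bool:
        kek = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  self.record["salt"], self.record["iterations"])
        try:
            self._vault_key = unseal(kek, self.record["wrapped_vault_key"])
        except ValueError:
            return False
        hello_key = secrets.token_bytes(32)  # fresh random key on every master-password unlock
        self.hello.store(hello_key)
        self._hello_wrapped = seal(hello_key, self._vault_key)
        return True

    def lock(self) -> None:
        self._vault_key = None  # autolock: drop the vault key, keep the Hello-wrapped copy

    def unlock_with_hello(self, user_authenticated: bool) -> bool:
        key = self.hello.request_key(user_authenticated)
        if key is None or self._hello_wrapped is None:
            return False
        self._vault_key = unseal(key, self._hello_wrapped)
        return True


def demo() -> dict:
    vault_key = secrets.token_bytes(32)
    record = create_vault_record("correct horse battery staple", vault_key)  # constructed input
    results = {"disk_fields": sorted(record)}  # no Hello material is ever stored

    run1 = OnePasswordProcess(record)
    results["wrong_password"] = run1.unlock_with_master_password("hunter2")
    results["hello_before_master_password"] = run1.unlock_with_hello(True)
    run1.unlock_with_master_password("correct horse battery staple")
    run1.lock()
    results["hello_unauthenticated"] = run1.unlock_with_hello(False)
    results["hello_authenticated"] = run1.unlock_with_hello(True)

    run2 = OnePasswordProcess(record)  # restart or reboot: the Hello key is gone
    results["hello_after_restart"] = run2.unlock_with_hello(True)
    return results
```

The point the model makes explicit: an offline attacker with the unencrypted Boot Camp disk gets only `wrapped_vault_key`, which is protected by the master password alone, so enabling Hello adds no PIN-derived material to attack offline; the Hello path only matters to someone who can already read the running process's memory.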

  • deviantintegral (Community Member)

    Thanks for the details @MikeT . It seems like a very short autolock timeout for 1Password + Hello would be more secure in many cases than just a longer 1Password timeout, so I can see the value in keeping it. I appreciate the in-depth explanation!

  • @deviantintegral: What's most secure is definitely often dependent on how you use your devices. I personally keep my autolock timer really long on my home desktop, but indeed, I agree that shorter with a quick unlock option like Hello is much better on anything that moves with me. If I had to type my Master Password into my phone constantly, I'd definitely be tempted to extend that timer, and combined with my tendency to lose phones, that's a security disaster waiting to happen. We humans and our sometimes poor habits should certainly be part of our threat models. Mike is busy breaking the latest internal changes to 1Password, so he's not around the forum today, but I'll be sure to pass along your thanks.

This discussion has been closed.