Better Windows Hello support in 1Password 6 [Planned but no ETA]

Hi @BXIA,

Thanks for writing in.

I'm sorry you're disappointed and I can definitely understand it. We are still trying to scale up our smaller Windows/Android teams to catch up to the much longer established Apple team but it hasn't been a smooth ride.

As for Touch ID, you kind of did nail it on the head, Apple has a polished and integrated setup that makes it extremely easy to add support for it right away, it didn't take us much to add support for it on macOS as we can reuse most of our existing code and our experience from our iOS app. Apple has a mandated secure enclave for Touch ID data along with extensive parameters we can use that makes us feel safer to use it, this is true for the new Macs as well, there's a custom A1 chipset with the secure enclave there that makes it a nicer setup.

As for Windows Hello, we have some questions regarding to its security protecting the derived keys on disk (which is preventing us from really wanting to expand the Hello support) and it is mostly designed for the UWP apps in the Windows Store. We've shifted our focus to the regular desktop program many months ago because it enabled more features that the UWP app isn't capable of at the moment. Such as the browser extension support with 1Password mini, which is far more requested than Windows Hello support and not to mention it runs on Windows 7 and above, which still has a much larger market share than Windows 10.

We do plan to address this but unfortunately, I don't have an ETA that I can share with you at the moment. :(

@BXIA: I hate to split hairs, but the Secure Enclave isn't software; it's a chip on the board, which Touch ID Macs now also have (as part of the mini-iOS-device Touch Bar). And if you can "fake" it with 5$, the world is your oyster. So far the Touch ID "hacks" I've seen have been greatly exaggerated though — and could be applied to various Windows Hello-based biometrics as well. TPM is similar in many ways and has been around for a while (a long while), but not everything supports it. I really like that Microsoft is starting to do something with this though, even if adoption is still disappointing. Hopefully it's just a matter of time before there's a double-digit install base that can use it, and I suspect we can certainly do more with it by then. :)

For systems without a TPM, I'm also worried about how the Windows Hello keys are stored on disk.

@kathampy: We are too. It's not something we'll do unless it can be done securely.

If there is no TPM, you can force the master password to be required when 1Password is initially launched.

Ah, okay. Then you're talking about storing it in memory. That may be a possibility.

But on locking the workstation or just locking 1Password, you should be able to use Windows Hello to unlock it. This way the derived keys would not need to be stored insecurely in Windows without a TPM.

Yeah that makes sense. Wherever we end up storing the "keys", even temporarily, needs to be secure.

I'm specifically looking at the Kensington finger print scanner.

Good to know. If we're able to support Windows Hello, and the scanner you have supports this too, that should do the trick for you. Cheers! :)

@kathampy: The token derived from the Master Password is only stored in the macOS (or iOS) Keychain when using Touch ID, and is secured with a cryptographic representation of your fingerprint, which is stored in hardware separate from the the rest of the system: the secure enclave. Now, we don't want to assume that it is impossible to recover this otherwise, but it's very different than simply storing the Master Password on disk, and much more secure as a result. Without these things in place, we wouldn't feel comfortable making it possible for you to unlock 1Password without entering your Master Password (by storing it in memory or on disk) on Apple devices (and Android), and we need to hold Windows to that same standard when it comes to 1Password's security.

As I indicated earlier, it's something we're looking into. Thanks for sharing your thoughts on this! :)

Hi @kathampy,

That is correct, we also use the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly flag to ensure it is never transmitted outside of that device. We have a support article on this: https://support.1password.com/touch-id-security-ios/ to explain what else we do.

@humphrey: We don't discuss roadmaps and I can't give you an ETA, but it's something we'd like to support in 1Password on WINdows in the future. We've got a lot of other things to do before then (not least of which UWP, which would be necessary for Windows Hello anyway), but I'm sure we'll share more in the future when we can. :)