Windows Hello improvement

TravelSD
TravelSD
Community Member
edited April 2023 in 1Password 7 for Windows

First, let me thank you for Windows Hello support! Couldn't come soon enough. But if possible, I'd like a tweak. As it stands now, it appears you need to click on the Windows Hello icon for it to read my fingerprint. Could the step to click the hello icon be eliminated? Just automatically sense I put my fingerprint on the sensor, or of I had a Windows hello camera, just instantly take my picture? Make it seamless like FaceID on iOS.


1Password Version: 7.0.507
Extension Version: Not Provided
OS Version: Windows 10 x64
Sync Type: Not Provided

«1

Comments

  • Hi @TravelSD,

    Thanks for the suggestions.

    I don't think we can automatically detect if your fingerprint is on the sensor but we can try triggering the Hello dialog when the lock view is focused but there's a reason we don't do this yet. At the moment, we don't have an option to disable the Hello support, thus we're making it optional like this. Once we have an option to disable the Hello support, we can remove the need to click on the icon.

    Not everyone wants this feature and there may be some limitations we haven't found yet where we can't do this securely.

    We'll keep improving the Windows Hello support in future beta updates.

  • @TravelSD while we can trigger Windows Hello when app is locked we chose not to do so yet. It immediately activates camera (if Windows Hello used with camera), which may not be desirable for everyone. We will keep working on improvements though, thanks for your feedback!

  • bthayer23
    bthayer23
    Community Member
    edited January 2018

    I've got a Lenovo X1 Yoga with fingerprint reader and it's not working with 1Password 7. I use it to unlock my computer at login, but nothing happens when I click on the Windows Hello button in 1Password. I've tried clicking with my finger on and off the reader - nothing. There's a green light above my fingerprint reader that turns on at Windows login - no light with 1Password. I don't use the camera for facial recognition. Any ideas?

  • Hi @bthayer23,

    Thanks for writing in. Are you using any Lenovo software to manage your fingerprint scanner? (Note: there's a security issue with their fingerprint software, make sure you're up to date here)

    Can you go to Start, search for Sign-in options and click on it, is Windows Hello enabled here with the fingerprint scanner?

  • bthayer23
    bthayer23
    Community Member

    Mike, thanks for responding. I’m on Windows 10 Pro, so the fingerprint reader is managed by Microsoft. And yes, Windows Hello is enabled with the fingerprint scanner. Lastly, it’s a work machine, but we have a very laissez faire IT dept, so I have full access to GPE settings. Not sure if there’s something in there that may affect Windows Hello login.

  • Hi @bthayer23,

    Can you first update to 1Password 7.0.511 and let me know if it changes anything? If not, can you email us your 1Password diagnostics report. Please use this guide to generate the report and email it to us at support+windows@agilebits.com. Also, in the email, include the link to this thread along with your forum username, so that we can connect the email to this thread.

    Let us know here when you've sent it, so we can confirm we got the email.

  • bthayer23
    bthayer23
    Community Member

    @MikeT Email sent.

  • Hi @bthayer23,

    Thanks, we got the email and have replied to it. It may be related to the use of SGX.

    ref: ZDZ-56454-464

  • kop48
    kop48
    Community Member

    Is there any way for someone like @jpgoldberg to provide a run-down of how Hello secures your master password? :)

  • Hi @kop48,

    Yes, he'll comment as soon as he can, he's currently at a weeklong company conference.

    A short summary is this;

    1. Windows Hello does not replace your master password and you cannot unlock 1Password without your master password. Your master password is not stored to disk (never is, we use a unique encryption key for each device that can only be decrypted by knowing your master password that you give to 1Password)
    2. Hello becomes enabled when you unlock 1Password with the master password first. It will generate a new temporary unlock key to use.
    3. When you click on the Hello button, we sent an API call to Windows to confirm you are who you are, if it says yes, it'd use the temporary key to quickly unlock the app.
    4. Once 1Password is terminated, the temporary key is gone and you'll be required to unlock with your master password again.

    If you've been using 1Password for a long time, you may recall this as the quick unlock feature we had in the iOS version of 1Password before we've replaced it with a better Touch ID implementation that uses the secure enclave.

  • kop48
    kop48
    Community Member

    Thanks @MikeT! That helps get a better idea of the security posture. :)

  • You're welcome!

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Thanks @MikeT for answering the question. I’ve got a weirdly limited network connection, so haven’t been able to respond. Mike’s answer is spot on.

    1Password is not saving your Master Password (or Master Password equivalent). When 1Password exits, the relevant key disappears from memory. So what this means is that when you have Hello enabled and you lock 1Password (but keep the program running), 1Password has in its working memory the ability to unlock itself. UT that capacity is gone as soon as 1Password exits.

    You will need your Master Password every time you launch it.

  • tom223
    tom223
    Community Member

    Hello, really liking the update - especially the Windows Hello support :)

    Minor UX improvement: when you unlock 1PW Mini via Hello, the PIN input dialog isn't focused. It is focused when using the main window. Not sure if this affects other Hello methods (fingerprint etc).

  • Hi @tom223,

    Thanks for your feedback, I'm glad you like it so far.

    Do you notice the same problem in the main 1Password window? For me, the issue is only within 1Password mini and it is a known issue, there's a bit of a "focusing" conflict we're trying to resolve when you unlock Hello inside 1Password mini.

  • tom223
    tom223
    Community Member

    Hi @MikeT,

    Yup, the main window works as expected. Focuses when you click the button or use the shortcut.

  • Hi @tom223,

    Great! That means we know what it is and we're working on it.

  • ninjawa
    ninjawa
    Community Member

    Just an FYI, I'm also on a Lenovo X1 Yoga like @bthayer23 is, and my Windows Hello fingerprint login is working.

  • bthayer23
    bthayer23
    Community Member

    @ninjawa Agree, I think it's an issue specific to my machine. Is your user account on a domain?

  • ninjawa
    ninjawa
    Community Member

    @bthayer23 Yeah, I'm on a domain.

  • MikeT
    edited February 2018

    Thanks for that, @ninjawa, it really helps to have that information. We haven't been able to reproduce it on any of our machines but we do mostly have Surfaces. I guess I can ask my boss for a ThinkPad...

  • Hi @arianelu,

    Thanks for reporting it.

    It's a bug in 1Password 7, it is related to the known issue we've listed in the announcement forum, 1Password mini dismisses too quickly when you trigger Windows Hello and there's no connection to both.

    We're going to change how 1Password mini dismisses itself when Windows Hello is used to fix this.

  • [Deleted User]
    [Deleted User]
    Community Member

    same as @arianelu here. I am providing some information for this issue. I use a Fingerprint sencer, and I need to click the icon twice to see the Windows Hello dialog. Furthermore I need to click on the windows hello dialog for the third time to let the sencer scan my fingerprint. With 1Password app I immediatly see the dialog and can do the scan without any further operations.

    One more information which might be useful, my sencer has a working LED which shows it is "prepared to scan". It lights up at the first click. And continued to light until unlock. So if I used 1password extension on Chrome and ignore it (as it disappeared), and even when I use password to unlock the 1password mini from tray area, the light won't stop blicking.

  • MikeT
    edited February 2018

    Hi @GooEeu,

    Thanks for reporting that. We'll get that fixed. Windows Hello is likely waiting for us to reply but with 1Password mini dismissed after, there's no reply and so you'd see the scanner just waiting.

    This will be fixed once we update 1Password mini to stop dismissing itself when unlocking via Windows Hello.

  • [Deleted User]
    [Deleted User]
    Community Member

    @MikeT, I notice that I am able to use pin to unlock 1Password as well when using windows hello, which makes me worry. Leaking the pin of the windows will also make 1Password unsafe. For example in iOS, I am able to use TouchID to unlock 1Password, apple offers to use the pin to unlock as well because Apple thinks Pin has a higher Priority then Touch ID and is a replacement of Touch ID when authenticate. 1Password on iOS, however disabled this feature. When you entered the pin of iOS device (instead of using Touch ID) you need to enter the Master Password again.

    I would be very glad if this feature can be introduced to windows version as well.

  • Hi @GooEeu,

    Thanks for writing in.

    We do plan to add an option to disable Windows Hello in a future update but it is not a security compromise because if you have Windows Hello enabled, 1Password is still exposed to the same security risks. In other words, disabling Windows Hello within 1Password as a security measure would not really increase the total security of your device, you'd be better off disabling Windows Hello completely. If someone figures out your PIN, they can unlock your system and install malware or other compromising methods to grab your master password. In another words, a compromise of your system compromises all apps including 1Password.

    I would suggest reading my post above as how this all works. Windows Hello does not replace your master password, you must always unlock with your master password first and then Windows Hello can be used as a way to quickly unlock it. Once 1Password is terminated, you cannot unlock with Hello, you still have to unlock with your master password. This is far more restrictive than the iOS version of 1Password.

    Windows Hello allows you to unlock through any biometric system available, you can switch between fingerprint, face, eyes, and so on, PIN is the last resort for when there are no biometric systems available. Here's a screenshot for when you're unlocking with Windows Hello on Surface Pro 4:

    With that in mind, you must always take actions to protect your system on all levels and that means for an example, when traveling aboard, you should disable Windows Hello/TouchID/any biometric systems, avoid use of public internet without VPN, etc.

    For example in iOS, I am able to use TouchID to unlock 1Password, apple offers to use the pin to unlock as well because Apple thinks Pin has a higher Priority then Touch ID and is a replacement of Touch ID when authenticate.

    That's not how it works. Apple uses your passcode (PIN) as the master key for Touch ID to authenticate with, Touch ID does not replace your passcode at all, just as Windows Hello cannot replace your Windows' credentials and you must have a password for your Windows account before you can enable Hello. The same is true for 1Password on all platforms, nothing replaces your master password.

    To explain this with a real life example; if you set the device passcode of 1234, there is no point at all to use Touch ID. All anyone has to do to break the security on your iPhone is fail Touch ID on purpose and unlock with 1234, that's it. Same thing with Windows Hello, FaceID, etc.

    The single most purpose of this is that you don't have to unlock with a much stronger passcode a dozen time per day, you just unlock with biometric system. If you are concerned with security, don't use them because they all have compromises. If you don't live alone, all they have to do to unlock is wait until you sleep and bring your device to unlock with Touch ID. That's one way why FaceID can be secure in a way because it can made to require eye attention but it has its limitations.

    1Password on iOS, however disabled this feature. When you entered the pin of iOS device (instead of using Touch ID) you need to enter the Master Password again.

    We offer it as an option, yes and we will add this to the Windows app. Unlike on iOS, however, due to its locked-down system, it has a much larger security impact. It is not that easy to compromise an iOS device compared to Windows, since you can't install any random app and it would see the running 1Password processes and its data folder whereas you can on Windows. That isn't to say that iOS is perfect, like a jailbreak would mean the entire device is compromised regardless of what you do.

  • Spaldo
    Spaldo
    Community Member

    I may have missed someone posting it, however, I have noticed when using 1Pass 7.0.519 & the auto fill function in the browser (with keyboard shortcut) that it will allow me to use Windows hello unlock (via PIN), however, does not fill in the login. I have to do it a second time to fill in the login.

    Hopefully this makes sense, if not, I can post again ;)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Spaldo: Indeed, I believe that is involved in the window focus issue Mike mentioned above. We've definitely got some work to do to make things smoother, and the feedback on things like this is greatly appreciated, since it helps us know what to prioritize. Thanks for participating in the alpha! :)

  • Spaldo
    Spaldo
    Community Member

    No worries, I wasn't sure if it was the same thing or not...

This discussion has been closed.