Using Windows Hello (fingerprint authentication) instead of master password everywhere

I am using 1Password with Windows 10 app (beta) and 1Password extension (not 1Password X) from Chrome webstore on Chromium based Microsoft Edge. I would like to have a feature in both this app and extension (or in any other 1Password app/extension for that matter) where for opening the same, need to ask for master password only once (the first time its installed). Any subsequent unlocking can be done using Windows Hello (here I am using fingerprint authentication). I don't want to type the long and complicated master password each time I restart my system. Although I turned off both auto lock options in Windows 10 app it doesn't help. It still asks for master password each time I restart my system. I know this is done for I security reason but there should always be a choice for those who chose to do so. So here is how the requested (optional) feature is expected to work: During the first install of Windows app it should ask for master password, after that, turning on that option should enable the user to just unlock by fingerprint without ever to type in the master password. For security reason the app might ask for the master password at most once a month or so but not anything less than that. I would really love to have this feature.


1Password Version: 7.3.684
Extension Version: 4.7.4.90
OS Version: Windows 10 1903
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Supra: No. The Master Password is needed to decrypt the data, so not requiring it after restarting 1Password and/or the computer would mean storing the Master Password. We have no plans to do that.

    But if you use the 1Password desktop extension with the app, you can use Windows Hello in the browser too:

    Use the 1Password extension to save and fill passwords on your Mac or Windows PC

    You can download it here:

    https://1password.com/downloads/#browsers

    1Password X is designed to work independently, running entirely in the browser. The desktop extension is designed to allow the 1Password app to integrate with the browser. Then you won't have to unlock 1Password in the browser separately.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • StringMon
    StringMon
    Community Member

    I too would like this feature, so I have a couple of followup questions:

    1. The 1Password app for Android can be opened with just my fingerprint. By your explanation, this means that it's storing my Master Password, or it wouldn't be able to decrypt my data.
    2. I used to use LastPass, and its Windows client is able to decrypt data locally with only biometric authentication (it can be configured to always use fingerprint as an alternative to entering the master password after a reboot). Why can't 1Password manage this same functionality?
  • It's not a question of able, @StringMan – we are certainly able to allow you to always unlock with Windows Hello, but like Brenty mentioned we would need to store some secrets persistently to do that. We don't store your Master Password anywhere, actually, but on Android, iOS and Mac, we do store what we call your "Master Unlock Key". This is a key derived from your Master Password and Secret Key that's used to encrypt and unlock your data.

    We could do the same on Windows today for sure, but the important thing is to store it somewhere safe. Android, iOS, and macOS all provide a location that's available across devices where we've done our research and decided storing your key there meets our security standards. Windows has options too and we're looking into them, but we're not comfortable with any one just yet hence the need to use your Master Password any time you restart your 1Password app.

    This is actually something we'd like to do on Windows, but like with anything that hasn't been built and tested yet, we don't want to make any promises when we can't be sure we can deliver on them. As someone constantly having to restart 1Password for Windows for testing purposes, I'd be as thrilled about this feature as anyone – we definitely see value there – but it's long been our philosophy that if we're not convinced we can provide a given feature in a manner that meets our security standards, we'd rather take the flack for skipping it than go with a less secure alternative.

    I'm not implying, nor would I, that others have made insecure choices. I don't know what design choices they made and if I did and we audited that choice, it could easily be one we're perfectly happy with. But, we've got to do that research and investigation for ourselves, so we're working on that now and if we find an option we feel provides the security we expect while still allowing you to unlock more easily, we'll be all for it. :chuffed:

This discussion has been closed.