Please allow the use of Windows Hello on first launch

Cartman
Cartman
Community Member
edited May 2018 in 1Password 7 for Windows

I was initially really excited about Windows Hello support but now see that I will never benefit from this feature. I am still required to enter a master password after a boot up or restart. This makes Windows Hello support ultimately useless as I do not have 1Password set to auto lock throughout the day. I have Windows is set up to handle that. Repeatedly unlocking both Windows AND 1Password multiple times a day is not feasible (for me at least...and I would imagine most people).

My daily activity is going to the office/home and turning on the computer. Windows Hello immediately and beautifully logs me into Windows. Windows Hello is amazing how well it works to log me into Windows. It still blows me away after over a year of using it daily and is a delightful way to start my day. I then have to launch and enter the master password into 1Password. At this point my delight is diminished and I start to wonder why I am still having to manually type in a password. The pain is exaggerated by the delight I just experienced moments ago. I have Windows set to auto lock or I manually lock it when I am away from the computer (Windows Key+L or the lock key on the Surface ergonomic keyboard).

Since I am still required to enter the master password on first launch and have 1Password set to never auto lock (again, Windows handles this) I would never benefit from having Windows Hello support in 1Password.

Please make it so you can use Windows Hello on first launch. Does the Mac version support Touch ID on first launch? Maybe you can rename 1Password to 0Password in the future? ;)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Cartman,

    Thanks for writing in.

    As much as we want to do this, this won't happen for a long while. Windows Hello is nothing like Touch ID where we know that every Touch ID sensor is securely connected to an secure enclave but Windows Hello doesn't have that for all computers. We need to verifiably trust that Windows can store the decryption key in a secure chip and right now, we haven't completed our research on this. Once we do more research and talk to Microsoft, we can add support for this. For now, your master password will always be required if 1Password is terminated or you do a reboot.

  • brettg
    brettg
    Community Member
    edited June 2018

    Hi @MikeT, Let me know if you have found the right teams at Microsoft to talk to. I'm not an MS employee, but have contacts.

    Windows Hello (Pin, Fingerprint and Face Recognition) data is stored / processed by the TPM chip onboard of Hello supported Windows 10 PCs. Effectively the same as a "secure enclave."

    Here are some links to assist.
    https://docs.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
    https://docs.microsoft.com/en-au/windows-hardware/design/device-experiences/windows-hello-face-authentication

    Not sure if he's still there, but this guy might be a good place to start at MS.
    https://mva.microsoft.com/en-US/training-courses/introduction-to-windows-hello-15936?l=eH7yoY2BC_9106218949
    There's a comprehensive PPT there to review as well.

    So while your perception is that "Windows Hello is nothing like Touch ID," with a little research I'd argue that Apple's Touch ID is pretty much a carbon copy of the Intel / Microsoft infrastructure. Admittedly there are multiple 3rd party hardware providers in the loop, not just one or two but the outcome is the same.

    I hope you can address this too as I had also hoped that your support for Hello would be a great way to step into the 1password world. The way you are supporting Hello is a good first step, however now that I have to make my entry password weaker the benefits of investing in the platform are waning.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brettg: Thanks for chiming in! Windows Hello is very different from Touch ID for the very reasons you outlined though: there's no integration, and there are many different vendors and hardware setups involved. Windows Hello is awesome, but the tools available to developers haven't been around as long and haven't matured to the level of what's available with Touch ID. I'm sure that will change in time though, and then it may become more feasible to do something like this. Personally, I'd love to not have to go through the prompt. Being able to have the user choose to store the secret on a long-term basis would be cool too, but as Mike mentioned that's not even something that's available to most people. So for the time being at least, there are things we can work on that will do more good for a greater number of people, especially while Microsoft and hardware vendors make it easier to use and available to more people. Cheers! :)

  • brettg
    brettg
    Community Member

    Well I don't believe that your statement, "there's no integration" is correct sorry @brenty. Perhaps this is just semantics on my part. According to the links above and the background info that I have, all Windows Hello hardware (IR/camera modules and Fingerprint Readers) is built to a spec, certified and digitally signed directly by Microsoft in order to even be able to access the Windows Hello system.

    So although there are potentially many hardware providers, they've all been 1st party signed to meet the spec. That is in fact a high level of integration. You've got a software system that integrates with hardware that is certified to meet a highly specified and secure standard.

    If you meant "integration" to mean that Apple owns the whole stack (hardware and software), you'd still be wrong because they don't. The difference is that you know a lot less about who actually manufactures the tech you're relying on than you do here.

    In the meantime, I'll keep an eye out for the feature down the track... I'll hold out hope that you can take this to the next level sooner rather than later.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I think there are a lot of semantics involved. If I concede your definition of "integration", there's still a matter of the tools Microsoft offers to use Windows Hello. For example, we're stuck with users having to manually invoke the Windows Hello prompt, and then interact with it again to confirm after biometric auth is completed. That is to say, there are some very significant differences between the two implementations of what is otherwise a very similar feature, and a lot of that comes down to "integration" in the sense that I meant it. Even if we can't agree on that, I think we can agree that it would be nice for it to be as seamless an experience on Windows as it is on iOS. If we can do that securely and reliably, I have no doubt we will in the future. :)

  • josundt
    josundt
    Community Member

    From Windows 10 version 1903, Windows Hello is FIDO2 certified, and Microsoft starts to support passwordless login for Microsoft Accounts. Windows Hello also supports passwordless web browser authentication using FIDO2/WebAuthn.

    At this point I would assume that the security built into Windows Hello should be good enough for the 1Password application.

    Ref:
    https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Hello-FIDO2-certification-gets-you-closer-to/ba-p/534592
    https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/

    Maybe its time to have a look into this again?

  • AGAlumB
    AGAlumB
    1Password Alumni

    As I'm sure you can appreciate, we don't make assumptions when it comes to security. It's something we'll continue to explore, but the main challenge is that there isn't a reliable way for us to persistently store a secret derived from the user's Master Password securely, which would be necessary to avoid it needing to be entered the first time after 1Password has not been running.

  • zootooz
    zootooz
    Community Member

    I think it's worth considering unintended consequences here. We want everyone to have a highly secure master password, but the inconvenience of having to enter it so frequently is likely to lead to folks opting for a less secure master password – one that's easier to type in. I must admit my own frustration has tempted me more than once to create a brainless text-expander workaround. Why not make it opt-in and you can display a warning message so the user understands that there is a risk?

  • I don't want to paint anyone with broad strokes, @zootooz, as I'm sure there are folks who are very conscientious about reading these sorts of warnings, but I'd wager that as many (if not more) would simply click through without giving it a glance. What's more, there are those who I'm sure would be reasonably put off by our even offering an option we don't believe to be secure. It's tough to design something for a broad audience. You reasonably want to be able to accept some risk because you understand what that risk would be. Meanwhile, others rely on 1Password not to allow them to make insecure choices in the first place. A security message may help, but only if everyone reads it and only if it properly conveys the risk you're taking on by enabling such a setting. We have no way to guarantee that understanding and allowing folks to disable what we view as security feature without that understanding feels like we're not doing our jobs to keep everyone's 1Password data safe.

    There is a risk that having to enter your Master Password more often will encourage weaker Master Password and it's one we do keep in mind when designing 1Password generally. In fact, we've designed 1Password.com accounts around the assumption that people will use weak Master Passwords at times. Unlike Hello unlocking when you first start 1Password, however, we can't prevent folks from doing this entirely. We could perhaps introduce more rules for your Master Password, but that would go against our own advice about what makes for a good Master Password (and that of independent experts as well) and comes with risks of its own like unmemorable passwords that lead to lockout. That's why we introduced the Secret Key along with 1Password.com accounts. A strong Master Password is still absolutely important, but your Secret Key ensures that at least your data on our servers is protected by more than just your Master Password.

    It's ultimately a balancing act across the board. While security decisions don't always have to come with trade-offs, the reality is that they often do all the same, at least at the start. In this case, we're currently trading a chunk of convenience for those who want to take this risk for the assurance that those who don't want to won't do so by accident. I'm sure there will be different views on whether or not this is the proper choice, but the good news is this choice was not made to be a permanent decision. We want to allow Hello unlocking always. If this can be implemented securely, it's a win for all involved and we are continuing to investigate options to do so.

  • zootooz
    zootooz
    Community Member

    OK - thanks for the thoughtful response. I appreciate that.

  • Greg
    Greg
    1Password Alumni

    @zootooz: On behalf of Kate you are very welcome! :)

    Feel free to reach out to us anytime, we are always happy to answer your questions about 1Password.

    Cheers,
    Greg

  • oncle_l
    oncle_l
    Community Member

    If you want this feature, you have to change to dashlane
    ;)

  • Greg
    Greg
    1Password Alumni

    @oncle_l: While we respect our competition, let's focus on 1Password discussion here, as this is 1Password support forum. You can check the rules of this forum here. Thank you! :+1:

    ++
    Greg

  • With passwords I'd totally agree with you, @Naxterra. I mean, our tagline is "Go ahead. Forget your passwords." so I supposed I'd better, right? But your Master Password is a bit of a special case. It's not the same as your typical passwords. Those are used for authentication – proving you are who you say you are and should have access to a thing. Your Master Password is an encryption key. I suppose it technically still does prove you're you (or at least that you have access to the secret we've agreed means you're you), but more importantly it gives 1Password the data it needs to do some math and unlock your vault. No matter whether you use Windows Hello or a security key, your Master Password is still required and used. It can't be replaced in the same way an authentication password can. That exact input is needed to do the math, so that Master Password (or, more accurately, the master unlock key generated from your Master Password) is stored somewhere and necessary to decrypt your data no matter the physical mechanism by which you unlock your vault.

    Now, obviously, storing that Master Password or your master unlock key somewhere and using other user-facing methods to unlock is totally possible and it doesn't rightly matter to y'all what happens under the hood per se. We do want to reach a point where we're confident that a given implementation of always-on Hello will be a reality. But, absent a 100% foolproof and totally reliable method of alternative unlocking, I would never be comfortable telling anyone to forget their Master Password. So, allow unlocking with Hello always? Yes, certainly, when we've done our due diligence and are confident we can implement this in a manner that meets our security standards. But, please. Don't forget your Master Password. Little in this world is fool-proof and you just don't know when you're going to need it. 🙏

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2019

    It is not about forgetting Master Password, it is about securing it. For my end, I have 15 character Master Password. Yes, it is secure but as a security measure I have to change it regularly. Going passwordless means I should use a security token like Yubikey or authenticator token or even biometric authentication instead of writing long passwords.

    @Naxterra: Changing a password which is not weak, reused, or compromised is not a security measure; it's unnecessary work that encourages you to use a weaker one that you would otherwise, and/or forget it more easily, given that you need to learn a new one each time.

    No one in the security industry is recommending that anymore, and most actively recommend against doing so.

    I don't want to give names but even Microsoft is doing it, why can't you? When accessing my account I open my mobile authenticator, give the correct number which is shown on the screen, then authenticate via Face ID, then process is complete. In my corporate account it is similar, except I only authenticate only via my mobile authenticator. I am talking about a company with more than 210k employees in global. They even made it possible to login to computer via one Yubikey. (which was my main reason to buy one personally)

    You're confusing encryption and authentication. 1Password's security is based on encryption. Signing into a Microsoft account is authentication. Yubikeys can be used as a second factor with 1Password membership accounts in many cases, and we'll continue to build on that; but authentication is not going to replace encryption like you seem to be suggesting with your "account" comparison. The fact that you keep saying "authenticate" instead of "decrypt" is accurate, because that's all that's happening.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Not sure why you think that, but large corps are enforcing complex passwords and regular changes. At least every three months or six months. That is what I see in my current clients.

    @Naxterra: "Large corps" are also getting breached left and right. I'd suggest taking "security" guidance from somewhere else. NIST and folks who help companies get their act together after they have a major security incident due to negligence or poor choices would be a good place to start. :)

    Another example, even I thought my 14 digit password was secure (it includes symbols, numbers, small and capital letters) then one day I saw on a forum along with my email. Some people provided a dump of accounts with passwords for Spotify. I am pretty sure my computer and network are secure so how can they get that password?

    I don't have any way of knowing that, but here are some reasonable theories.

    Also, purely anecdotal, but in my research and experience there seem to be financial incentives at play making it worthwhile for attackers to target Spotify users. The Netflix thing still baffles me though.

    Back to original topic. What do you suggest for master password? Maybe it seems practical to you to enter it once in Windows, then let Windows Hello handle rest of unlocks but it is pretty annoying when using 1Password X. Another idea, is it possible to integrate with a mobile authenticator? For example if I want to unlock 1Password, it sends a request to my mobile device, to a authenticator app, doesn't matter which one, I use Face ID or some other biometric authentication to approve that request, and 1Password unlocks. As for master password, it would be required only on first time installs.

    Those are all things we can continue to evaluate, but all but one have some big problems, as it fundamentally goes back to the Master Password needing to be stored somewhere, and in cases where we don't have a secure way of doing that (i.e. devices which don't have something like Apple's T2 chip and/or Secure Enclave) it's a no-go for us. We need to put security first with 1Password, otherwise there's no point in you or any of us using it. And saving the Master Password to disk is not secure. A lot of people come back with "so encrypt it", but then you need to a different password to decrypt that, so we're just kicking the same problem down the road a few yards. We could obfuscate it, but that provides no actual security, and it could be de-obfuscated by an attacker. So, right now, the 1Password app keeps a form of the Master Password in protected memory while running in the OS, and so does 1Password X while running in the browser.

    The one thing that's viable currently that would help in your example -- keeping 1Password X unlocked in the browser by having the 1Password app unlocked, even when the browser is closed -- is integration between the desktop app and 1Password X. We're working on that currently in 1Password for Mac + 1Password X "desktop app integration" betas, and once we've got it working well we will bring that to Windows too. It's not small task though, so I don't know when all of the kinks will be ironed out with that. In the mean time, the 1Password desktop app + companion extension combo already allows 1Password for Windows to handle lock/unlock across the app and all browsers so you to use Windows Hello for more convenience after you've unlocked using your Master Password.

    As far as the Master Password itself, the thing that will help you most is using one that is long, strong, and unique and sticking with it unless there's actually some reason it needs to be changed. That allows you to memorize it and get better at typing it when you need to over time, instead of having to do a "reset" of your brain and fingers periodically. That allows you to use a better one that perhaps you could otherwise. :)

    How to choose a good Master Password

  • williakz
    williakz
    Community Member

    Great info, thanks @brenty (other than the snarky Google dead-end). I like that you guys bite the authentication/encryption bullet right up front with the Master Password.

  • laugher
    laugher
    Community Member

    For what its worth, one of the Windows PC we have here is working with Windows Hello with a simplified PIN as the authentication mechanism. It accepts an YubiKey authentication as well (without a challenge) and I can assure you, the machine is over 10 years old and does not have a TPM chip installed.

    It doesn't make me get the warm and fuzzies when I see a PC that can be used with a simple 4 digit passcode but that's the sacrifice and risks we have agreed to accept because the lady doesn't want to overcomplicate things with a complex password.

    It also puts into question the foundations (and the shortcuts) that Windows Hello is willing to accept.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I think that the main goal of Windows Hello is to avoid people having to type their password each time they want to use their PC, so there are certainly ways to use it insecurely (just as with Touch ID with a weak PIN to bypass it). But for folks who do want to increase their security, a strong alphanumeric passcode can be used, and perhaps there will be a way for users to disable the PIN/passcode option entirely going forward. Cheers! :)

This discussion has been closed.