Using Windows Hello to unlock 1Password every time

PG79
Community Member

I saw in another thread a suggestion to use Windows Hello even on the first unlock and the dev team's reasoning for not doing so. I get that it would involve storing the master password on the computer, and that's a generally undesirable situation. Without knowing too much about Windows Hello, I imagine that's the case for every password used in Windows Hello, and that those passwords must be stored in some cryptographically-protected storage within the computer. I believe - please correct me if I'm wrong - that the concern is storing the master password anywhere, not just within Windows Hello's password storage. In other words, it's not a slight against or concern with the security of Windows Hello, but rather a general concern.

So what about this? Assuming that it is possible to tell if the password is coming from Windows Hello, as opposed to user-entered, you could have 1Password generate a special Windows Hello-only password that is unique to both the user and the computer. Attempting to use this password to unlock 1Password through any means other than directly through Windows Hello will not succeed. This solves the requirement of not storing the actual master password anywhere. It keeps the Windows Hello password unique. And, again assuming that you can tell it's coming from a Windows Hello unlock request, it cannot be used to unlock 1Password any other way.


1Password Version: 7.4.767
Extension Version: 1Password X 1.19.1
OS Version: Windows 10 1909
Sync Type: Not Provided
Referrer: forum-search:windows hello first unlock

Comments

  • Unfortunately, @PG79, I don't think that would work. You may know some of this stuff already so forgive me if I'm being repetitive, but I don't want to gloss over anything either so I'm erring on the side of too much detail over too little. You see, only your Master Password (or, more accurately, your Master Unlock Key which is derived from a combination of your Master Password and your Secret Key) can unlock 1Password. Unlocking 1Password isn't like signing into a website. When you sign in to most sites, what you're doing is proving that you're you. You provide something the site believes only you have and it says, "Great, thanks, here's your stuff!" This can be your actual password or it can often be something else you and the site have agreed is equivalent to your password, like a token showing you've signed into an account using SSO.

    1Password, on the other hand, is actually incapable of giving you your stuff unless you explicitly give it your Master Password. Your Master Password may be viewed as proving you're you, but it is also the missing piece in the math equation that allows 1Password to decrypt your data and transform it from random blobs to the stuff you see in your 1Password apps. If you give it anything other than your Master Password, the math won't work and 1Password can't unlock. There is simply no getting around storing your Master Unlock Key if we want Hello to work.

    With that said, there isn't a genuine objection to storing that key anyway. It's something that needs to be done to make always-on Hello work and we already do this for Touch ID on Mac and iOS as well as temporarily for allowing Windows Hello at all. The issue isn't that we don't want to do that, it's that if we're going to store that Master Unlock Key persistently, rather than only while 1Password is running, we need to be extra sure we're choosing an adequately protected location that will be available regardless of hardware. Windows provides a number of possible options here so the remaining task is to do our due diligence and make sure we're making a solid and secure choice that fits our criteria. So, in short? We'd be thrilled to have this work, but taking that step takes some time so it's a matter of the stars aligning where everyone who needs to give such a location the thumbs up has the time to dig in. The security team, in particular, often has a lot of demands on their time so these sorts of decisions often don't get made quickly and probably universally take longer than our customers would like. But, these things are on our radar and we're continually monitoring for that chance to get it done. I won't say it will happen any time soon – it may not – but you can at least rest assured that there's no fundamental objection to having Hello work out the gate. We just want to be extra sure we're handling it properly and that takes time.
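The reply above makes a point that is easier to see in code: the Master Password is an input to the key that decrypts the vault, so a substitute Hello-only password derives a different key and decryption fails, while a persistently stored Master Unlock Key does unlock. The example below is added here and is not 1Password's code; its two-secret key derivation and HMAC-based cipher are simplified stand-ins for the real scheme, and the salt and Secret Key values are constructed.

```python
import hashlib
import hmac
import os

# Assumed, simplified scheme (not 1Password's): the Master Unlock Key (MUK)
# is derived from BOTH the Master Password and the Secret Key, and the vault
# can only be opened by whoever holds exactly that key.

def derive_muk(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a password-derived part and a Secret-Key-derived part into a 32-byte MUK."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(muk: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(muk, nonce, len(plaintext))))
    tag = hmac.new(muk, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(muk: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(muk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: the math does not work out")
    return bytes(c ^ k for c, k in zip(ct, _keystream(muk, nonce, len(ct))))

def unlock(blob: bytes, muk: bytes) -> bool:
    """True only if this key decrypts the vault; there is no other 'proof of identity' path."""
    try:
        decrypt_vault(muk, blob)
        return True
    except ValueError:
        return False

def demo() -> dict:
    salt, secret_key = os.urandom(16), os.urandom(26)          # constructed sample values
    muk = derive_muk("correct horse battery staple", secret_key, salt)
    blob = encrypt_vault(muk, b"login: alice / pw: hunter2")   # constructed vault item
    hello_only = derive_muk("device-bound hello token", secret_key, salt)  # the proposal
    stored_muk = muk   # what always-on Hello must keep, hence the protected-storage question
    return {"master_password": unlock(blob, muk),
            "hello_only_password": unlock(blob, hello_only),
            "stored_muk": unlock(blob, stored_muk)}
```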

  • PG79
    Community Member
    edited May 2020

    Thank you for the detailed response! I didn't realize that the master password was part of the crypto protecting the vault(s). That makes a lot of sense with respect to why it's needed vs. any other solution. As a Windows user, I see a lot of value in Windows Hello, and I think sometimes Microsoft gets a bad rap for coming up with solutions (sometimes very good solutions) and subsequently abandoning them. Sometimes this is management's fault, but a lot of times it's because nobody is using them - either due to lack of developer interest, lack of user interest, or sometimes just being a bad implementation.

    Without developer interest, I feel like Windows Hello will end up going the way of the dodo (hopefully not), before it ever gets to the point of ubiquity. I totally get that everyone wants to sign off on using it before any commitment is made, and there are a lot of demands being placed on the team that outweigh this. But it does make Windows users feel a little like second-class citizens, with our "also-ran" OS-level security solution. :(

    Thanks again for the response!

  • For whatever it might be worth, @PG79, I read (the headline of) an article the other day mentioning that Chrome was going to allow users to auth with Hello prior to filling payment info saved in Chrome, so it looks like there is some adoption ramping up and potentially some interesting stuff in the wings from Microsoft. I've also felt in the past like the slow adoption of Windows 10 by us stubborn Windows users was part of the reason some of its newer features were largely unused so I've got my fingers crossed that having ended support for Windows 7 will also help ramp things up. Here's hoping!

  • CarOli
    Community Member

    I don't quite understand the behavior and feel bugged by 1Password on my Windows PC. I do understand and back your concerns, if there is no hardware for secure storage available.

    A lot of computers have a TPM which is "like Secure Enclave". Also you do different things to unlock 1Password on different hardware: on iPhones it is sufficient to use Fingerprint or FaceID, even after rebooting the iPhone, on macOS one can use a fingerprint.

    Why don't you do it on Windows computers with hardware-backed secure storage and Windows Hello?

  • ag_ana
    1Password Alumni

    @CarOli:

    I quite don't understand the behavior and feel bugged by 1Password on my Windows PC.

    Can you please elaborate on this a little bit? What behavior are you referring to exactly? We will be happy to clarify if we can :+1:

  • CarOli
    Community Member

    Sorry ag_ana, but I can't figure out how to cite in a reply, but I will happily elaborate and am glad for the reaction from your side:

    Since 1Password requires a fairly long and complex password, which is a good thing, typing it often leads to mistyping or inconvenience. One more thing: typing a clear-text password leaves you open to shoulder surfing, and the keyboard (USB or Bluetooth) is one of the weakest (in terms of security) input mechanisms we have. More convenient and safer at the same time are hardware-backed mechanisms to "replace" password input via keyboard, combined with biometric factors, as we all know. I think we all agree about these previous sentences and that's a reason why you at AgileBits implemented things like Face ID (iOS), Touch ID (iOS, macOS) and Windows Hello as a replacement.

    Things to beware of: while Apple uses a Secure Enclave or T2 chip, Windows Hello can be implemented without a TPM, hence without secure hardware to protect secrets.

    Naturally, to unlock 1Password without typing a lengthy and error-prone password (esp. on an iPhone), we are all glad that we can use Face ID / Touch ID on Apple devices even after restarting 1Password or even the whole device.

    My question (and what bugs me) is: why isn't this possible on Windows devices, especially if Windows Hello is backed by a hardware TPM? For a hardware TPM can protect the road to 1Password far better than a plain password and is equal to a Secure Enclave or T2 chip.

    My expectations: I can unlock 1Password after Windows reboots by Windows Hello without entering a password over the keyboard. Thus aligning with Apple devices in relation to convenience.

    Thanks again for your time.

  • bundtkate
    edited August 2020

    I won't say with total certainty that TPM fits the bill fully, @CarOli, because I honestly don't have the requisite knowledge to make that determination. But, with that said, we have done some digging into how we might utilize it if it so happens to do what we need it to and haven't found a way to limit always-on Hello only to systems with TPM available. So, even under the assumption that TPM does the trick, we've not yet found a tidy way to allow always-on Hello with TPM without allowing it globally.

    In general, I am only slightly ahead of a novice on Apple devices so some grains of salt are warranted here, but I do think it's fair to say that Apple's consistency when it comes to hardware makes certain tasks a bit easier. Apple themselves only allow certain features on devices with certain hardware as well, so there tend to be settled methods for developers to do the same. Windows, on the other hand, runs on all sorts of hardware and OEMs vary widely in how they use that hardware. This is actually one reason I love it (I really enjoy building my own PCs) and it has its advantages for consumers who want to save a buck and might need a lot of power in one area but less in another. Still, it presents challenges as well and limiting how software functions based on hardware is definitely one of those challenges.

    I get the feeling we've given the impression that we're not at all open to allowing Hello all the time and I'm sure I'm guilty of contributing to that perception. And there may be some truth to that. On iOS, in particular, we run into a lot of folks who have Touch ID fail 3 times and get locked out because they've forgotten their Master Password as a result of never using it. So, I would personally hope we continue to require your Master Password on occasion regardless, just to protect against lockout. But we definitely aren't married to the status quo and absolutely do want to allow y'all to use Hello after a reboot or app restart, at least far more often than is the case now. We've just got some work and research yet to do to make that a reality.

  • CarOli
    Community Member

    I am glad to see you investigating this aspect, @bundtkate, and think I have some impression of what it takes to tame the Windows tiger. In the business world it seems a bit easier, for Windows will do all the magic of making sure certain certificates can only be created on hardware security, some even only on special TPMs. But that's for certificates and business. I am sure that you've already looked over those Win32 TBS functions and if they don't fit....well, it might be a tough job.
    I agree: it's a lot easier in Apple's eco system. You know what you'll get.

    Locking yourself out of 1Password's precious data is a complete disaster. Nobody will risk it just for convenience. So the Master Password should always be a last resort and even an intermediate confirmation that everything's still in limits. Anyway, nobody can help those that forget and can't disclose their Master Password. But that's already warned of and written on your web pages.

    Please keep on your good work and let's hope your research will eventually succeed.

    Kind regards.

  • Greg
    1Password Alumni

    Hi @CarOli,

    On behalf of Kate you are very welcome!

    There is this balance between the security and the convenience that we need to strike. It is not an easy task, but we are always looking at ways to make 1Password better and improve overall 1Password experience.

    Please let us know if you have any other questions about 1Password. We are always open to them. :)

    Thanks! :+1:

    ++
    Greg

This discussion has been closed.