Using Windows PIN to unlock 1Password?

Hi 1Password,

Just noticed today when opening 1Password on Windows, and browser extension for Firefox:

Windows Security pops up and asks if it really me and asks me to Enter My Pin to unlock 1Password. I don't think this was part of the plan. If I press cancel, it takes me to the Master Password, however, if I enter the Windows PIN, it unlocks 1Password.

Kind Regards,
MakeItSo


1Password Version: 7.4.753
Extension Version: 4.7.5.90
OS Version: Windows 1909
Sync Type: Not Provided

Comments

  • Unlocking with Hello when it's enabled in 1Password and available in Windows is the plan by default now, @MakeItSo. If you have a Hello-compatible web camera or a fingerprint scanner, you can use either of those as well, but since Windows requires a PIN fallback for Hello unlocking, it will always be possible to use PIN as well.

    Now, with that said, there are totally options to configure this. If you want Hello to remain an option for unlocking, but want to tell it when to engage, you can toggle off the option to "Show Windows Hello prompt automatically" in 1Password > Settings > Advanced. If you'd rather use your Master Password always and never unlock with Hello, you can turn off Hello unlocking in 1Password > Settings > Security. You're the captain so just let 1Password know how you'd like to unlock and it will make it so. :chuffed:

  • MakeItSo
    MakeItSo
    Community Member

    Hi @bundtkate
    I'm not using Hello, or a camera, or a fingerprint scanner on my PC. I never set it up, or toggled using Hello (I think it should have notified me that this was a new feature and it was enabled).

    I see it in the settings; and changing it now.

    Thank you for the quick response,
    MakeItSo

  • Hi @MakeItSo,

    Windows allow PIN to be used for Windows Hello as well (it is not limited to biometrics) and if you enabled PIN for your Windows account, it'd be used in 1Password and other apps that integrate support for it.

    The only reason you may see it now is because 1Password 7.4 shows it by default now but it's been available via the Windows Hello button on the lock view since the original 1Password 7.0 release.

  • MakeItSo
    MakeItSo
    Community Member

    Thank you @bundtkate and @MikeT

  • You're welcome!

  • Bloxorz
    Bloxorz
    Community Member

    Thanks for the answers you have provided here.

    I would like to point out that I, and I am sure a lot of others, am very unhappy with this development. I have turned Windows Hello off as an automatic pop-up but why am I not able to turn off this function entirely?

    This seems to completely undermine the security of the master password. Now someone must only know the short pin for the computer to log into my secure passwords? This seems like a huge step backwards and not providing an option to turn it off entirely is not only short sighted but makes the whole product weak and pointless in my opinion.

  • ag_ana
    ag_ana
    1Password Alumni

    @Bloxorz:

    I have turned Windows Hello off as an automatic pop-up but why am I not able to turn off this function entirely?

    From what bundtkate and MikeT wrote in this discussion, this seems to be coming from Windows itself.

    This seems like a huge step backwards and not providing an option to turn it off entirely is not only short sighted but makes the whole product weak and pointless in my opinion.

    If you want to use your Master Password all the time, you can disable Hello, as per the instructions from bundtkate above. Here they are again for your convenience:

    If you'd rather use your Master Password always and never unlock with Hello, you can turn off Hello unlocking in 1Password > Settings > Security.

  • Bloxorz
    Bloxorz
    Community Member
    edited August 2020

    Thank you for pointing out the option in Settings > Security I have now done this.

  • Bloxorz
    Bloxorz
    Community Member
    edited August 2020

    I still think it is stupid that you have included this at all. Yes it my allow you to use bio-metrics if you have them but you could still bypass it if you know the pin.

    And turning this on as default without it being explained or asking for confirmation seems extremely insulting to all of your paying security conscious customers for whom you have just introduced a massive flaw in your product. And don't get me started on all of the people who have set this up for their less tech savvy family members. Very disappointed.

  • ag_ana
    ag_ana
    1Password Alumni

    @Bloxorz:

    Thank you for sharing your feedback with us!

    I still think it is stupid that you have included this at all.

    As I wrote above, my understanding is that this is a Windows setting: when you enable Windows Hello, Windows will ask you to set a PIN. I would recommend sending this feedback to Microsoft as well, if you believe they should never ask for a PIN in the first place.

  • Bloxorz
    Bloxorz
    Community Member

    Perhaps it is Microsofts fault for imposing the need for a pin and not defaulting to 1password's master password instead. However you are a SECURITY company and should never have included something that undermines the security of your product. Especially not as default. Ridiculous.

    It is most definitely on you to refuse Microsoft's integration of Windows Hello until you had confirmed how it would not effect the security of the programme. Instead of risking all of your customers security so you could work with whatever Microsoft sets up and most probably so you could make some money off some deal.

  • plttn
    plttn
    Community Member

    So:
    1. There's no kickback for Agilebits for implementing a native OS security feature, that's just silly. Nor was this somehow imposed by Microsoft
    2. I'm a big believer in the Chrome security model, which can be summarized as "if the attacker can sit at your computer and see your desktop, then there's only so much that can be done". If you're telling people your Hello PIN, then even if you didn't have Windows Hello enabled for 1Password, I could just install a keylogger or do numerous other things to get your master password.
    3. Hello only allows 3-4 incorrect PIN guesses before completely disallowing PIN authentication anywhere for the rest of that boot cycle.

    If no one knows your computer login pin, then stepping away from your computer without locking it is a non-issue since your pin is required to unlock Hello, which shouldn't be able to be bruteforced in 4 tries, and if your computer is locked completely then they're back in the same boat, only 4 tries to bruteforce your pin.

  • ag_ana
    ag_ana
    1Password Alumni

    @Bloxorz:

    I am not sure that removing Windows Hello integration would be the right choice here, especially since there are already settings both in Windows Hello and in 1Password to configure unlocking the way you want to. But we can certainly continue evaluating every feature as we move forward :+1:

    I would also like to use the opportunity to kindly ask you to try and keep the conversation civil. While I understand your frustration, calling us stupid or suggesting that we are getting money from Microsoft for implementing a feature is quite disrespectful, and messages like these don't help create a pleasant environment for the forum community. I would encourage you to read the forum rules. Specifically this section:

    The long and short of it is: be kind. Be respectful of other customers and of the 1Password Team Members that are here to help you.

    Being respectful includes but is not limited to:

    • Keeping discussions on topic, and related to 1Password
    • Not advertising other products or services
    • No name calling or other abusive or disruptive behaviour

    We're here to help, but the use of this support forum is a privilege, not a right.

    Thank you for the collaboration!

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for chiming in on this @plttn! And you are absolutely right in your analysis. Thank you as usual for your support :)

This discussion has been closed.