TPM For Windows Hello After Restart

With Windows 11 there will be even more Windows machines with TPM on by default. Thanks to the TPM, other password managers allow you to use Windows Hello even after restarting the app or the machine itself. Would this be possible for 1Password as well? It would be very similar to how the mobile apps work; there I also don't need my master password after a restart and can use Face ID right away. Thanks to the TPM it should be as safe as with the mobile platforms where you allow this feature.


1Password Version: 8.1.2-22.NIGHTLY
Extension Version: 2.0.5
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Dayton_ag

    Team Member

    Hey there @the_john19! That's a great question!

    Currently we aren't able to support Hello after reboot because there's no secure manner to store encryption keys on the device and store them securely through a reboot of the device. While I can't speak to future plans for 1Password, having a way to securely store these keys on the system persistently through a reboot is a requirement for providing this feature, and our Development team is always on the lookout for secure means to make this happen. We're all excited to see what we can build with 1Password and Windows 11. :smile:

    ref: /dev/core/core/#8769

  • @Dayton_ag Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does, it provides a secure way to store the encryption keys on the device. Other password managers just check if a device’s got one and, if so, provide this feature. There are also plenty of well-documented APIs by Microsoft to implement this in a very secure manner :)
    With Windows 11 basically all devices need a TPM chip (if they don’t change their mind), so with Win 11 this feature will be used by many more people with different password managers, and so it would probably become a feature they expect 1Password to provide as well.

  • PeterG_1P

    Team Member

    Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does, it provides a secure way to store the encryption keys on the device.

    Understood! We are quite interested in TPM, and especially in what the combination of Windows 11 and TPM could bring.

    As @Dayton_ag mentioned, we're not in a position to speak to what will be included in future versions of 1Password, but I can say that all of us want to provide something that's convenient, useful to lots of people, and really, really secure. TPM is certainly on our radar, for the reasons you've mentioned. But, "always in motion is the future," to quote a famous philosopher. 😀

  • kop48 Junior Member

    Windows Hello basically provides this functionality, but it's important to note that you probably don't want to store raw keys in the TPM without either using a PIN, or using Windows Hello's biometric unlock of the NGC Container that underpins it.

  • Dayton_ag

    Team Member

    Thanks for your feedback! :smile:
