TPM For Windows Hello After Restart

With Windows 11 there will be even more Windows machines with TPM on by default. Thanks to the TPM, other password managers allow you to use Windows Hello even after restarting the app or the machine itself. Would this be possible for 1Password as well? It would be very similar to how the mobile apps work; there I also don't need my master password after a restart and can use Face ID right away. Thanks to the TPM it should be as safe as with the mobile platforms where you allow this feature.


1Password Version: 8.1.2-22.NIGHTLY
Extension Version: 2.0.5
OS Version: Windows 10
Sync Type: Not Provided


Comments

  • Dayton_ag
    edited March 2022

    Hey there @the_john19! That's a great question!

    Currently we aren't able to support Hello after reboot because there's no secure manner to store encryption keys on the device and store them securely through a reboot of the device. While I can't speak to future plans for 1Password, having a way to securely store these keys on the system persistently through a reboot is a requirement for providing this feature, and our Development team is always on the lookout for secure means to make this happen. We're all excited to see what we can build with 1Password and Windows 11. :smile:

    ref: /dev/core/core/8769

  • the_john19
    the_john19
    Community Member

    @Dayton_ag Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does: it provides a secure way to store the encryption keys on the device. Other password managers just check if a device has got one and, if so, provide this feature. There are also plenty of well-documented APIs by Microsoft to implement this in a very secure manner :)
    With Windows 11 basically all devices need a TPM chip (if they don’t change their mind), so with Win 11 this feature will be used by many more people with different password managers, and so it would probably become a feature they expect 1Password to provide as well.

  • Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does, it provides a secure way to store the encryption keys on the device.

    Understood! We are quite interested in TPM, and especially in what the combination of Windows 11 and TPM could bring.

    As @Dayton_ag mentioned, we're not in a position to speak to what will be included in future versions of 1Password, but I can say that all of us want to provide something that's convenient, useful to lots of people, and really, really secure. TPM is certainly on our radar, for the reasons you've mentioned. But, "always in motion is the future," to quote a famous philosopher. 😀

  • kop48
    kop48
    Community Member

    Windows Hello basically provides this functionality, but it's important to note that you probably don't want to store raw keys in the TPM without either using a PIN, or using Windows Hello's biometric unlock of the NGC Container that underpins it.

  • Thanks for your feedback! :smile:

  • Hi @the_john19 @kop48, we have an update for you!

    Support for TPM has now made it to our latest Beta, 8.6.0-43. With this, you can now unlock with Windows Hello after restarting 1Password or rebooting your machine. 🥳

    If you'd like to update and give it a try, we'd love to have your impressions of the new feature (and hey, this Beta's got a collapsible sidebar option too)!

    Thanks again for providing the feedback we need to keep making the best app possible. We greatly appreciate it!

  • the_john19
    the_john19
    Community Member

    @PeterG_1P Thank you for the update, it works wonderfully! So much more convenient now, thank you a lot!

  • Ryota
    Ryota
    Community Member

    Hmm. This unfortunately doesn't seem to work for me on a Ryzen 5900X with fTPM enabled.
    The option remains greyed out.

  • MikeT
    edited February 2022

    Hi @Ryota,

    Thanks for writing in to report this!

    We are aware of some incompatibilities with certain TPM chipsets, such as Ryzen's fTPM and VMware's vTPM where the system reports back with no TPM attestation support that we need. What's really odd about these two is that when we compare it with the system tools, they are available but when we go through our APIs, they're not. Also of note, we did see available TPM support with an external TPM chip on top of Ryzen 5xxx series mobo, so it is possible to enable TPM in that setup, just not with Ryzen's fTPM (yet).

    We are working with Microsoft to determine the reasoning behind it or to see if we can improve our support.

    At the moment, there isn't a way around this yet that we can find (beside using the external TPM chip). Hopefully, we'll have better news in time as we continue to gather more information and work with Microsoft on this.

  • Ryota
    Ryota
    Community Member

    Hi @MikeT ,
    many thanks for your detailed answer. I figured there were still some issues with fTPM (and probably especially in combination with Windows 11). Already thinking about adding a dedicated TPM.
    But I'm glad that you're adding the feature at all, and I understand that it's Beta atm and it still needs some more clarification and probably development.

  • jpalo
    jpalo
    Community Member

    Not working. First it asks for password, after successful pwd, it shows the Windows Hello prompt.

  • Hi @jpalo,

    Thanks for writing in. If you quit 1Password now and restart, does it now show the Windows Hello prompt or for your account password?

    After enabling the TPM support, it does require you to lock 1Password and then unlock with the account password first, so we can initialize it with the TPM. It should then work with Windows Hello only from there on, at least until the next Windows update or hardware updates.

  • jpalo
    jpalo
    Community Member

    Will try; I only locked 1pwd, didn't quit and restart.

  • Let us know how it goes.

    Also, can you let us know what CPU you're using?

  • Tertius3
    Tertius3
    Community Member
    edited February 2022

    It isn't possible to activate TPM support for me. It's on an Intel i7-6700K. TPM is activated in BIOS and the TPM actually shows up as "Trusted Platform Module 2.0" in Windows Device Manager.
    Windows Hello with PIN is active and is working fine.

  • Hi @Tertius3, thanks for the details. I see that Mike replied to you in a separate thread, so we'll continue the conversation over there to keep things tidy. 👍

  • gussic
    gussic
    Community Member

    Hi all,

    Just testing this feature out - I have TPM enabled via the Intel software solution in my motherboard (I forget the name... PTT?) and confirm that after restarting the machine the Windows Hello prompt does appear, but it is quite slow - it also doesn't start/become focused unless you manually click on the window / icon in the taskbar. I recall the Windows Hello prompt not being focused was a bug/issue in earlier builds of 1P8.

    What information do you need from me to help troubleshoot this? Or are you already aware/on top of it?

    1Password: 80600043, on BETA channel
    Windows information:
    Edition: Windows 11 Pro
    Version: 21H2
    Installed on: 25/10/2021
    OS build: 22000.527
    Experience: Windows Feature Experience Pack 1000.22000.527.0
    Hardware information:
    Processor: Intel(R) Core(TM) i9-10900KF CPU @ 3.70GHz 3.70 GHz
    Installed RAM: 32.0 GB
    System type: 64-bit operating system, x64-based processor
    Motherboard: Asus ROG STRIX Z490-E Gaming
    BIOS version: 2403

    Let me know if you need anything else.

    Cheers

  • jpalo
    jpalo
    Community Member
    edited February 2022

    Quitting and restarting 1Password doesn't change the behavior. It still first asks for pwd, then the Hello prompt. CPU is "11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz". I do have a video here of the behavior, but can't add it here unfortunately.

  • gussic
    gussic
    Community Member

    @jpalo Yes I am noticing the same behaviour.

  • FelixSe
    FelixSe
    Community Member

    Same here, Windows Hello always pops up after I had to type my password

  • gussic
    gussic
    Community Member

    Still getting this issue, lack of engagement/comment from 1P staff/devs is a little disappointing :|

  • i5918591
    i5918591
    Community Member

    I have enabled fTPM on my AMD Ryzen 7 3700X, but I can't check the TPM with Hello feature...

    version 8.6.0

  • Tertius3
    Tertius3
    Community Member

    It seems TPM is just a label and a generic term for a large variety of hardware security modules of different manufacturing dates with different specifications, most being obsolete and not considered secure enough for anything other than storing BitLocker drive encryption keys.
    I assume this is one cause for Microsoft requiring only the most recent CPUs for Windows 11, thus the most recent TPMs only. This enables a unified security function set over all Windows 11 machines, like securely storing more than just BitLocker keys.

    Given the fact that TPMs have been deployed for more than 10 years, this is quite disappointing. The main issue causing this is probably that it is resisted by the people. TPMs are seen as privacy and control being taken away from the computer owner by the media industry (DRM) instead of the TPM being a safe vault for items they want to be stored securely and not taken away by some attacker.

    My personal view of a TPM in the past was also that it is only a control device for the industry and against my free computer use - this proved wrong and changed only a few years ago after I looked deeper into what functionality is actually provided by a TPM.

  • Hi folks! Sorry for the delay in response here.

    We've been working on a couple different things related to this, and we could indeed use specifics of your setups if you're willing to share. This can help us round out our knowledge of where the TPM support is working, where it isn't, and why.

    Here's what you can do to get us the relevant information:

    1. Send us a brief email at support+windows@1Password.com, with a link to this discussion and your username (so that we can match up the relevant info)
    2. Include the name of your CPU, and any TPM details you know about your system offhand

    Once you've gotten in touch with us over there, we'll reply and likely ask you to run a few specific diagnostic commands on your device and share the output of those commands with us. That will give us the specific technical context we need to understand why TPM integration might be working with CPU X, but not CPU Y, and what we can do about it.

    As always, your involvement here is very much appreciated. And while the Enhanced Hello is already off to a ground-breaking start, we're looking forward to improving it with your help too. I'll hope to see you over there! 👋

    @Tertius3 @gussic @FelixSe @jpalo

    Lastly, I'm sorry to say that we're aware of existing incompatibilities with AMD's fTPM, @i5918591, but as Mike noted we're working with Microsoft on this to see what can be done about it.

  • gussic
    gussic
    Community Member

    @PeterG_1P

    Thanks for responding Peter, I've reached out with the information requested and replied with the terminal information that was asked of me. My ticket number is 72966-442 (just in case you want to track it).

  • Thanks @gussic!

    ref: ALL-72966-442

  • Hi folks,

    The next beta update (available now in a nightly update (8.7.0-18)) will now enable support for AMD CPUs as well as virtual TPM.

    Note that if you're still seeing the option being greyed out after this update, there may be a reason for this. Your current Windows Hello key may still be backed by software, not the TPM, even if you have TPM enabled.

    The reason is that if you enabled the Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to the hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM, which is when 1Password will enable its TPM settings for you.
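    A pre-flight check that walks through the conditions this post and the earlier replies describe (TPM present and ready, TPM 2.0, Windows Hello enrolled, and the enrol-before-TPM ordering caveat). This is an added example, not 1Password's own tooling; it assumes the `Get-Tpm` cmdlet, the `Win32_Tpm` WMI class and the `NgcSet` line of `dsregcmd /status` are available, and the re-enrol advice is taken from this thread rather than from any Windows API that reports key backing.

```powershell
# Added example (not 1Password code): pre-flight check for TPM-backed Windows Hello.
# Run from an elevated prompt: Get-Tpm and the MicrosoftTpm WMI namespace need admin.
# Assumptions: Get-Tpm (TrustedPlatformModule module), Win32_Tpm and the "NgcSet"
# field printed by dsregcmd /status exist on this machine.

function Test-TpmHelloReadiness {
    $result = [ordered]@{ TpmPresent = $false; TpmReady = $false; Tpm2 = $false
                          HelloEnrolled = $false; Advice = @() }

    # 1. TPM present and provisioned? Without one the 1Password option stays greyed out.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm -or -not $tpm.TpmPresent) {
        $result.Advice += 'No TPM detected: enable fTPM/PTT or a discrete TPM in firmware, then reboot.'
        return [pscustomobject]$result
    }
    $result.TpmPresent = $true
    $result.TpmReady   = [bool]$tpm.TpmReady
    if (-not $tpm.TpmReady) {
        $result.Advice += 'TPM present but not ready; check Get-Tpm for RestartPending / provisioning state.'
    }

    # 2. Spec version: Device Manager shows "Trusted Platform Module 2.0" on a working setup.
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion -like '2.0*') { $result.Tpm2 = $true }
    else { $result.Advice += "TPM spec version '$($wmi.SpecVersion)' is not 2.0." }

    # 3. Is Windows Hello enrolled for this user at all? (NgcSet in the User State section.)
    $ds = (dsregcmd /status 2>$null) | Out-String
    if ($ds -match 'NgcSet\s*:\s*YES') { $result.HelloEnrolled = $true }
    else { $result.Advice += 'Windows Hello is not enrolled for this user; set up a PIN/biometric first.' }

    # 4. Ordering caveat from this thread: a Hello key created before the TPM was enabled
    #    stays software-backed and Windows does not migrate it. If everything above passes
    #    but the option is still greyed out, removing and re-enrolling Hello creates a TPM key.
    if ($result.TpmPresent -and $result.TpmReady -and $result.Tpm2 -and $result.HelloEnrolled) {
        $result.Advice += 'All prerequisites met. If the option is still greyed out, remove and re-enrol Windows Hello.'
    }
    return [pscustomobject]$result
}

Test-TpmHelloReadiness | Format-List
```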

  • Tertius3
    Tertius3
    Community Member

    As I wrote in the other thread, for me 1Password started to recognize the TPM after I re-enrolled my Windows Hello data.

    So the feature development of TPMs in the last years was not as significant as I thought earlier.

  • KimBje
    KimBje
    Community Member

    @MikeT - As an AMD user I can confirm that upgrading from 8.6 to the newest Nightly update solved the issue with Windows Hello appearing after entering my password manually. I can now log in with Windows Hello as intended. Nice!

  • Excellent news, @KimBje. 🙌 Thank you for letting us know - and we hope you enjoy the feature from here!

This discussion has been closed.