1Password8/Windows and Windows Hello on first signin?


Comments

  • krtickak
    krtickak
    Community Member

    I found another person having this issue on Reddit, so I'm linking their post here in case support wants to reach out to them for more diagnostic data. https://www.reddit.com/r/1Password/comments/tfu103/use_the_trusted_platform_module_with_windows/

  • baldersz
    baldersz
    Community Member

    Hey @krtickak, thanks for sharing this here. I was able to get it resolved and I updated my Reddit post with the solution. The tl;dr is that I had initially set up Windows Hello without my TPM enabled, and that meant the private key was stored in software key storage within Windows.

    After enabling the TPM, I then had to delete this private key using certutil, log off and re-enable Windows Hello. After doing this, I confirmed that the private key was now stored in the TPM, as indicated by NgcKeyImplType: 1 (0x1). I was then able to enable this option in 1Password and confirm it worked correctly.

    Hope this helps anyone else experiencing this behaviour!

  • krtickak
    krtickak
    Community Member

    @baldersz awesome, this worked like a charm. Now it would be awesome if 1Password directly said that those private keys are not stored in the TPM and that Windows Hello needs to be reset so it can store the private keys in the TPM. @PeterG_1P @ag_ana @MikeT @Nhat_Nguyen

  • BSi
    BSi
    Community Member

    @baldersz very well done, cleaning up the Windows Hello setup resolved the issue for me too. Thanks!

  • baldersz
    baldersz
    Community Member
    edited March 2022

    @krtickak and @BSi glad it helped!

    Edit: Can confirm that 1Password is using the TPM by running:

    certutil -csp "Microsoft Passport Key Storage Provider" -key -v | Select-String -Pattern "Name:", "NgcKeyImplType"

    The output will show an RSA signing key named 1Password-Enclave-Key stored in the TPM (indicated by NgcKeyImplType: 1 (0x1)).

  • krtickak
    krtickak
    Community Member
    edited March 2022

    I think I know what caused this issue: I enabled Windows Hello after I bought a fingerprint reader for my desktop computer, and the TPM was disabled at the time of registering Windows Hello. So Windows stored the Windows Hello private keys in software. Then I enabled fTPM in preparation for Windows 11, which I later changed to dTPM because of a stuttering bug in AMD's implementation of fTPM.

  • Hey @krtickak / @baldersz / @BSi:

    Glad to hear we were able to get you up and running, and thanks for sharing the steps!

    Jack

  • baldersz
    baldersz
    Community Member

    @krtickak you're exactly right. Windows Hello can operate without a TPM, and will store its private key in Software Key Storage within Windows if it cannot detect a TPM. Enabling fTPM or installing a hardware TPM (like I did too) doesn't automatically transfer this private key to the TPM. Glad we got it sorted!

  • Hi folks,

    As we continue to work with you awesome folks here and collect more data, we were able to find a solution that works better with more TPM chipsets.

    The next nightly (80700018, now available) and beta updates are going to have a major improvement in Windows Hello support: we can now work with AMD fTPM as well as vTPM in VMware Workstation on Windows and Parallels on Mac (other virtual machine software may also work, but we've tested these two).

    @baldersz, that's a great find and thanks for sharing it with us, we will probably include it as a troubleshooting method. We are trying to investigate everything we can find (we don't have a lot of docs and APIs to work with here) and that's a part of the conversation we're trying to have with Microsoft to find a solution where we can get the best of everything. We're getting there for sure, the current nightly builds have a lot of Windows Hello improvements already.

  • pbryanw
    pbryanw
    Community Member
    edited March 2022

    Hi, in my case I upgraded to Windows 11 and enabled the TPM after I'd set up a PIN for Windows Hello in my previous Windows 10 installation. So I was also experiencing the private key issue that @baldersz first discovered.

    Thanks to them, I was able to run:
    certutil -DeleteHelloContainer
    logoff

    in Windows Terminal. This deleted my current Windows Hello configuration and meant I had to re-enter my Windows password on the next login. From there, I was able to set up my PIN again, and this time my 1Password-Enclave-Key (stored in the TPM) returned a code of NgcKeyImplType: 1 (0x1). I could then enable the TPM security option in 1Password.

    I would suggest though, that anyone else who has this issue waits for official documentation from 1Password, before proceeding with troubleshooting.

  • MikeT
    edited March 2022

    I would suggest that anyone else who has this issue, waits for official documentation from 1Password, before proceeding with troubleshooting.

    Correct, there is no need to use the command line, as the same can be accomplished by turning off the biometric or PIN feature in Windows Settings (Accounts > Sign-in options) and re-enrolling the biometric or PIN; it'll go into the TPM's hardware store. This assumes Windows has confirmed there is a TPM enabled (click Start, search for Security Processor).

    We will be adding some docs on this once this is working for folks in the way we expect it to work.
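    As an added example (not code from this thread, and not 1Password's own tooling), the following PowerShell script combines @baldersz's certutil check above with the re-enrollment guidance from pbryanw and MikeT: it parses the certutil key listing for the Microsoft Passport Key Storage Provider and reports, per key, whether the NgcKeyImplType value is 1, the value this thread identifies as TPM-backed. Any other value is reported as "not confirmed in TPM" with the re-enrollment steps from the thread; the script changes nothing itself. The exact layout of certutil's output, the parsing regexes and the function names are assumptions, and the sample listing at the bottom is constructed for an offline run.

    ```powershell
    # Added example (not from the thread or from 1Password). Parses the output of
    #   certutil -csp "Microsoft Passport Key Storage Provider" -key -v
    # and reports whether each key carries NgcKeyImplType 1 (TPM-backed per this thread).

    function ConvertFrom-PassportKeyListing {
        # Turns certutil's text listing into objects with Name and NgcKeyImplType.
        # Assumption: each key block contains a "Name:" line followed later by an
        # "NgcKeyImplType:" line; the thread's Select-String filter relies on the same two lines.
        param([Parameter(Mandatory)][string[]]$Lines)

        $current = $null
        foreach ($line in $Lines) {
            if ($line -match '^\s*Name:\s*(.+?)\s*$') {
                if ($current) { $current }          # emit the previous key block
                $current = [pscustomobject]@{ Name = $Matches[1]; NgcKeyImplType = $null }
            }
            elseif ($current -and $line -match 'NgcKeyImplType:\s*(\d+)') {
                $current.NgcKeyImplType = [int]$Matches[1]
            }
        }
        if ($current) { $current }
    }

    function Get-HelloKeyReport {
        # Classifies parsed keys. Only value 1 is treated as TPM-backed, because that is
        # the value the thread confirms; anything else is flagged for re-enrollment.
        param(
            [Parameter(Mandatory)][object[]]$Keys,
            [string]$KeyName = '1Password-Enclave-Key'   # key name reported in the thread
        )
        foreach ($k in $Keys) {
            $inTpm = ($k.NgcKeyImplType -eq 1)
            if ($inTpm) {
                $action = 'OK: TPM-backed (NgcKeyImplType 1)'
            } elseif ($k.Name -eq $KeyName) {
                $action = 'Not confirmed in TPM: remove and re-enroll Windows Hello ' +
                          '(Settings > Accounts > Sign-in options; certutil -DeleteHelloContainer ' +
                          'if the remove button is greyed out), then re-enable the 1Password option'
            } else {
                $action = 'Not confirmed in TPM: re-enroll Windows Hello if this key should be hardware-backed'
            }
            [pscustomobject]@{
                Name           = $k.Name
                NgcKeyImplType = $k.NgcKeyImplType
                TpmBacked      = $inTpm
                Action         = $action
            }
        }
    }

    function Test-HelloKeyInTpm {
        # Live check: runs certutil (read-only listing) and reports on the real machine.
        $raw  = & certutil -csp "Microsoft Passport Key Storage Provider" -key -v 2>&1
        $keys = ConvertFrom-PassportKeyListing -Lines ($raw | ForEach-Object { "$_" })
        Get-HelloKeyReport -Keys $keys
    }

    # Offline demonstration against a CONSTRUCTED sample listing (not real certutil
    # output; the field layout is an assumption). The second key uses a made-up
    # non-1 value purely to show the "not confirmed" branch.
    $sample = @'
    Microsoft Passport Key Storage Provider:
      Name: 1Password-Enclave-Key
      Algorithm Group: RSA
      NgcKeyImplType: 1 (0x1)

      Name: ExampleSoftwareKey
      Algorithm Group: RSA
      NgcKeyImplType: 2 (0x2)
    '@ -split "`r?`n"

    Get-HelloKeyReport -Keys (ConvertFrom-PassportKeyListing -Lines $sample) | Format-Table -AutoSize
    # On a real machine run:  Test-HelloKeyInTpm | Format-Table -AutoSize
    ```

    The script only reads the key listing and prints a recommendation; the actual re-enrollment is still done by hand through Settings (or with certutil -DeleteHelloContainer when the remove button is greyed out, as described later in the thread), so nothing is deleted without the user choosing to do it.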

  • Tertius3
    Tertius3
    Community Member
    edited March 2022

    Cool, with this information I was able to determine with certutil that my Windows Hello PIN was software-based, not TPM-based. It seems I created the PIN a long time ago, when the TPM wasn't enabled in the BIOS.

    I removed the PIN and re-created it; now certutil shows the PIN is hardware-based and I was able to enable TPM support in 1Password.
    When 1Password starts, I now only have to enter the PIN, not the full master password.

    Thanks!

    PS: by the way, just changing the PIN didn't move it from software-based to hardware-based according to certutil. Since the option to remove the PIN was greyed out in Windows settings, I used certutil -DeleteHelloContainer to forcibly remove the PIN. I logged off, then back on, and then I enrolled a new PIN. Now it was finally hardware-based.

  • pbryanw
    pbryanw
    Community Member
    edited March 2022

    This was also an issue for me: I couldn't remove my PIN code in Windows settings.

    I've since discovered that you have to disable the "For improved security, only allow Windows Hello sign-in..." checkmark in Accounts -> Sign-in options, before you can remove your PIN. More info here:
    https://www.thewindowsclub.com/windows-hello-pin-remove-button-greyed-out

  • baldersz
    baldersz
    Community Member
    edited March 2022

    @Tertius3 glad it worked for you too. Disabling and re-enabling Windows Hello should have the same effect, as @MikeT mentioned, although in your case the option was greyed out, so you had no choice but to force-delete!

  • Thanks for the updates, folks. We appreciate you keeping us apprised of how this is working for you!

  • cubanx
    cubanx
    Community Member

    As I posted on the Reddit thread as well, thanks to baldersz, this fixed the greyed out checkbox and got Windows Hello working with 1Password again in general.

    Thanks 1Password and baldersz!

  • That's great to hear, thanks for letting us know.

    We've just shipped the 1Password 8.6.1 stable update to everyone, with more Windows Hello improvements, including extending TPM support to AMD's fTPM and to vTPM in certain virtualization solutions.

This discussion has been closed.