Windows SSH Agent without Windows Hello?

BorkforceOne
Community Member
edited May 3 in SSH

Hi!

I was very excited to try the new SSH tooling built into 1Password 8 Beta for Windows. However, I do not have Windows Hello on my desktop which sounds like a requirement to use the 1Password SSH agent on Windows (see green TIP here https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent).

Is there any way around this? Or are there plans for an alternative here? I don't mind entering my master password every time I need to SSH as an alternative. I'd really like to use the SSH agent :)


1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: Windows 11 Pro

Comments

  • floris_1P

    Team Member

    Yes, it's currently a requirement, but we will be adding support for entering your account password as well in the future.

  • mrbscreen
    Community Member

    The password option is really necessary. My company, for example, does not allow the usage of "Windows Hello".

  • floris_1P

    Team Member

    It was not an easy decision to make, so we can assure you that this is high on our list.

    Out of curiosity, what's the main reason your company doesn't allow Windows Hello?

  • mrbscreen
    Community Member

    The main reason is legal hostility belonging to the German GDPR (DSGVO).

  • ag_tyler

    Team Member
    edited February 24

    @mrbscreen, thanks for giving us additional context there. That definitely helps us prioritize this!

  • Tertius3
    Community Member

    My company (worldwide, > 100000 employees) also disabled Windows Hello for reasons unknown to me, at least for the machines located in Germany. Since regular ssh agents ask for the key password once at loading time, then never again, I would like a similar behavior in 1Password as an option. Just be able to disable any prompt and just serve the key if it is requested by some ssh client.

    I understand asking for Windows hello unlock is a security measure to make me aware that a ssh key is actually requested, and to detect unexpected requests, but this is not standard behavior of ssh agents.

  • ag_tyler

    Team Member

    @Tertius3 Thank you for the additional feedback. We're definitely doing some research here to determine how we might approach this particular scenario going forward. We need to balance security with ease of use but we know this is important to make more seamless for you!

  • sb22hh
    Community Member

    Hello, I've seen this conversation and I'm curious what is the status of this request?
    My company doesn't allow Windows Hello because of legal reasons (GDPR).
    Would be great if this request could get the highest priority.

  • chris.db_1p

    Team Member

    @sb22hh Removing the requirement of Windows Hello is something we're actively working on. Stay tuned!

  • uncaught
    Community Member

    I'm wondering whether the use of windows hello is a technical requirement or just convenience for you?

    I mean, could the 1password app not prompt for the use of an SSH key itself? Without asking for a password at all, if the app is already unlocked.

  • Mentat
    Community Member

    @chris.db_1p
    Thanks for this good news!
    I just wanted to add that in my organization (including branches in Germany) Windows Hello is also prohibited, but access is allowed using security keys like Yubikey.
    Perhaps this could be an alternative to windows hello too?

  • sitepodmatt
    Community Member
    edited November 22

    It's perplexing to me that you guys feel the need to rank the security requirements of the ssh-agent different (and a whole lot stronger) than a whole vault of passwords, credit card numbers, PPI, API keys and so on.. This goes beyond opinionated to mandated with "New processes always require approval"

    Please re-think some of this governance and give us the option to opt-out (perhaps via a flag or advanced menu) of some of these ridiculous requirements (none of this nonsense in keepass-xc ssh-agent) - let's get rid of the "new processes require approval always" mandating first..

    I know it's hard as you reach for the thumb button on your shiny macbook airs at the start of your daily tmux session to consider other people have different workflows and security considerations and security precautions already in place.

  • tomstock
    Community Member

    My organization also disables Windows Hello. I would love for the ssh keys to seamlessly work on my workstation without Windows Hello.

  • Jack.P_1P

    Team Member

    Hi @tomstock / @sitepodmatt / @Mentat / @uncaught:

    Thanks for your feedback on this. As my colleague Chris mentioned, we're actively working on this, but I don't have anything to share just yet. Keep an eye out.

    Jack

  • Guidome
    Community Member

    +1 here, not using Windows Hello as... I am on a desktop... without fingerprint reader... without IR webcam... I do have a PIN however configured with Windows Hello, but it seems this use case is not supported either!

  • Jack.P_1P

    Team Member

    Hi @Guidome:

    As long as Windows Hello is available (even with just PIN) and configured to unlock 1Password (Settings > Security), you should be able to use your Hello PIN for the 1Password SSH agent. Let me know if that isn't working for you and I can take a closer look.

    Jack
