Is it possible to set up Windows Hello with a fingerprint-enabled security key but without a PIN?

N_Z_L
Community Member

Hi, I see in the knowledge base this section about Windows Hello and the PIN:

https://support.1password.com/windows-hello-security/

Use a strong, alphanumeric PIN when you set up Windows Hello. It’s always possible to use your Windows Hello PIN to unlock 1Password, so make sure your PIN is strong and memorable. Consider using the 1Password password generator to generate it.

Does anyone have an idea why?

I mean... The whole point of a fingerprint-enabled security key is to go passwordless. I'd like it to be mandatory: if one cannot provide the fingerprint, I don't want them to unlock 1Password. But Hello allows someone to avoid the fingerprint and just type the PIN! It's like making the whole bio security optional... I don't understand why. And because the PIN is mandatory, I cannot set up the security key without one.

So in order to follow the recommendation here, which is very logical given the process (even if I don't understand at all the reason behind it...).

I don't want someone to access too easily my 1Password vault with only a PIN. In fact, I don't want a PIN to remember at all. Because if I set up one (and I'm forced to), I'll have to remember it and provide it sometimes when asked by Hello. I don't want that. It becomes yet another impractical password, nullifying the very idea of using a fingerprint and forgetting about stupid random complicated passwords generated for me :'(



Comments

  • Goldfinger
    Community Member

    The purpose of the PIN, AFAIK, is the fallback option, but also I do recall that the PIN is used to encrypt the biometric data.
    The PIN is tied to the hardware too, so it is not a password per se.

    Getting to passwordless is going to be a journey.
    It's relevant that Hello was created before TPM 2.0 was required for a Windows install, as it is in Win 11.

    Did you find anything different?

  • Hi @N_Z_L, thank you for this question!

    Per @Goldfinger's post, this has to do with how Windows Hello is designed. Microsoft's docs indicate:

    Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

    If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.

    From our position at 1Password, what we can provide is an "integration" with Hello - in other words, we can provide a way to interface with Hello and use it to extend the capabilities of 1Password, but we can't fundamentally alter how Hello works (or perhaps more specifically, what it requires to work).

    Ultimately, if you're uncomfortable with using a PIN to unlock 1Password on that device, I'd recommend sticking to the classic combination of account password and Secret Key.

    For what it's worth, we are always thinking about how to make sign-in to 1Password easier while keeping things secure, so we appreciate your feedback on this and the points you've raised here. Thanks for taking the time to do so.

  • crkinard
    Community Member

    Windows Hello asking for and requiring a PIN is Windows demanding it. Not 1Password.

  • Thanks for your comment here, @crkinard. That's correct, 1Password does hand off the duties of unlocking to Windows Hello/Windows Security.

This discussion has been closed.