The Windows Hello experience is garbage, with or without TPM. Please just let me keep 1P unlocked.

Dunecat
Community Member
edited June 2022 in Windows

First of all, love 1P, there's a reason I pay for the product, but this is driving me nuts. What's on offer for Windows Hello support in 1Password 8 is, frankly, garbage.

I'd like to start with describing the unlock flow for Windows, if you use Hello:
1. PC boots
2. Windows activates the IR camera and starts looking for you, or prompts you to touch the fingerprint sensor
3. Windows automatically unlocks once it recognizes you. Nice!

That's what I call a good user experience.

On the contrary, even if you use Windows Hello & the TPM with 1Password, then here's the 1Password unlock flow:
1. Steps 1-3 above (because you need to get into Windows to start!)
2. Launch 1P
3. 1P calls the Hello API
4. The Hello prompt appears and asks for your biometrics, at which point it might randomly decide to use a different biometric, like a fingerprint instead of your face, or vice versa
5. Once it's prompting for the correct biometric, THEN you can complete the Hello prompt
6. Once it's confirmed the expected biometrics, then you have to click 'OK' to confirm
7. THEN 1Password finally unlocks.

And that's presuming that 1P successfully completed the TPM read and didn't randomly decide that "Windows Hello was reset" (big yikes).

Honestly, all this is a waste of time. Just let me leave the vault unlocked for my Windows user, so when Windows unlocks, my vault is already unlocked, even after a reboot.

This requirement to unlock every time the app starts is no more than security theatre--if you set the vault to not auto-lock, then you can sleep or hibernate the PC and when it wakes, 1P will still be unlocked. That's good, and no complaints there--but it just goes to show that the unlock-on-start requirement that 1Password imposes amounts to a penalty for shutting down my PC when I'm not using it. That's just absurd.

Does the 1Password team believe that Windows Hello is secure or not?

  • If it's secure, then if I'm using it to unlock my PC, let the Windows unlock be the only unlock required.
  • If it's not secure, then why go through all the effort of supporting it and supporting TPM modules?

The conscious choice to require unlock upon every launch is nonsense and very hostile to the user. Power users should have the option to delegate the unlock to avoid this bizarre rigmarole. There is NO BENEFIT to requiring a duplicate Windows Hello unlock!

Now, if you want to offer enterprise customers the ability to set certain policies on how enterprise-owned vaults can be unlocked, that's a different story, but not relevant to consumer users who should have the control over their own vaults. Or if you want to impose some maximum timeout (like 14 days) then at least I don't have to unlock every time I boot up the PC.

The worst part is that 1P handles much riskier user behavior much, much better than this. For example, if you have a weak password, 1P tells you you should change it, but doesn't require it. Or if you reuse passwords across sites, 1P warns you but doesn't force you to change any of them. Or if you're not using 2FA, and it's available, then 1P suggests that you enable it, but again, doesn't require it! **I'm simply asking for the same treatment when it comes to unlocking the vault.**

Sidebar: it's incredibly frustrating to try to have serious conversations about these types of things, only to get flip brush-offs like "well we think it's more secure this way, too bad if you don't like it". Nobody has any compelling argument for why or how the supposed benefit of prompting for unlock on every app start outweighs the convenience of delegated unlock. 1P stands alone in enforcing this requirement. Bitwarden, Dashlane, LastPass, even Chrome, Edge and Firefox's built-in password managers don't impose this hostile regime.

OK, rant over. Thanks for reading.


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: Windows 10, Windows 11
Browser: Not Provided

Comments

  • Hey @Dunecat:

    This is a great question. The short version is that in order to keep your 1Password data secure on your device, this requires encryption of your 1Password data. We're always working to provide the best balance of security and convenience, and both are very important. With that said, we'll never be a product that offers one without the other.

    To ensure that your data stays secure, your encryption keys can never be written to disk. When you sleep your device, the encryption keys remain in memory, but when you restart your device, they're reset. It's possible to use Windows Hello to unlock 1Password without a TPM, but the only way we can safely persist the encryption keys for your 1Password data across device reboots or after quitting 1Password is to store the encryption keys in a TPM.

    As for the user experience of using Windows Hello to unlock, 1Password asks Windows Hello to unlock, and from that point on Windows Hello is in charge of deciding which Hello option is displayed.

    Jack

  • JoesCat
    Community Member

    I’m all for having options. An opposing strategy is keeping 1Password as an additional layer of security. Consider this scenario: someone obtains your Windows device and while you’re sleeping/otherwise indisposed they can use your biometrics to authenticate via Hello. Having the option to lock your other saved logins can at least be locked with an alternative unlock method (something you know).

    That’s just one of the ongoing potential pitfalls of single factor “what you have” authentication; nothing new there.

    I agree, we would ideally be granted the choice and have each function well for each. Yes, many (I’d argue most) will choose the most convenient option. At least warn the user.

This discussion has been closed.