Does 1Password / Windows Hello require a TPM chip and/or biometric authentication?

XIII
Community Member
edited October 2022 in Windows

On my (10+ years old...) Windows 10 PC I need to type my 1Password account password whenever I want to access 1Password 8. I thought my PC was too old to support Windows Hello and I don't think the motherboard even has a TPM chip (only a header?), but this week I noticed that I can enable a PIN code next to the password in Windows itself. However, even then 1Password 8 still requires me to enter the password every time.

The instructions are not very clear about this:

https://support.1password.com/windows-hello/

  1. Is biometric authentication (face or fingerprint) required?
  2. Is a TPM chip required?
  3. What about using a YubiKey instead (of biometric authentication and TPM chip)?

1Password Version: 1Password for Windows 8
Extension Version: n/a
OS Version: Windows 10
Browser: n/a

Comments

  • Hey there @XIII

    You'll definitely need a TPM chip to use face or fingerprint recognition to unlock 1Password, and a TPM 2.0 chip to allow you to use Windows Hello to unlock 1Password across reboots.

    However, in my testing, I was able to still set up a PIN in Windows Hello after disabling the TPM chip, so you should still be able to use that:

    Learn about Windows Hello and set it up

    Getting a security key like a YubiKey to work with Windows Hello is apparently a bit more complicated, but there are instructions from Microsoft listed in that article above, so give it a try as well and let me know how you get on. :)

    — Grey

  • XIII
    Community Member

    However, in my testing, I was able to still set up a PIN in Windows Hello after disabling the TPM chip, so you should still be able to use that.

    Yes, I mentioned that in my start post. However, I doubt it's safer than a password when there's no TPM chip?

    I don't see any instructions for setting up a YubiKey for Windows 10/11. I do see them for signing in to a Microsoft account, but I only use a local account (no Microsoft account) at that PC...

  • @XIII – I can't really comment on the internal workings of Windows Hello, so I would take the cautious approach. If you're not sure about its features or security, I'd probably suggest not using it.

    We provide a quick overview of the security of Windows Hello (from a 1Password perspective) here:

    About Windows Hello security in 1Password for Windows

    Considering we recommend using an alphanumeric PIN with Windows Hello anyway, perhaps the middle ground here is to change your 1Password account password to something that's easier to enter. We'd recommend four words, generated using the password generator.

    How to choose a good 1Password account password

    You don't need to have uppercase letters, numbers, or symbols in your 1Password account password, and it's generally easier to enter actual words than random passwords, so there's no fiddling with the Shift key or wondering where a particular symbol is on a particular system's keyboard.

    We never store your 1Password account password in RAM, on disk, or even in the TPM's secure storage – a single-purpose secret is generated when you use Windows Hello and 1Password checks for that secret coming back from Windows Hello instead.

    If the PC in question is already somewhere secure, and you aren't worried about anyone seeing the PIN you enter, you can choose a 4-number PIN if you want. The main thing is to balance how credible the threat of being shoulder-surfed is with how convenient the unlock method is.

  • XIII
    Community Member

    Yet another reason to finally ditch that Windows PC... 😉

  • @XIII – I definitely wouldn't stop you! 😁 Pretty much any new PC these days will have a TPM 2.0 chip, which makes Windows Hello more secure to use, and it'll probably mean you can use facial recognition via the webcam or a fingerprint reader to unlock 1Password, even after you restart. As always, make sure you remember your account password, because you'll be asked for it from time to time.

  • XIII
    Community Member

    I'm not going for a PC/Windows, but for Mac/macOS.

    (waiting for Apple's October announcements and need to save more money...)

  • @XIII – Ah, that's different. I'm sure our friends in Cupertino will have something suitable for that before long!

This discussion has been closed.