Continuous reprompt Windows Hello

AlmoEnd

The prompt reads: "You need to enter your account password before you can use Windows hello" but it seems to me that this shouldn't pop up every single time I launch the last pass, excuse me, one pass extension in Firefox. Am I correct, or do I have to enter my master password every single time?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hello @Almoend,

    Thanks for your message and welcome to the 1Password Community. You should not be required to enter your account password every time. By default, the lock status of 1Password in the browser and the use of Windows Hello are tied to the 1Password 8 desktop app.

    First, I'd like to understand what's happening with the desktop app. Could you close your browsers, disable Windows Hello in 1Password and completely exit the app by right-clicking the icon in the system tray > Quit. Then, relaunch 1Password and try setting up Windows Hello again following these guides: Use Windows Hello to unlock 1Password on your Windows PC / [Manage your settings - Windows Hello](https://support.1password.com/windows-hello/#manage-your-settings)

    Before opening Firefox, does the desktop app now unlock as expected with the use of Windows Hello only, after closing or completely exiting the 1Password 8 app? If so, try opening Firefox again and let us know if 1Password in the browser unlocks automatically. Looking forward to your reply.

  • AlmoEnd

    ** Before opening Firefox, does the desktop app now unlock as expected with the use of Windows Hello only, after closing or completely exiting the 1Password 8 app?
    No, it still displays the pwd prompt.

    ** If so, try opening Firefox again and let us know if 1Password in the browser unlocks automatically. Looking forward to your reply.
    And if not? Right now, after following the guide, same prompt, same message, like 1P is ignoring WHello entirely, and the password prompt is displayed in FF also.

    It's a feature I was really looking forward to; saving the master PW for 30 days like LastPass does is yet another sketchy behavior I'm sure I won't miss in LP.

  • digitalatlas

    Are you using Windows 10 that was installed a while ago? I had this issue when my partition style was MBR and Secure Boot was not enabled. Make sure TPM 2.0 is enabled.

  • AlmoEnd

    Windows 11. SecureBoot and BitLocker on (that would mean TPM is enabled, I think). Honestly, I'd like to use my YubiKey with Hello, supposedly supports FIDO2 now, but haven't read all the fine print yet. This is a personal, non AAD-joined laptop, so not sure if that can happen, but if 1P's Windows Hello integration worked "as advertised" I'd then be able to authenticate to both the laptop and the 1P at the same time, not needing to enter the complicated 1P master PW. Would this be considered "Passwordless" yet? "Are we there yet? Mom, Dad, I gotta peeeeee!!"

  • AlmoEnd

    I guess I thought a little deeper: "Would I want somebody to be able to log on to my Windows 10+ PC with only a (potentially stolen) Yubikey in their hand?" Even if it was just a second factor, PIN (relatively easy to steal) plus key == access. NOT good.

    However, I have a key set up as a second factor, as outlined in this support article, but the TPM 2.0 message received when setting it up is a little confusing or maybe "frightening" is a better word. That is, it bespeaks something like: "if anybody else can use Hello on your computer to log in as you, then they will have full access to your Vault" which makes (to me) zero sense.

    I thought TPM was on by default with BitLocker. But the second factor seems to only come into play when installing on a new device or browser? At the moment, the device is unlocking using Hello correctly when the 10 minute timeout occurs, but not after reboot or logout? Is this behavior by design? If so I would suggest the prompt be reworded differently than "before you can use Windows Hello with 1Password".

  • AlmoEnd

    Every reboot I get the sequence:

    • log in to 1Password 8.9 with Master Password (prompt still reads before you can use ...)
    • Vault opens, appears accessible
    • Windows Hello then prompts for PIN on a computer where I have the camera taped over
    • Nothing visibly changes, I'm still seeing the vault and it appears open/accessible

    So am I missing something? Seems 180 degrees off? Should be Windows Hello, then vault opens? Or, no prompt reading before you can use ...

    TPM check box is ticked.

  • Tertius3

    @AlmoEnd

    That is, it bespeaks something like: "if anybody else can use Hello on your computer to log in as you, then they will have full access to your Vault" which makes (to me) zero sense.

    The warning that comes with the TPM was that a malicious app could gain access to 1Password information.

    You always have to weigh risk against convenience. 1Password as a vendor must warn about every possibility, no matter the probability, that exists to break in. They don't write: "times this happened in the past is one for 100000 users", thus probability 0.00001% for each user. Unfortunately, it's difficult to rate such warnings: is some warning significant for my own user profile? How significant?

    For example, as a single person with the occasional visit of a friend in my household with a stationary desktop computer and a mobile, I have a completely different risk profile than a family whose children often bring friends into the house, and whose members carry laptops with them all the time to every place they visit. And additionally, I am an IT person who can assess software better and sense malware, while the children of said family might install everything that pops up on some webpage.

    So you always need to take warnings with some grain and assess your personal use case.

    For example, I opened my desktop computer and 1Password very much for convenience. 1Password will not lock automatically, and neither will my computer. I disabled timeouts and automatic locking. However, if I leave the house, I lock my computer manually. Or if I have guests I don't completely trust, I lock 1Password and/or the computer manually. Or just switch off the computer. This requires discipline, of course, to not forget to lock. However, I was trained to manually lock devices by my company (it's policy that no PC must be accessible if there is no person in front of it) to lock whenever I stand up from my chair. It's just WIN-L to press, very easy. So if someone foreign enters the household and I am about to leave the room, WIN-L.
    A laptop I carry gets a different configuration, of course. That would definitely get a timeout, because out of house it can be lost or stolen any moment without me being able to press WIN-L.

  • AlmoEnd

    Very in-depth answer, @Tertius3 and very much appreciated! I have been using Smart Cards for at least 15 years, and I understand the "risk relationship" in the equation of "something you have/know/are". That said, since I've been a Windows user for a loooong time, I'm not clear on whether WebAuthn and the whole passwordless push is an attempt to get us lemmings to the edge of the cliff.

    So leaving my Smart Card (or Yubikey) in my machine while a bevy of kids with candy-smeared fingers descend on my laptop when my PIN spells my name is definitely an accident waiting to happen!

    I am describing a "use case" as a new user to 1Password (refugee from Lastpass) that does make the learning curve steeper (confusing wording in the prompts while you set up the overall security of your "risk-rich" system (a password/credential vault)).

    Also, as a lifelong Infosec professional, I'm fascinated with Reddit threads like this one, especially when I am planning to use Yubikeys to protect my 1Password real estate. I don't want Windows Hello to provide a "shortcut" around the Yubikey, and I don't trust the "all eggs in a single basket" approach of using 1Password as a TOTP generator, unless I can be 100% certain my Yubikey can be required before issuing the OTP from 1Password.

    Hoping this ramble makes some sense, and comes close to addressing the points in the well-worded reply by @Tertius3.

  • Tertius3

    @AlmoEnd I evaluated the use of a FIDO2 token such as a Yubikey, but decided against it. It's too inconvenient to use. On paper it's super convenient, but actually no. You need to carry it around, and if you forget it, it's most inconvenient. It's still not widely supported - often, you still have to enter some password in addition. And there is a risk involved if it gets lost, stolen or broken. Not that I fear the keys within are compromised, it's the fact I lose access to the keys and need to repair this. And if I keep a backup key, it's double the expense, and it's double the inconvenience to keep both keys synchronized.

    For these risks and inconvenience, these keys are just too expensive. The things I need to protect are just my own. From attackers, I am only targeted with the crowd of other consumers, I am nothing special. If I were a developer with responsibility beyond myself, this could be a different thing and some inconvenience has to be endured for security's sake, but that's not the case.

  • AlmoEnd

    Sorry for having taken this thread far afield (FIDO2 devices don't seem to be supported for Windows Hello for Biz (WHb) login except Azure AD accounts).

    My 1P is working "as expected" now and I'm not sure what I did (Many restarts, TPM integration on?) but both on a laptop where the internal camera is exposed (face recognition) and on another where the lid is always closed (external monitor) and WHb uses a PIN, I'm now able to use WHb instead of issuing the Master PW at every restart.

    Only followup question that the many helpful folks monitoring this forum may be able to answer: If I change the master password or want to change the period that WHb "substitutes" for the master pw before reprompt can that be done? Or would that be a feature request?

  • Hello folks,

    Thanks to @Tertius3 for helping out here. 👍

    @AlmoEnd - I'm happy to hear that you've got 1Password 8 working as expected with Windows Hello and the TPM.

    With regard to your questions about changing your account password, once you've done so, the next time you try to access 1Password you will be required to reauthenticate with the new password, then subsequent logins will return to Windows Hello: How to change your 1Password account password

    If you'd like to change how often you are required to re-enter your account password, that option can be found in Settings (Ctrl + Comma) > Security Unlock > Require password, with the following options - Every 2 weeks / Every 30 days / Never. I wouldn't suggest never as some reuse of the account password helps users to remember it.

    As always, keeping a copy of your Emergency Kit in a safe place, with your password recorded on it, will ensure you always have access to your account credentials. If you ever forget your account password or lose your Secret Key, we cannot restore it for you or help you recover your account.

    Get to know your Emergency Kit

    Do let us know if you have any additional questions!

  • 1PNewUser

    I had the same problem as AlmoEnd, except I am using the Edge Browser on my Windows 11 machine. I viewed the comments of ag_mike_d.:

    "First, I'd like to understand what's happening with the desktop app. Could you close your browsers, disable Windows Hello in 1Password and completely exit the app by right-clicking the icon in the system tray > Quit. Then, relaunch 1Password and try setting up Windows Hello again following these guides: Use Windows Hello to unlock 1Password on your Windows PC / [Manage your settings - Windows Hello](https://support.1password.com/windows-hello/#manage-your-settings)"

    After disabling Windows Hello in 1Password and following the instructions to quit, I got the prompt "Making sure it's you ..." after I re-enabled Windows Hello and TPM in 1Password. I then re-started my PC and opened 1Password. It works now!

    I am another new user of 1Password after migrating from LastPass. It took me a while to get used to 1Password, but I like it.

  • Hello @1PNewUser,

    Welcome to 1Password and thanks for letting us know that the steps previously provided helped you with Windows Hello and all is again working as expected!

    We understand change can be difficult but appreciate that you've taken the time to learn and are liking 1Password. We appreciate this feedback.

    If you have any other questions or concerns, please let us know. The team is always here to help!

This discussion has been closed.