Unlock with SSO Less Secure on Windows?

rob29384059
Community Member
edited February 2023 in Business and Teams

This article does a deep dive on Unlock with SSO: https://blog.1password.com/unlock-sso-deep-dive/

It says that Biometric Unlock on Mac, iOS, and Android uses a hardware method, but Windows operates differently:
"On Windows, the apps don’t use a secure element, but store the re-authentication token in protected memory while the 1Password app is running."

A few questions:
1. Does this mean Windows with SSO is less secure than Mac, iOS, or Android?
2. Why can't 1P Windows use TPM to secure the credential bundle?
3. Does 1P Windows using Biometric Unlock with Windows Hello use TPM, if Windows Hello is using TPM?
4. Is a compromised Windows endpoint (malware) using SSO less secure than one using standard 1P authentication?
5. Is a compromised Windows endpoint (malware) using SSO with biometric unlock less secure than any other?

Thanks!


1Password Version: 8
Extension Version: Not Provided
OS Version: Windows 10
Browser: any
Referrer: forum-search:unlock with sso

Comments

  • Hey there, @rob29384059,

    I'm with the security team here at 1Password and hopefully I can answer your questions.

    There are security advantages to using SSO with 1Password, but also some extra risk considerations that are important for you to consider. I hope these answers help you determine if it's right for you or not.

    1. Does this mean Windows with SSO is less secure than Mac, iOS, or Android?

    There is definitely a higher risk level using unlock with SSO for Windows since the key protection mechanisms we use on macOS, iOS and Android aren't available here.

    A common consideration for SSO integrated services is that SSO authorizations (usually in the form of tokens) are stored in your browser's local files, and are at risk if your computer's files are at risk. On the other platforms, we have additional biometric protections for the device key, which go hand-in-hand with storing the device key in hardware on those platforms. On Windows and other platforms, these facilities are not reliably available, which is why we need to store the device key on disk.

    If threat actors getting access to the files on your device is a concern, it's important to note that on Windows, they could read the device key and SSO authorization information. If you decide to enable Unlock with SSO on Windows at your organization, we highly recommend having a strong device protection strategy beforehand that lines up with any other capabilities/solutions you have in areas of device and/or SSO security.

    2. Why can't 1P Windows use TPM to secure the credential bundle?

    Putting the device key in the TPM is something we really want to do, but couldn't accomplish for Unlock with SSO on Windows in a way that was reliable, secure, and maintained a good user experience. If something changes in the future that allows us to maintain these requirements, we'll happily revisit our current approach on Windows.

    3. Does 1P Windows using Biometric Unlock with Windows Hello use TPM, if Windows Hello is using TPM?

    Yes. If you're currently using the traditional 1Password sign-in model using an account password and Secret Key, you can opt in to using Windows Hello with the TPM. This is an optional feature users can toggle depending on how well the TPM works on their device and Windows version. Part of the reason that it's optional is because we weren't able to make this work reliably for all users.

    If you're interested in digging more into the security properties of the TPM integration for Hello-based unlocking, you can read more about it here.

    4. Is a compromised Windows endpoint (malware) using SSO less secure than one using standard 1P authentication?

    To start off, as with anything in security, it depends on what security aspects you want to prioritize to mean "security." Managing users with SSO can have big advantages for the organization you're working in, like centralized user management, access management and auditing. It can also make it easier to increase adoption of 1Password inside an organization. A lot of these reasons are big factors for the different parties who have asked us to support SSO in the product.

    If you're primarily looking at on-device security: traditional unlocking in 1Password with your account password provides additional local protection by requiring that it must be entered in order to unlock your locally-stored vaults. If local protection is a priority over the other security advantages SSO provides, you should consider using accounts that unlock traditionally.

    However, it's worth calling out here that 1Password can only provide limited protection against malware on your computer, regardless of whether you use SSO or not. For example: while the account password provides protections, we can't prevent malware from tricking you into entering your password somewhere else malicious.

    Like I mentioned under the first question, we always recommend evaluating and considering what kind of threats you want to defend against.

    5. Is a compromised Windows endpoint (malware) using SSO with biometric unlock less secure than any other?

    Again, to be clear: 1Password can only provide limited protections against malware on your computer. The security aspects described above are mostly the same whether you use biometric unlock or not.

    There is one subtle difference, however. When you use biometric unlock, 1Password for Windows offers users limited offline access to passwords. To do that, if the TPM integration feature is not enabled, the app keeps around keys to decrypt your vault in protected, kernel-managed memory. This makes it very difficult to extract, albeit not impossible depending on your system configuration. But since those keys are not present at all when you don't use Windows Hello, it may be worth taking into consideration when deciding how to use 1Password.

    Thanks for your detailed questions, and please let us know if you're curious about anything else.
