1P master PW *before* you can use Windows Hello??

AlmoEnd
Community Member

At least that's my memory of what the prompt says, kinda obviating the usefulness of WH. What settings might I be missing? There seem to be no end of differences in the settings of the 1P UI from platform to platform (Windows/Android/Linux are the three I use most often) or even within a platform (this applies to 1P documentation, which seems to be "platform oblivious", e.g., can't tell I'm looking for help on Android 12 on one tablet and Android 13 on a phone).

It seems the app is correctly detecting WH is enabled, but asking for the PW first, just in case WH isn't as secure (or something) as MSFT claims?

And, what does it mean when I see (and I have read the explanatory text for) "Show Windows Hello prompt automatically?" Does that mean (as I interpret it) that 1P will automatically ask for the master pw, then show me the WH prompt? And why do I have to hit OK after it recognizes my face or I type in the correct PIN? Other software just "goes" without the OK prompt.


1Password Version: 8.10.4
Extension Version: Not Provided
OS Version: Windows 10
Browser: na

Comments

  • 1P_Gem

    Hi @AlmoEnd! I understand that you're seeing a message indicating that you'll need to enter your account password before you can use Windows Hello. This sounds like the expected behaviour here. For the first unlock after enabling Unlock using Windows Hello, you'll be asked for your account password first, and then a Hello prompt will appear, which you can complete in order to finish setting up your unlock secret. After this, subsequent unlocks will only prompt you for Windows Hello, not your account password.

    Aside from the initial setup process, there are a few other circumstances when 1Password will request your account password instead of Hello:

    • If the amount of time in Settings > Security > “Require password” has elapsed.
    • If your face or fingerprint isn’t recognized.
    • If you’re trying to change your account password.
    • If you’ve restarted 1Password, including after updating 1Password or restarting your PC.

    The last point can be improved if your device is TPM 2.0-enabled. In this case, turning on the Use the Trusted Platform Module with Windows Hello option will allow you to unlock with Windows Hello without entering your account password even after a restart of the app or your PC.

    > And, what does it mean when I see (and I have read the explanatory text for) "Show Windows Hello prompt automatically?"

    Enabling this setting allows Windows Hello to automatically pop up with a prompt on the unlock screen. Disabling this setting means you'll need to manually bring up the Hello prompt by clicking the smiley face Windows Hello icon to the right of the account password field.

    I hope this helps! If you have any further questions or concerns, let me know 😄

  • AlmoEnd
    Community Member

    Hi, thanks for the comprehensive input. I don't exactly know if I'm making myself clear, but why would I have to enter both the master password and present my Windows Hello auth method, whether this is the 1st open of the safe or 1001st?

    Also, I think you may have overlooked the question about why most software does not require the OK prompt but gets face/finger/pin validation and moves on. With 1Password it seems to be more like we recognize your face now; we need you to click OK to prove you're human by also clicking/tapping OK. Am I getting that right?

    I am a recent refugee from LP, and see so many ways 1P is more secure, but sometimes in, shall we say, more cumbersome ways, actually diluting or diminishing the security by adding more layers (I know, defense in depth, yawn...) of protection than may be ergonomically acceptable by end users on a daily basis.

    Thanks again, @1P_Gem for the information.

  • 1P_Gem

    Hi @AlmoEnd, thanks for getting back to me!

    > I don't exactly know if I'm making myself clear but why would I have to enter both the master password and present my Windows Hello auth method, whether this is the 1st open of the safe or 1001st?

    1Password should only request your account password followed by Windows Hello under the conditions I had previously mentioned. In the absence of any of these conditions, you should be able to unlock with Hello only. If the behaviour you're seeing doesn't line up with this, let me know, as it's possible that something is going wrong for you.

    The behaviour where you're required to enter both is essentially a setup process. When you provide 1Password with your account password, an unlock key is created from a combination of your Secret Key and account password. This key is stored on your system, either temporarily or in the TPM, and you then provide Windows Hello permission to use this key to unlock 1Password.

    In certain circumstances, for example after restarting your device (if the TPM option isn't enabled), 1Password will abandon this key to protect it from unauthorized access, and this is when you'll see the setup process again to recreate the key.

    > And why do I have to hit OK after it recognizes my face or I type in the correct PIN? Other software just "goes" without the OK prompt.

    I'm sorry I had previously missed this question! The Windows Hello dialog itself and the requirement for a confirmation OK click is controlled by Microsoft, and we're not able to make any changes to it. The way Windows Hello interacts with non-native apps, such as 1Password, is entirely different to how it interacts with Windows itself and any Universal Windows Platform (UWP) apps, as they're held to different sets of rules.

    If you'd like to see any changes made here, I would recommend sending feedback to Microsoft with the Feedback Hub app.

    If you have any further questions or concerns, let me know!
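The unlock rules described in the replies above, as an added Python model that is not part of the original posts and is not 1Password's code. The key-derivation construction, iteration count, class and method names, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def derive_unlock_key(account_password, secret_key, salt):
    """Illustrative two-secret derivation (assumed construction, not 1Password's)."""
    # Slow KDF over the account password, keyed hash over the Secret Key, then XOR.
    pw_part = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


class UnlockModel:
    """Toy model of when the password is requested instead of Windows Hello."""

    def __init__(self, use_tpm, require_password_after_s):
        self.use_tpm = use_tpm                      # "Use the TPM with Windows Hello"
        self.require_password_after_s = require_password_after_s
        self.cached_key = None                      # stands in for the stored unlock key
        self.last_password_at = None

    def unlock_with_password(self, password, secret_key, salt, now):
        # Setup step: the key is created, then Hello is allowed to use it.
        self.cached_key = derive_unlock_key(password, secret_key, salt)
        self.last_password_at = now

    def restart(self):
        # Without the TPM option, the key is abandoned on app or PC restart.
        if not self.use_tpm:
            self.cached_key = None

    def next_prompt(self, now, hello_recognized=True, changing_password=False):
        if self.cached_key is None:
            return "password+hello"                 # first unlock, or key abandoned
        if now - self.last_password_at >= self.require_password_after_s:
            return "password"                       # "Require password" interval elapsed
        if changing_password or not hello_recognized:
            return "password"
        return "hello"


if __name__ == "__main__":
    salt = b"constructed-salt"                      # constructed sample value
    m = UnlockModel(use_tpm=False, require_password_after_s=14 * 86400)
    print(m.next_prompt(now=0))                     # before setup
    m.unlock_with_password("correct horse", "EXAMPLE-SECRET-KEY", salt, now=0)
    print(m.next_prompt(now=60))                    # steady state
    m.restart()
    print(m.next_prompt(now=120))                   # after restart, no TPM
```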

This discussion has been closed.