Windows Hello unlock prone to weak PIN

finwe
Community Member

Hi.

Disclaimer: Yes, I know that under the option to unlock with Windows Hello, there is a link to the knowledge base where the need for the strong PIN is explicitly mentioned. But.

People don't click on links, people don't gather every bit of information about corner cases of workflows that are so conveniently laid in front of them.

I myself was fairly surprised, when the fingerprint reader in the system stopped working, that my vault can be opened with the Windows PIN. The PIN, which by default (by Microsoft) is preset to be numeric only, and the user can only change that by fiddling with settings.

I believe there should be a more straightforward warning about this when setting up Windows Hello unlock, for people who don't click on links, for people who are not familiar with the entirety of the Windows Hello ecosystem, for people who are accustomed to macOS's Touch ID unlock. For people like me, who even with a fair bit of knowledge around these matters completely missed this until the fingerprint reader stopped working.

Thanks for considering this.


1Password Version: 8
Extension Version: n/a
OS Version: Windows
Browser: n/a
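A practitioner reading this thread will want a way to check, and if needed enforce, the Windows Hello PIN complexity policy on their own machines, since that policy is what decides whether a digits-only PIN can be set in the first place. The PowerShell below is an added example written for this page; it is not code from 1Password, from Microsoft, or from anyone in the thread. It assumes the policy registry path `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity` and the value names written by the Windows Hello for Business "PIN Complexity" group policy (`MinimumPINLength`, `MaximumPINLength`, `Digits`, `LowercaseLetters`, `UppercaseLetters`, `SpecialCharacters`), with the assumed semantics 1 = required, 2 = not allowed, absent = allowed for the character-class values. Verify those against your Windows build's policy documentation before relying on it.

```powershell
# Added example for this page (not 1Password's or Microsoft's code).
# Audits, and optionally enforces, local Windows Hello PIN complexity policy.
# ASSUMPTION: the policy key path and value names below match the
# "PIN Complexity" group policy; character-class values use 1 = required,
# 2 = not allowed, absent = allowed. Run from an elevated PowerShell prompt.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

function Get-HelloPinPolicy {
    # Returns one object describing the effective local PIN complexity policy.
    # Missing values fall back to the Windows defaults (assumed: min 4, max 127,
    # every character class merely allowed, i.e. a 4-digit PIN is accepted).
    $defaults = [ordered]@{
        MinimumPINLength  = 4
        MaximumPINLength  = 127
        Digits            = 0
        LowercaseLetters  = 0
        UppercaseLetters  = 0
        SpecialCharacters = 0
    }
    $result = [ordered]@{}
    foreach ($name in $defaults.Keys) {
        $value = $defaults[$name]
        if (Test-Path $PolicyPath) {
            $item = Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.$name }
        }
        $result[$name] = $value
    }
    return [pscustomobject]$result
}

function Test-HelloPinPolicyIsWeak {
    param([Parameter(Mandatory)] $Policy, [int] $MinimumAcceptableLength = 8)
    # "Weak" here means nothing stops a user from choosing a short, digits-only
    # PIN: no letter or special-character class is required, or the minimum
    # length is below the threshold you consider acceptable for vault unlock.
    $classRequired = ($Policy.LowercaseLetters -eq 1) -or
                     ($Policy.UppercaseLetters -eq 1) -or
                     ($Policy.SpecialCharacters -eq 1)
    return (-not $classRequired) -or ($Policy.MinimumPINLength -lt $MinimumAcceptableLength)
}

function Set-HelloPinPolicy {
    param(
        [int]    $MinimumLength = 12,
        [switch] $RequireLowercase,
        [switch] $RequireUppercase,
        [switch] $RequireSpecial
    )
    # Writes the policy values. Digits are left at their default (allowed) so an
    # existing mixed PIN stays valid; only the requested classes become required.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name MinimumPINLength -PropertyType DWord `
        -Value $MinimumLength -Force | Out-Null
    $classes = @{
        LowercaseLetters  = $RequireLowercase.IsPresent
        UppercaseLetters  = $RequireUppercase.IsPresent
        SpecialCharacters = $RequireSpecial.IsPresent
    }
    foreach ($name in $classes.Keys) {
        if ($classes[$name]) {
            New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage: audit first, then enforce only if you have decided on a standard.
$policy = Get-HelloPinPolicy
$policy | Format-List
if (Test-HelloPinPolicyIsWeak -Policy $policy) {
    Write-Warning 'Windows Hello PIN policy allows a short, digits-only PIN.'
    # Set-HelloPinPolicy -MinimumLength 12 -RequireLowercase -RequireUppercase
}
```

Running the audit alone is safe; the `Set-HelloPinPolicy` call is commented out because it changes sign-in policy for every account on the machine. The script only writes policy values; it does not rewrite anyone's existing PIN, so check on your own build whether users are prompted to change a PIN that no longer meets the policy.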

Comments

  • hzcRzdvdfxvWoZkdRmtY
    Community Member
    edited June 2023

    Hi.
    Yes, it could be an idea with a small explanation about PIN strength when enabling through the app (rather than link).

    Bit of a guess on your fingerprint reader; Was it a Kensington Fingerprint Key VeriMark IT by any chance?

    I got a new driver (6.0.20.1123) for it through Windows Update, and after that (and a reboot with the Patch Tuesday fixes), I had to manually enter my PIN at the lock screen. When touching the reader, it gave the usual "fingerprint accepted", but Windows just said "We are having issues on our side, please try again later". I had to delete my fingerprints through Settings and add them again. I have this reader on two different machines, and it happened on both. Also, I haven't checked my parents' desktop, which has a Kensington VeriMark Desktop Fingerprint Key, but I reckon there is a new driver there as well.

    I asked Kensington about this, and it was normal when a new driver was released. Luckily it is not every day that there is a new driver for them; the last one was from 2019. And I guess there is a security implementation in Windows Hello when it detects a new driver for the biometric reader, preventing any tampering (even if it is match-on-sensor rather than match-on-host).

    But it's at times like these that you feel how long a 35-character random alphanumeric PIN is (manually entering it both for logging in and for adding new fingerprints).

    Edit:
    Also, rolling back the driver or uninstalling it did not work.

  • Hi @finwe and @hzcRzdvdfxvWoZkdRmtY, thanks for taking the time to share your feedback here!

    I can definitely understand how it isn't initially clear that it's possible to unlock 1Password with the Hello PIN alone. Having a warning about PIN strength during the Hello unlock setup process is a great idea, and would be much more likely to get a user's attention than a link to a support page which they may or may not decide to click on and read through. I've filed your feedback with our product team, including all of the information you've provided here.

    If you have any further feedback or questions, let us know 😄

    ref: 33768371

  • finwe
    Community Member

    @hzcRzdvdfxvWoZkdRmtY Yes, it is a Kensington reader, but the issue is a faulty USB hub in the keyboard. But there can be many other reasons, such as the reader not being connected at all. Thanks for the driver update heads-up, it might come in handy.

    @1P_Gem Thanks for passing this to the team.

  • You're very welcome @finwe! 😄

  • hzcRzdvdfxvWoZkdRmtY
    Community Member

    @1P_Gem
    Thanks, appreciate it.
    @finwe
    Ah, I see.

This discussion has been closed.