1Password Windows authentication via Windows Hello
Hi there,
First of all, I really like the 1PW product. Please keep up the great work, team!
Please see my question/concern below in the context of a Mac user. Privately I am using Mac and iOS/iPhone with Touch ID and Face ID to unlock 1PW. At work, we use Windows so I am using 1PW in the Chrome browsers but would like to use a similar biometric unlock for ease of use, so I started looking at Windows Hello. However, there are a few concerns I have with Windows Hello in the context of 1PW. I appreciate 1PW possibly cannot solve it but still would like to view your security expert views to hopefully ease my concerns.
This is the concern/question:
I noticed that when using Windows Hello I am forced to set up a PIN. Not sure whether this is company forced or this is standard for Hello, but I find it a concern because I would like to use either fingerprint or camera ID to unlock my laptop and therefore also 1PW Windows. However, the forced use of a PIN makes me feel like the security level has lowered significantly because the PIN is much easier to guess/force than the alphanumeric key that is generated as a result of my face (face unlock) or fingerprint unlock. I can also use the PIN to just log into the laptop after powering off. I feel this works significantly differently from Mac, where after power off I am always required to enter the full actual password, which is much longer than the PIN.
Is there a way to deal with this?
What are your thoughts from a security perspective?
Is my concern valid or am I overthinking it too much?
What about an enterprise admin? Would such a person be able to unlock via Windows Hello and therefore also be able to access my 1PW?
Thanks in advance. Happy 1PW user.
1Password Version: 8.10.22
Extension Version: 2.18.2
OS Version: Windows 10 Enterprise 19044.3693
Browser: Chrome
Comments
-
Hello @mark24332,
Thanks for the kind words about 1Password. We're glad to hear how much you are enjoying it for both home and work! I'm happy to assist with concerns about using Windows Hello.
When the Windows Hello option is enabled, 1Password hands the responsibility of unlocking over to Windows Security. Since creating a PIN is part of the process of setting up Windows Hello, our guide About Windows Hello security in 1Password for Windows discusses how to best protect yourself when using it. To the PIN option specifically, we recommend:
- Use a strong, alphanumeric PIN when you set up Windows Hello. It’s always possible to use your Windows Hello PIN to unlock 1Password, so make sure your PIN is strong and memorable. Consider using the 1Password password generator to generate it.
I've also provided related articles from Microsoft that discuss the subject of the PIN:
- Why do you need a PIN to use biometrics? - Windows Security | Microsoft Learn
- Benefits of Windows Hello - Windows Security | Microsoft Learn
Please let us know if you have any troubles setting up Windows Hello, should you decide to use it.
1 -
Hi Mike,
Thanks, very helpful. Appreciate the response. I have changed my PIN to a longer one now.
Kind regards,
Mark
0 -
Hi @mark24332,
Sorry for the delay in response. You're most welcome! I'm glad this suggestion helped. 👍
I hope you enjoy the remainder of the holidays and have a Happy New Year!
1