Windows Hello prompt comes up every time I unlock the vault using a password

Dunecat
Community Member
edited December 11 in SSH

This started happening about 2 weeks ago and has been happening consistently since. It's trivial to reproduce on multiple Windows PCs running Win11 24H2.

Steps to reproduce:

  1. Turn on "Unlock using Windows Hello" and "Use the TPM with Windows Hello"
  2. Turn off "Show Windows Hello prompt automatically"
  3. Set require password to "every 30 days"
  4. Quit 1P.
  5. Relaunch 1P & unlock with password. The vault unlocks, then pops up with the Windows Hello prompt.
  6. Complete the Windows Hello prompt.
  7. Quit 1P.
  8. Relaunch 1P and unlock with password.

**Result:**
The vault unlocks but then it pops up the Windows Hello prompt again.

Expectation:
The vault unlocks and does not pop up the Windows Hello prompt.

The only workaround I've found for fixing this is to disable the "Unlock using Windows Hello" feature entirely. This is a real drag of a workaround, and again, it didn't use to do this.


1Password Version: 8.10.50
Extension Version: Not Provided
OS Version: Windows 11 24H2
Browser: Not Provided

Comments

  • Hello @Dunecat! 👋

    I'm sorry that you're being prompted by Windows Hello after unlocking 1Password using your account password. It sounds like you're running into a known issue that our development team is aware of. So that I can confirm this, could you post a screenshot of the Windows Hello prompt that you see after unlocking 1Password using your account password?

    I look forward to hearing from you. 🙂

    -Dave

    ref: dev/core/core#33895

  • Dunecat
    Community Member

  • @Dunecat

    Thank you for the screenshot. I confirm that you're running into the known issue, and I've added your report to the work item open for the issue. Hopefully this can be fixed in a future update to 1Password soon.

    -Dave

    ref: dev/core/core#33895

  • Dunecat
    Community Member

    Thank you for the update, @Dave_1P! I'm looking forward to the fix because I want to use password to unlock the vault, except for when I'm using SSH keys, in which case I want to use Hello. Unlocking with the password shouldn't trigger any change to the Windows Hello state, so it's frustrating in its current state, and I'm very happy to hear it will be fixed.

  • @Dunecat

    Thanks again for reporting the issue. When it's resolved, you'll see it noted in our release notes: 1Password Releases

    > I want to use password to unlock the vault, except for when I'm using SSH keys, in which case I want to use Hello.

    Out of curiosity, why don't you want to unlock 1Password using Windows Hello aside from when you use an SSH key?

    -Dave

  • Dunecat
    Community Member
    edited December 2

    Hi again, and happy holidays.

    Having to unlock again to use an SSH key at all, via any method, is an unnecessary hurdle and just makes life harder. Especially when a specific app is already approved to use them. E.g. I use VS Code and SSH keys to push to GitLab and yet 1Password treats it as a totally suspicious activity every single time. Bizarre. At least when I'm opening VS Code I'm sitting at a computer, whereas when 1Password is auto-launching I might be getting a cup of coffee and not sitting in front of the computer.

  • @Dunecat

    Thank you for the reply. You can adjust your authorization options for SSH by using these steps: Get started with 1Password for SSH Developer - Adjust your authorization options

    We have an explanation of the authorization model for the SSH agent here: About 1Password SSH Agent security Developer

    -Dave

  • Dunecat
    Community Member

    Thanks Dave, the links are helpful. They help illustrate the overlooked use case:

    The authorization model for the 1Password SSH agent is built on the idea that you should be able to control which processes are allowed to use which private keys.

    Alternatively, you should be able to control which applications are allowed to use which private keys, so that you don't have to re-auth every time you re-use the same application, as long as the vault is unlocked. If the vault is unlocked, the fact that I authorized the application to use the key Monday should be well enough for the application to re-use that same key Friday without reprompting me, even if I've rebooted the computer in between.

    Here's the relevant part of the developer settings page:

    The "Remember key approval" dropdown is missing a "forever" option.