Use "Windows Hello"? [supported since Beta 2]

MojoDK
Community Member
edited April 2023 in 1Password 7 for Windows

Hi

Will there be support for "Windows Hello" to log into 1Password app?

That would be cool!


1Password Version: 2016.1.101
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Dropbox

Comments

  • PianoMax
    Community Member

    Hi,

    am I correct that unlocking the 1PW-Win10-App (Beta) via "Windows Hello" is (at the moment) only possible when the app is "running", i.e. locked but NOT closed? (If I lock the app without closing it, the "Windows Hello login screen" keeps appearing till it's canceled.)

    After canceling the Windows Hello login screen, or when the 1PW app is **closed**, NO Windows Hello login screen appears when the app is opened.

    I hope this will be changed in the final version:
    The "windows hello login screen" should always appear whenever the app is opened.

  • MikeT
    edited April 2016

    Hi @PianoMax,

    That is correct. The Windows Hello support is limited to while the app is running; it will not be used when you close the app and reopen it. This is an intentional security design and will not be changed for now. We will investigate expanding the support for Windows Hello in future versions once we have thoroughly investigated it.

    We'll clarify the message better below the Hello settings in a future update to mention that Hello can only be used while the app is running in memory and will not be used upon app restarts.

  • vashachiroku
    Community Member

    Well @MikeT that is actually terrible and completely defeats the purpose of Windows Hello.

    Passwords can be stolen right?
    Vaults can be stolen right?

    Now the right way would be this:
    Open 1Password and use biometrics to log in!
    A hacker might have stolen your vault, but they don't get your password.

    This is the whole reason behind FIDO 2.0 and Microsoft's implementation called Windows Hello, which is biometric login rather than typing a password to sign in. Then comes Windows Passport, which will allow you to authenticate to websites using Windows Hello biometrics!

    Check out Build conference demo with USAA near 18min 30sec mark
    http://news.microsoft.com/build2016/#sm.000hl3hlc18rddcqy0x2mqd9ghtz8

    So please explain to the community how your approach of keeping a password as the primary login method is the most secure approach? Love to hear this one!

  • PianoMax
    Community Member

    I agree that this would be a severe and annoying drawback and I suggest that you re-think this "non-function".

    The possibility of using Windows Hello on each opening of the app would imo lead to stronger and longer vault passwords. Let's be honest: if one has to type in the 1PW master password a dozen times a day (or even more often), who has never thought, "what's the shortest and fastest-entered PW which is still sufficient"? You just don't choose the strongest but the fastest-entered password. That's why so many people end up with weak master passwords.

  • AGAlumB
    1Password Alumni
    edited April 2016

    The possibility of using Windows Hello on each opening of the app would imo lead to stronger and longer vault passwords. Let's be honest: if one has to type in the 1PW master password a dozen times a day (or even more often), who has never thought, "what's the shortest and fastest-entered PW which is still sufficient"? You just don't choose the strongest but the fastest-entered password. That's why so many people end up with weak master passwords.

    @PianoMax: In theory, it may encourage people to use longer passwords. But in practice, not having to enter the password regularly leads to people forgetting them, and then there's no recourse but to start over. We know this from experience, as an old version of 1Password had an option to not require the Master Password. People forgot they even had one. Bad news all around.

    Passwords can be stolen right?
    Vaults can be stolen right?

    @vashachiroku: And your face — or an image of it — can be stolen. Your face is not secret.

    svondutch said it better than I ever could have:

    Here is the problem with fingerprint readers (and other biometrics, such as face recognition):

    1. The scan always comes back with slightly different data. Then there is software that will tell us whether or not the scan matches an earlier made model. We cannot use either of them as your encryption key because the scan isn't consistent, and the model is stored somewhere on your drive.
    2. On your iPhone, we can store your master password in iOS keychain and then unlock this with your fingerprint. On Windows, I do not believe there is a safe equivalent, and that is why I'm a strong believer of not storing your master password anywhere.
    3. Let's assume we can somehow overcome problems #1 and #2 then you do not want to replace your master password with biometrics. The feds are in love with face recognition because after they arrest you, they then point the screen at your face. While biometrics are great as a 2nd factor, they should never be your only factor. You should always combine biometrics with "something you know", which brings us back to your master password.

    While biometrics are great as a 2nd factor, they should never be your only factor. You should always combine biometrics with "something you know", which brings us back to your master password.

    We'll certainly continue to evaluate the landscape as technology advances, but the human factors involved here will never change, and those are the most significant reasons why a biometric-only approach is a bad idea. I hope that helps clarify things.

  • MikeT
    edited April 2016

    Hi guys,

    Let me clarify a few things:

    1. I incorrectly wrote that it will not change in future updates, when I meant that the way the Hello support works in 1Password will remain as is for now. It is possible that over time we'll be able to use it in more situations, but for now we start with the most aggressive method that we know is secure and then expand on it in the future after we do an extensive investigation. We did the same thing on the other platforms: we start with the most aggressive setting and we iterate on it further. For now, the Hello support will remain limited to while the app is running in memory, but not forever. It may evolve to unlock your data all the time as a setting if we can verify that such an implementation on our side is secure.

    2. There's a difference between authentication and encryption: we do not authenticate your data, we encrypt your data. FIDO and Windows Hello are for authenticating who you are, which is not the same thing as converting the encrypted data into clear text you can view. For Windows Hello to work, it must give 1Password a secret to unlock with when you authenticate yourself. This is something we do not do right off the bat, especially on a new platform like Windows Hello. We need to test, validate, and test again before we even consider sharing the secret with a third party.

    3. FIDO might be something we support in the future inside 1Password as well. We've already added TOTP support to your Login items in 1Password, and FIDO might be next in the future. We never say never (I did say it incorrectly here) and will look at all methods to help you secure your data.
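    The two points made above (svondutch's: a biometric scan "always comes back with slightly different data" so it cannot be an encryption key; MikeT's: Windows Hello authenticates who you are, while the vault needs a secret to decrypt) can be shown in a small model. The following is an added illustration, not 1Password's or Microsoft's code: the template, scans, threshold, salt and the ToyKeychain class are all constructed stand-ins. It contrasts a password-derived key (deterministic, usable for encryption) with a noisy biometric that a matcher accepts but that hashes to a different value on every scan, and then models the iOS-keychain pattern, where the matcher only gates release of a stored master password.

```python
"""Toy model separating biometric *authentication* from vault *encryption*.
Constructed example; not 1Password's code. Names and values are invented."""
import hashlib
from typing import Optional

# Constructed stand-ins for an enrolled fingerprint template and two later scans.
TEMPLATE = bytes(range(32))                 # 256-bit enrolled model (constructed)
_noisy = bytearray(TEMPLATE)
for _i in (0, 10, 20):                      # same finger, three noisy bits
    _noisy[_i] ^= 0x01
GENUINE_SCAN = bytes(_noisy)
IMPOSTOR_SCAN = bytes(reversed(range(32)))  # a different finger (constructed)
MATCH_THRESHOLD = 8                         # bits of scan noise the matcher tolerates


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password-based key derivation: the same password and salt always yield the
    same bytes, which is why a password can be an encryption key. (Iteration
    count is illustrative.)"""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def biometric_matches(template: bytes, scan: bytes, threshold: int = MATCH_THRESHOLD) -> bool:
    """Authentication: a fuzzy yes/no decision that tolerates scan noise."""
    return hamming_distance(template, scan) <= threshold


def key_from_scan(scan: bytes) -> bytes:
    """What hashing a raw scan into a key would do: one flipped bit in the scan
    changes every bit of the output, so two scans of the same finger give
    unrelated keys and the vault could never be decrypted reliably."""
    return hashlib.sha256(scan).digest()


class ToyKeychain:
    """Models the keychain pattern described in the thread: a trusted store holds
    the master password and releases it only after the matcher says yes. The
    template is stored beside the secret, so the store, not the biometric, is
    the security boundary. (Hypothetical class, not a real platform API.)"""

    def __init__(self, template: bytes) -> None:
        self._template = template
        self._secrets: dict[str, str] = {}

    def store(self, name: str, secret: str) -> None:
        self._secrets[name] = secret

    def release(self, name: str, scan: bytes) -> Optional[str]:
        # Authentication decision gates access to the stored secret.
        if not biometric_matches(self._template, scan):
            return None
        return self._secrets.get(name)


def unlock_vault(keychain: ToyKeychain, scan: bytes, salt: bytes) -> Optional[bytes]:
    """Biometric unlock = authenticate, retrieve the stored password, derive the
    key. If nothing is stored (or the match fails) there is no key to derive."""
    password = keychain.release("master-password", scan)
    if password is None:
        return None
    return derive_vault_key(password, salt)


if __name__ == "__main__":
    salt = b"constructed-salt"
    print("genuine scan matches:", biometric_matches(TEMPLATE, GENUINE_SCAN))
    print("genuine scan hashes to same key:", key_from_scan(TEMPLATE) == key_from_scan(GENUINE_SCAN))
    kc = ToyKeychain(TEMPLATE)
    kc.store("master-password", "correct horse battery staple")
    print("unlock with genuine scan:", unlock_vault(kc, GENUINE_SCAN, salt) is not None)
    print("unlock with impostor scan:", unlock_vault(kc, IMPOSTOR_SCAN, salt) is not None)
```

    Running it shows the genuine scan passing the matcher (3 of 256 bits differ) while hashing to a completely different key than the template, and the vault key becoming available only because a stored master password was released after a successful match; with no stored password, a match alone yields nothing to decrypt with.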

  • vashachiroku
    Community Member
    edited April 2016

    @brenty - More than happy to poke lots of holes in your reply.

    Forgetting passwords
    When Windows Hello doesn't work it falls back to PIN, so if your face/fingerprint doesn't work and you forget your PIN, then you would go all the way back to the traditional vault password. At this point there is a level of accountability, just like there is today.

    1Password Beta does this already: if the fingerprint doesn't work, then you can use the PIN to log back in; if you cancel, then you have to go back to the traditional vault password.

    Stealing Face
    I think you should spend a bit more time reading before just replying. You know that the Windows Hello camera will not work with a photo, right? So unless you're trying to accomplish some "Face/Off" movie stunt, this will not impact Windows Hello. Link below for the Intel® RealSense™ 3D Camera (R200). There are also tests showing that it can differentiate between twins, and that if it's not sure it falls back to PIN with the negative failure percentage.

    https://software.intel.com/en-us/articles/realsense-r200-camera

    http://www.theaustralian.com.au/business/in-depth/cracking-the-code/windows-hello-can-identical-twins-fool-microsoft-and-intel/news-story/4cdee04cc466e4f673c8642f5cb98d22

    Fairness
    In all fairness doing a comparison is the best way to argue the facts.

    iPhone - (reboot phone)

    • First launch 1Password requires the traditional vault password
    • Open a second time able to use Touch ID
    • Force Quit 1Password and launch a third time still able to use Touch ID (Right here doesn't require the traditional vault password even though the app was closed)

    Surface Pro3 with Enterprise Touch Keyboard

    • First Launch 1Password requires the traditional vault password
    • Leaving 1Password running, after a few minutes it locks and asks for Windows Hello or PIN
    • Close 1Password and launch a third time requires the traditional vault password (See the difference compared to the iPhone experience)

    So this is the point I'm making: it's all about user experience. Obviously on iOS you can force quit the app and on the next launch Touch ID works. Now if you can't do the same on Windows 10, is it a Microsoft limitation of the SDK or API? If so, guess what, there is a way to solve this! Say Hello to the Feedback Hub app. Create a new feedback request and have the 1Password community upvote the request.

    Dates
    "Face is not a secret" doesn't have a date, which is very bad given the question of when this was written: last week, last month, last year? We all know that in IT a lot can change in 6 months. Just because you linked to an article on your own site doesn't mean it's still valid. I recommend updating the post to match the new hardware and software technology available today and also using 3rd party independent research to back up responses.

  • @vashachiroku hi there, let me join the discussion :) As @MikeT clarified, we are not ditching Windows Hello support and we are looking forward to enabling it on the first run too. In the end we are looking to have the same experience across all platforms. However, let me be honest, there are priorities - we need to cover folks on Windows 7 with Teams and Family support, and we need to integrate with browsers in the Windows 10 app. We made partial support for Windows Hello, and we will continue to improve it.

    P.S. Feedback Hub - yeah, that is definitely a good idea, and Microsoft is making this feedback available to us; we are definitely going to follow it.

  • vashachiroku
    Community Member
    edited April 2016

    @SergeyTheAgile Thanks for the reply. It's kind of sad to hear that the focus for Teams and Family is a higher priority than the customers who have been on 1Password since the v3 days, such as myself. I will never use Teams or Family because they are cloud based. If I wanted cloud I would have gone with LastPass.

    If the company's focus is to push subscriptions and cloud, then I guess it's time to start branching out into other vault solutions. Been a good run.

    Possibly being more transparent with your roadmap and where the resources are being allocated for development would be nice as well, because it seems that if you're not willing to use Teams or Family then AgileBits isn't focused on you as a customer going forward. If this isn't true then it would be good to back this up with tangible evidence.

  • AGAlumB
    1Password Alumni

    @vashachiroku: I'm not certain what you're referring to specifically when you presume that customers who purchased a license are not being prioritized, as we continue to improve the apps. And regardless of any prejudice you may have against subscriptions or cloud services, just remember that there's nothing stopping you from using the same 1Password apps you purchased licenses for without using either. The apps themselves are important to everyone, since they'll be used by both those purchasing a license or paying a subscription. While it isn't complete, the new Windows 10 app with Windows Hello support hasn't cost you anything either. We haven't taken anything away from you, and like others, you can continue to benefit from apps and improvements we make with the "focus for Teams and Family" if you wish. :)

  • @vashachiroku please don't take my comment as "we don't care about personal vaults anymore" - we care :) We have started 1Password for Teams and 1Password for Family, so now you have more choices between personal or cloud based solutions. We aren't taking away, we are adding here.

    While Windows 10 shows an amazing adoption rate, Windows 7 accounted for 55% of users as of February 2016. If we leave these fine folks behind - would it be the 1Password you know? I'm not able to reveal plans, hopes and roadmaps, but I'm able to say that we are working to be on Windows 7 as well, and that work will bring value to all our beloved users.

  • vashachiroku
    Community Member

    I'll give it a bit more time and then make a decision; that seems like the best call. And you're kind of jumping to conclusions about prejudice against subscriptions or cloud. I love Office 365, which is a subscription; the difference is that there are updates constantly with the cloud service. The whole Office suite gets a monthly update across all the devices from iOS to Android. If the subscription is for software, it's commonplace to expect new features in a timely manner. This is different from a Netflix or Spotify subscription where you pick your usage.

    We're talking security here; I don't think anyone will ever have 100% complete faith in someone else's infrastructure. The major difference is that you're a target when you start storing this type of information. This is why Office 365 hosts the email but most people use AD FS and continue to keep the password on premises.

  • Hi @vashachiroku,

    We do understand your hesitations; that's a very good thing when it comes to your security, and you're right to have doubts first. While this may not be the right thread, we'd be happy to answer any questions you have about the security of our infrastructure.

    The 1Password Families and Teams services complement the 1Password apps; they are not a total replacement of 1Password. All apps will continue to be updated with or without the service.

    As for storage, we only host the encrypted data, nothing else; we don't have access to your password or the account key, which is not transmitted to our servers at all. We're also working on adding two-factor authentication soon.

    We also have our codebase audited by outside security teams as well.

    I'd suggest going through our Security page here to see how we tackle security when it comes to 1Password Families/Teams: https://1password.com/security/

  • vashachiroku
    Community Member

    @MikeT thanks, I will look over the security page you provided. I think with Redstone 1 "Anniversary Update" and by the end of the year Office 365, Google, Facebook, and USAA will all support Windows Hello logon for the web. This is a great first step to removing passwords. However, 1Password will be around for a long time as there are hundreds of sites that will not get Hello support.

  • Hi @vashachiroku,

    It is an interesting first step and we all want better security for everyone, so hopefully, this will gain total industry support if it works well enough.
