Better Windows Hello support in 1Password 6 [Planned but no ETA]
Well, last week 1P for Mac was just updated to support Touch ID for the new MacBook Pro released one week ago. The iOS version is also well-crafted, with nice fingerprint support and full functionality.
1P for Windows 4 is really outdated. 1P for Windows 6 is much better, but it still has very, very limited Windows Hello and Microsoft Passport support, released more than a year ago. The Android version finally supported the fingerprint sensor around 1.5 years after Google announced the API, but the lack of functions (like custom fields) drove me to give up my Nexus 5X and buy an iPhone.
Kinda disappointed, dude.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @BXIA,
Thanks for writing in.
I'm sorry you're disappointed and I can definitely understand it. We are still trying to scale up our smaller Windows/Android teams to catch up to the much longer established Apple team but it hasn't been a smooth ride.
As for Touch ID, you kind of did nail it on the head. Apple has a polished and integrated setup that makes it extremely easy to add support for it right away; it didn't take us much to add support for it on macOS, as we can reuse most of our existing code and our experience from our iOS app. Apple has a mandated secure enclave for Touch ID data, along with extensive parameters we can use, which makes us feel safer using it. This is true for the new Macs as well: there's a custom A1 chipset with the secure enclave there that makes it a nicer setup.
As for Windows Hello, we have some questions regarding its security in protecting the derived keys on disk (which is preventing us from really wanting to expand the Hello support), and it is mostly designed for UWP apps in the Windows Store. We shifted our focus to the regular desktop program many months ago because it enabled more features that the UWP app isn't capable of at the moment, such as the browser extension support with 1Password mini, which is far more requested than Windows Hello support, not to mention that it runs on Windows 7 and above, which still has a much larger market share than Windows 10.
We do plan to address this but unfortunately, I don't have an ETA that I can share with you at the moment. :(
0 -
@MikeT
Windows Hello uses the TPM: it generates a public/private keypair and stores it there. This is much more secure than Apple's soft keychain.
Touch ID can be easily faked with less than 5 dollars. But you still can't fake an infrared sensor.
So I really don't think the security issue exists. I believe there's a .NET library to use Windows Hello in desktop apps. Not sure, but I read some docs about it. I'll try to search for it.
0 -
@BXIA: I hate to split hairs, but the Secure Enclave isn't software; it's a chip on the board, which Touch ID Macs now also have (as part of the mini-iOS-device Touch Bar). And if you can "fake" it with $5, the world is your oyster. So far the Touch ID "hacks" I've seen have been greatly exaggerated though — and could be applied to various Windows Hello-based biometrics as well. TPM is similar in many ways and has been around for a while (a long while), but not everything supports it. I really like that Microsoft is starting to do something with this though, even if adoption is still disappointing. Hopefully it's just a matter of time before there's a double-digit install base that can use it, and I suspect we can certainly do more with it by then. :)
0 -
For systems without a TPM, I'm also worried about how the Windows Hello keys are stored on disk. If there is no TPM, you can force the master password to be required when 1Password is initially launched. But on locking the workstation or just locking 1Password, you should be able to use Windows Hello to unlock it. This way the derived keys would not need to be stored insecurely in Windows without a TPM.
I'm specifically looking at the Kensington fingerprint scanner.
0 -
For systems without a TPM, I'm also worried about how the Windows Hello keys are stored on disk.
@kathampy: We are too. It's not something we'll do unless it can be done securely.
If there is no TPM, you can force the master password to be required when 1Password is initially launched.
Ah, okay. Then you're talking about storing it in memory. That may be a possibility.
But on locking the workstation or just locking 1Password, you should be able to use Windows Hello to unlock it. This way the derived keys would not need to be stored insecurely in Windows without a TPM.
Yeah that makes sense. Wherever we end up storing the "keys", even temporarily, needs to be secure.
I'm specifically looking at the Kensington fingerprint scanner.
Good to know. If we're able to support Windows Hello, and the scanner you have supports this too, that should do the trick for you. Cheers! :)
0 -
Isn't the derived key just stored in the user's keychain on iOS / macOS when using Touch ID while the desktop is locked? The keychain is not additionally entangled with the hardware / Secure Enclave AFAIK. So even in a locked state, the user account credentials are sufficient to extract keys from the keychain regardless of Touch ID.
Shouldn't the Windows DPAPI be just as (in)secure, being protected by the user account credentials and memory protection? Systems without a TPM should also be the same.
0 -
@kathampy: The token derived from the Master Password is only stored in the macOS (or iOS) Keychain when using Touch ID, and is secured with a cryptographic representation of your fingerprint, which is stored in hardware separate from the rest of the system: the secure enclave. Now, we don't want to assume that it is impossible to recover this otherwise, but it's very different from simply storing the Master Password on disk, and much more secure as a result. Without these things in place, we wouldn't feel comfortable making it possible for you to unlock 1Password without entering your Master Password (by storing it in memory or on disk) on Apple devices (and Android), and we need to hold Windows to that same standard when it comes to 1Password's security.
0 -
The user keychain and whatever is in it can be unlocked with either the user credentials or Touch ID - they are two parallel encryptions, and the user credentials are the weaker of the two. 1Password can artificially limit storing the derived token to only when Touch ID is enabled, but AFAIK the OS will still allow access to the keychain using just the user credentials without authenticating with Touch ID at all. On Windows without a TPM, DPAPI is equivalent to this - the data is protected with the user credentials. On iOS, the user credentials are basically the passcode (which happens to be entangled with a hardware ID through another layer of derivation, but that's just an implementation detail). I don't think macOS uses hardware entanglement for the user credentials like iOS does.
Touch ID is not the same as a smartcard or USB token, where the data is exclusively accessible only through a private key operation performed by the hardware. The parallel encryption with the user credentials is the weak point.
I could be wrong, but this is my understanding of the Touch ID API on macOS and iOS. So, using DPAPI to protect the derived token on Windows is equivalent to Touch ID on macOS, i.e., Touch ID does not add any additional security - it is simply a way to avoid typing the user account password.
0 -
As I indicated earlier, it's something we're looking into. Thanks for sharing your thoughts on this! :)
0 -
I went through the most recent Touch ID APIs. Touch ID now has the ability to internally generate keys and perform private key operations that never leave the Secure Enclave, just like a smart card. This is properly secure and isn't vulnerable to a leaked user password.
0 -
Hi @kathampy,
That is correct, we also use the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly flag to ensure it is never transmitted outside of that device. We have a support article on this: https://support.1password.com/touch-id-security-ios/ to explain what else we do.
0 -
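As an added illustration of the smart-card-style Secure Enclave key usage described two posts up, together with the kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly flag cited in the reply (example code written for this thread, not 1Password's own): the key tag, the error type and the function names are assumptions, and the code only runs on hardware that actually has a Secure Enclave.

```swift
import Foundation
import Security
// Constructed tag for this example; any app-unique string works.
let unlockKeyTag = "com.example.vault.unlock-key".data(using: .utf8)!
// ECIES over P-256 with AES-GCM; the ECDH half runs inside the enclave on decrypt.
let wrapAlgorithm: SecKeyAlgorithm = .eciesEncryptionCofactorX963SHA256AESGCM
enum EnclaveError: Error { case noPublicKey, securityCall }
// Turn the Unmanaged<CFError> out-param used by the Security APIs into a Swift Error.
func takeError(_ e: Unmanaged<CFError>?) -> Error {
    e.map { $0.takeRetainedValue() as Error } ?? EnclaveError.securityCall
}
/// Generate a P-256 key pair whose private half is created inside, and never leaves,
/// the Secure Enclave. Using it requires the currently enrolled biometrics, and the
/// key is only usable while a passcode is set (the flag quoted in the thread).
func makeEnclaveUnlockKey() throws -> SecKey {
    var err: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],  // re-enrolling a finger invalidates the key
        &err) else { throw takeError(err) }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: unlockKeyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else { throw takeError(err) }
    return key
}
/// Wrap the token derived from the Master Password to the enclave key's public half.
/// A copy of the user's account password alone cannot undo this; the enclave must.
func wrap(token: Data, with enclaveKey: SecKey) throws -> Data {
    guard let pub = SecKeyCopyPublicKey(enclaveKey) else { throw EnclaveError.noPublicKey }
    var err: Unmanaged<CFError>?
    guard let blob = SecKeyCreateEncryptedData(pub, wrapAlgorithm, token as CFData, &err)
    else { throw takeError(err) }
    return blob as Data
}
/// Unwrap at unlock time. This is the call that raises the Touch ID prompt.
func unwrap(blob: Data, with enclaveKey: SecKey) throws -> Data {
    var err: Unmanaged<CFError>?
    guard let token = SecKeyCreateDecryptedData(enclaveKey, wrapAlgorithm, blob as CFData, &err)
    else { throw takeError(err) }
    return token as Data
}
```

The wrapped blob can sit in the Keychain or on disk: without the enclave performing the decrypt, knowing the user's account password recovers only ciphertext, which is the distinction from the parallel-encryption concern raised earlier in the thread.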
Hello, I just bought a Windows Hello compatible fingerprint reader and I would love to be able to unlock 1Password with it like I do on iOS. I'm wondering if Windows Hello support is still on the roadmap and if there's an ETA. Thanks :)
0 -
@humphrey: We don't discuss roadmaps and I can't give you an ETA, but it's something we'd like to support in 1Password on Windows in the future. We've got a lot of other things to do before then (not least of which is UWP, which would be necessary for Windows Hello anyway), but I'm sure we'll share more in the future when we can. :)
0