Windows Hello improvement


Comments

  • Hi guys,

    @Spaldo, it is two separate issues, we've already addressed the issue with Windows Hello internally that'll be available in the next big 1Password 7.0 Alpha 2 update but the 1Password mini still has to be unlocked, dismissed and then use the shortcut again to fill. This one involves a little bit more work.

  • kathampy
    Community Member
    edited February 2018

    I believe Windows Hello can use the TPM if available to store private keys. In such a hardware configuration, 1Password should be unlockable without typing the master password.

  • AGAlumB
    1Password Alumni

    @kathampy: That's a good point, but it's a bit more complicated than that. We can't simply store the Master Password there directly, and that isn't available to everyone in the first place. Ultimately anything we do in this area needs to be thoroughly vetted security-wise and tested extensively first before we release something to all of our customers. And as we've seen with a number of recent Intel vulnerabilities (AMT comes to mind), "should" isn't always all it's cracked up to be. Not trying to pick on Intel here, as I appreciate they've got their work cut out for them trying to take an inherently insecure architecture and lock it down. But these are very real concerns to us, both as a company making security software and as users.

  • evansimk
    Community Member

    Is there any concern with storing the temporary unlock key in memory? I understand that on iOS the secure enclave is used to store this token so it's not accessible to other applications. Is Windows Hello a secure-enough alternative to this or am I better off turning Windows Hello off entirely?

  • MikeT
    edited February 2018

    Hi @evansimk,

    Thanks for the great question.

    It is not a greater risk than keeping 1Password running. If your system is compromised to the point that someone can read your memory, then the game is pretty much over, they can just start intercepting your keys and do other things.

    However, the concern is now someone guessing your PIN or whichever biometric system you're using with Hello. At this point, the risk is at guessing your weaker 4-digit PIN and once someone guessed it, every app that uses Windows Hello is compromised but so is your system if you're running an admin account. That's why we always recommend that you do not run an admin account and always lock your screen when you leave your computer. Generally, most biometric systems have compromises, such as if you're sleeping, someone can just come to you and unlock the computer without you knowing. Face ID, with enough money, they can take a photo off Instagram or whichever social network you're using, clone it onto a human mask and could get lucky.

    Disabling Windows Hello within 1Password isn't enough to increase security in most situations, you'd be better off disabling Hello globally on your computer if you are concerned about it.

    Windows Hello on modern computers stores the derived keys using the TPM chips.

  • bthayer23
    Community Member

    Just an update to my original post in late January - I updated to Windows 10 version 1803 and the latest beta for 1P, and unlocking 1P with Windows Hello works now! Very happy about this, no idea if it was Windows, 1P, or vacuuming out my keyboard that did the trick.

  • Hi @bthayer23,

    That's awesome to hear and it is most likely your Windows update that flipped some switches.

    Thanks for updating us.

  • mahu
    Community Member

    I also wanna thank you guys for Windows Hello support, as I really like an easy way of opening my vault.
    Hope you get rid of the second click on OK to even have it more smooth.
    Great work so far!

  • Greg
    1Password Alumni

    Hi @mahu,

    Thank you for your kind words! We are working really hard to improve 1Password 7 and I am glad to hear that you like the Windows Hello implementation. :) Windows Hello has its own system limitations, but we will see what we can do in the future.

    Let me know if you have any other questions, we will be happy to help. Thank you!

    Cheers,
    Greg

This discussion has been closed.