Using Windows Hello



  • Unlock with Windows Hello works perfectly for me! I'm using a built-in fingerprint reader. Would be awesome to have Windows Hello as the default unlock option though...

  • MikeT Agile Samurai

    Team Member

    Hi @thomasvochten,

    Thanks for letting us know that!

    We do agree, it would be awesome but we're going to remain extra cautious here on Windows for a while and always require the Master Password every time 1Password is terminated. For now, you could make it easier by always keeping 1Password running, have a longer unlock timer, and/or sleeping/hibernating instead of shutting down the device to avoid having to unlock with the Master Password often.

  • I'm having the same problem using the built-in fingerprint reader on my ThinkPad T440s. The eyeball logo is displayed, but does nothing. I can see that the fingerprint reader does not even light up when trying to authenticate to 1Password.
    Logging into Windows however works perfectly. My computer is not joined to any Active Directory Domain, it's standalone.

  • brenty

    Team Member

    @Manaburner: Thanks for letting us know. Even if you're not using Active Directory though, it's possible there are group policy settings involved. Can you check? I have some myself to prevent some Windows automation that can interfere when I'm working and testing things. It's helpful to know that you're not seeing the physical sensor light up as you'd expect. That tells us that Windows isn't activating it at all even when 1Password requests it. Do you see anything else, or does clicking the Windows Hello button seemingly have no effect whatsoever?

  • Hi @brenty
    I have checked the group policy and there's nothing configured.
    When I click the Hello button, it does nothing. It gets marked with the blue frame but that's it.

  • Hi again,
    Windows is just forcing a 5 GByte update on my computer. I'll install that and then try again. Maybe it contains a miraculous fix for this situation ;)

  • brenty

    Team Member

    I hope so, but I doubt it. Looking forward to hearing though. :blush:

  • Chiming in to say that I have a PC with Windows Hello configured (also using an external Windows Hello-compatible fingerprint reader) where 1Password 7 Beta refuses to call Windows Hello. Same as the people above, clicking the eye icon does nothing.

    The PC is domain-joined but it authenticates with Hello successfully, and my own C# app calling the same Windows Hello API brings up the authentication dialog as well.

    OS Version: Windows 10 Pro x64 1607 (OS Build 14393.2125)

  • Hi @brenty the miracle has happened. After the Windows Update to 1709, Windows Hello with Fingerprint is now working. Yay

    In this process, I have been of course painfully reminded that it's still Windows, because after the update my wireless cards were all gone, but I guess that's called collateral damage :) (the solution to this was to update the wireless drivers, in case you're running into the same problem)

  • brenty

    Team Member

    > Hi @brenty the miracle has happened. After the Windows Update to 1709, Windows Hello with Fingerprint is now working. Yay

    @Manaburner: That is shocking and delightful! Just got 1709? Is this a company machine? Maybe others here are in the same boat.

    > In this process, I have been of course painfully reminded that it's still Windows, because after the update my wireless cards were all gone, but I guess that's called collateral damage :) (the solution to this was to update the wireless drivers, in case you're running into the same problem)

    Oh my god. Yep, I've been there. :sweat:

    Anyway, sounds like it was a bit of an adventure and all worked out in the end. Thank you for letting me know! :chuffed:

  • brenty

    Team Member

    @Smileybarry: Thanks for chiming in! Are you by any chance also not on Windows 10 build 1709 (A.K.A. Fall Creators Update)?

  • @brenty it is running Windows 10 Pro but it is not attached to any company-related backup distribution system like WSUS, if that's what you wanted to know.

  • brenty

    Team Member

    @Manaburner: I'm just confused as to why you're just not getting the Fall Creators Update. Are you on the slow update channel or something? I'll admit to not keeping up with that much.

  • @brenty to my knowledge, 1709 IS the fall creators update

  • edited March 2018

    @brenty: Yes, this specific PC is sadly still on the slower Anniversary (1607) branch due to some update issues. (It'll be reinstalled with RS4/"Spring Creators Update" once that comes out)

    Additionally my other PC is manually held back on the original Creators Update (1703, one before FCU) due to a long-standing gaming bug in FCU that Microsoft didn't solve until last week. (It's still up-to-date, just set to not install feature updates, an option in Pro/Enterprise editions)

    Though I haven't tried 1P7W's Windows Hello support there yet due to another bug preventing me from using it (Android + 1P7W sync issue).

  • > After the Windows Update to 1709, Windows Hello with Fingerprint is now working

    I can confirm, doing the update worked for me too :) . My Windows was on 1703, although the notebook was bought this January. I had to force the update with the Windows Media Creation Tool but now it works.

  • MikeT Agile Samurai

    Team Member

    Hi guys,

    I missed the simple service pack branding; at least you know service pack 4 is newer than 3, 2, 1 and don't have to figure out what FCU, AU, SCU, etc. mean, and sometimes you have to make sure you type them correctly because if you miss one letter, it could mean something completely different.

    We'll check with Microsoft to see if the API we're using requires 1709 (FCU).

    @Smileybarry, we shipped the 7.0.530 update an hour ago to fix the OPVault sync issue with Android.

  • For me, the Windows Hello eyeball button is not visible, even though Windows Hello is enabled and working as a Windows sign-in method. I've unlocked my vault using the master password and locked it again but still no Windows Hello option. When I execute Hello in the 1Password Console, it returns False.

  • @Bull3t most likely you need to update to Windows 1709 to get it working. Windows Hello was originally available to Store apps only, but 1Password has to be a desktop app to support Chrome and Firefox and to run on Windows 7 systems too. Windows 1709 enabled use of Windows Hello from desktop apps.

  • @SergeyTheAgile Thanks, I'm currently running Windows 10 1709 build 16299.309 though so it seems like this should be working for me?

  • @SergeyTheAgile That doesn't sound right, I have a desktop C# app I'm developing that's able to use Hello on my 1607 desktop. Are you using the same-old "verify identity" API (the message-signing Hello API) or something newer?

  • @Bull3t I just searched again, and it seems like that interface is supposed to work from 10.0.16232; at least that's when it was introduced in the SDK. Unfortunately there aren't many docs on it, so we can't tell for sure why it's not happening on your build 16299. We'll try to reach out to Microsoft for hints.

    @Smileybarry we are using the IUserConsentVerifierInterop interface (IID 39E050C3-4E74-441A-8DC0-B81104DF949C) on the Windows.Security.Credentials.UI.UserConsentVerifier class object. I just looked into the UserConsentVerifierInterop.idl file (that's where the interface is defined) again, and it looks like the interface is supported on RS3 and higher. Which one are you using?

  • @SergeyTheAgile That's the one I'm using, and it looks like it's compatible since Windows 10 RTM (10240). Just ran my (desktop) example again (on 1607) and the Windows Hello consent dialog pops up & works. I've isolated the auth chunk of the code here, if you'd like to compare usage. (maybe you're calling a newer method that isn't in the general docs?)

  • @Smileybarry thanks for the gist, I'd use the same in the Store app, but 1Password is a desktop app and it does not have package identity as Store apps do. I can see that this interface is marked as dual for both Store and Desktop apps, but I have no idea yet how Windows can verify that the 1Password.exe calling this API is the real one. I mean, imagine someone writing an app with the same name and fooling the user & Windows into revealing secrets? I wish the docs were more clear on the security aspects of this. We'll have to experiment first before taking further steps, and get confirmation from Microsoft before we add something that can affect your security. ;)

  • @SergeyTheAgile I think the verification happens per hash of the calling EXE, i.e.: when I rebuilt my app after changing a couple things, Windows Hello would act as if I have no saved credentials. (Going through the bind process again)

  • MikeT Agile Samurai

    Team Member

    Hi @Smileybarry,

    Thanks, we'll keep looking into it and wait to hear back from Microsoft. Hopefully, they'll have a better answer for both of us.

  • I can confirm too that updating from 1703 to 1709 fixes the problem with the Windows Hello sign-in. Stupid delayed updates on work laptops.

  • This may not be the right thread, but it says 'Windows Hello'. I've got the beta on my home PC also, and it's accessible via the PIN (work one only works via login, of course).

    I just noticed that the PIN opens up 1P. Eek... is there a reason for this? Can we get an option to disable this? I may or may not want the PC available via PIN, but I sure don't want all my passwords available to anyone who might have access to the PC.

    Is there some reason for this 'dual access' that harks back to before iOS TouchID? :)

  • Bull3t
    edited March 2018

    @SergeyTheAgile Is there any update on this from Microsoft? I am on Windows 10 version 1709 build 16299.309, but I do not see the Windows Hello eyeball icon in 1Password, even though Windows is working fine with fingerprint unlock. Do you need any logs from me to narrow this down?

    @leesweet See the Make Windows Hello optional thread and the comment by @MikeT regarding PIN unlock.

  • @Bull3t Thanks, will do!

This discussion has been closed.