Make Windows Hello optional
Hello!
While for example my laptop has a fingerprint scanner and I can use it to unlock my vault, I have a pin on my desktop at home. But I don't want that my vault can be unlocked with the (in comparison) easy pin vs my masterpassword. So please add a switch to disable the windows hello features if desired.
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @xanatori,
Thanks for writing in with this request, we’ll look into adding an option for that.
Note that your PIN is stored with the same location as your fingerprint hash. If you do not trust Windows Hello (easy to use PIN weakens your master password in 1Password as well, you have to protect your Windows system first and foremost), you should disable it globally as well. Disabling Windows Hello within 1Password does not generally increase security for it. If your Windows account get compromised, your 1Password can be compromised as well. For an example, if someone takes your laptop to your bed, unlock your Windows account, they can just copy your 1Password database, install malware to sniff your typing the master password and/or run a brute force attack on it.
The more secure option is to shut down the system when you’re not using it and not use Windows Hello either if you’re concerned that someone could get to your system in person.
0 -
On my laptop I'm using the fingerprint scanner and no pin, just a regular windows password.
But at home on my desktop I got my regular windows password and a simpler pin, so my girlfriend can access the pc if she needs to.
But I don't want the she could access my vault then with the pin (even tho she wouldn't but thats another topic).I hope this cleared it up. I just want a toggle "enable windows hello (on | off)" if thats possible.
0 -
It’s not that easy. Such a setting has to be stored securely, otherwise anyone could just force the setting to be on. To store this, it has to be in your 1Password encrypted database but if someone wants it enabled, how does 1Password know without access to it?
We’ll look into it though.
0 -
On the flipside of this, could you make an option to have Windows Hello be the default option? By default, at least for me, I have to hit the "use Windows Hello" button and then press my finger. I'd prefer it looks for my Windows Hello (my finger in this case) by default and only ask for password if my finger fails however many number of times you want to let someone try. I know Windows will ask for a pin after so many finger fails.
0 -
Hi @Malfoy,
That isn't yet possible because we need access to your Master Password to unlock 1Password and then generate a temporary decryption key for Windows Hello to use, that's why you always have to unlock first with Master Password after terminating 1Password or reboot.
To make it the default, we must store that key forever on disk for Windows Hello to use. It's not something we're fully confident yet to do until we do more research. At the very least, we must limit it to hardware that can store it with TPM.
You can press the enter key in the empty Master Password field to immediately trigger Hello without manually moving your mouse.
0 -
On the hiding of the 'eye', not sure why this is an issue. If the owner of the vault/1P wants that option off, that option is in 1P settings, and that person controls/secures it using the master password. Is there something wrong with that logic?
I agree with the above, I don't want a casual user of the PC having access to 1P via the same PIN that gives access to the PC. I would have thought this would have been taken care of long ago.
0 -
Hi @leesweet,
I agree with the above, I don't want a casual user of the PC having access to 1P via the same PIN that gives access to the PC. I would have thought this would have been taken care of long ago.
Your Windows account is what keeps 1Password protected in that account. If you give anyone access to your account, you are effectively giving them the power to do anything in that account, including the ability to run compromised malware that'll steal your master password or worse, it'll ensure you have no way of knowing your 1Password database has been compromised.
This cannot be stated more clearly, giving someone access to your Windows account gives them the power to compromise 1Password in that account as well. Windows Hello does not change anything here, this is true before we add Windows Hello. Hello simply authenticates that you have access to the account.
There is no such thing as a casual user, a Windows account is a Windows account. Once there is more than one user have access to an account, it's considered to be compromised.
There is no effective and secure way to separate one user from another one in the same Windows account.
0 -
That is not to say, if we do find a way to enable such a setting securely, we'll bring it in. But please be careful, do not give access to your Windows account thinking that it would protect your 1Password database that has a different master password. It is not that simple.
0 -
Not really the.point I was trying to make. Someone could see my PC PIN accidentally and then have access to my 1P contents when that wasn’t what I wanted. What’s the point of a master password if PC access opens the vault up? I don’t see the logic at all.
Why isn’t it that simple? Why does the Windows acct give access? I’m not seeing this at all.
0 -
Hi @leesweet,
The point is that 1Password is not a security tool that is designed to protect you against system compromises. It's one part that you can use to build strong security habits of protecting your system on multiple levels.
Take 1Password out of the question. If someone sees your PIN, he can just get in and install a simple tool to copy everything and run attacks on his own computer or wait until you enter your passwords with a keyboard sniffer and then run it on his own computer. That's true for any encrypted data you have.
That's the tradeoff you're willing to make by enabling Windows Hello in the first place. Windows Hello is not recommended if you're in an area that could leave you vulnerable like at an airport or cafe. It is not designed to protect you, it is only designed to avoid entering super long Windows password all day long when you're in a relatively safe area that you're willing to trade to save some time.
0 -
If the answer is turn off Windows Hello, excellent. I’m running a pretty default Windows 10 on my home machine since it’s only used for a few things that I don’t do on the work one (tax returns, etc)). But I keep returning to what we were told back when that 1P is secured by the master password. Just like on my iPhone I can turn off using TouchId. Not sure why I can’t turn off the ‘convenience’ of the Windows Hello PIN with 1P also.
Why is this not the same sort of option?
And I’m not talking about a public PC. I’m taking about home where someone else may be able to see you enter a PIN. But you still don’t want them using 1P. The two cases are not comparable and I’m confused as to why this is still not an option. If the answer is turn off Hello, okay. It still seems like a bypass of the master password security.
0 -
Hi @leesweet,
But I keep returning to what we were told back when that 1P is secured by the master password.
It is, you cannot enable Windows Hello in 1Password 7 for Windows until you unlock with your master password first. Once you unlock, you can simply unlock with Hello if you wish. If you do not, exit 1Password and it'll ask for master password again. We generate a one-time decryption key that'll run in memory for Windows Hello to use and once 1Password terminates, that key cannot be reused.
Sign out of your Windows account when you're done and you'll be required to enter the master password.
In other words, the longer you keep 1Password running, the longer it can be unlocked with Hello.
Would it help to have a setting to reset to master password if you explicitly lock down the computer via Windows Key + L?
Every platform have different security approaches, not everything can be done the same way. In this case, you can quit 1Password on your iOS device and you can unlock with TouchID, which store your data in a secure hardware enclave. You can terminate 1Password and restart it, it'll ask for TouchID without your master password because it stores a unique hardware key in your iOS device's enclave that is protecting your 1Password database.
You can turn it off and you'd be getting the same thing, asked for master password on every launch of 1Password.
0 -
Not sure what this means.. I have the mini up, and can open it with only the PIN. Did you mean to imply the PIN is a shortcut only if the master password is entered first? That's not what I'm seeing. That's what we used to have in iOS before TouchID, as I recall (it's been a while).
I closed 1P (the app) on that machine, closed all browsers, opened FF, hit the mini, and only the PIN was needed to unlock the mini. This is not what I wanted. What does 'you cannot enable Windows Hello until you unlock with master password first' mean?
0 -
Hi @leesweet,
Closing 1Password via the 'x' button on top does not exit it.
There are two ways to exit it:
- If you're in the main 1Password window, go to the 1Password Menu > Exit
- Right-click on 1Password icon in notification tray area to select Exit.
If you open 1Password, it'll require your master password.
0 -
And, of course, my bad, you are correct. If it was never open (totally), it does prompt. That's better, but it would be nice to have, on your PC, an option to not have Windows be the gatekeeper for 1P at all.
Let me see about turning off Windows Hello permanently. I never liked this dumbing down of PCs to PINs in the first place....
Thanks for your patience, as always!
0 -
Ha... maybe this is a quirk you can work with? I went to turn Hello off, and it tells me Hello isn't available on this device. It turns out that I have PIN running only. Does that make a difference to making it an option?
0 -
Hi @leesweet,
Well, technically, Windows isn't the gatekeeper, you still have to unlock with your master password and Windows isn't getting your master password, only a unique one-time key per "session".
But you can understand why we're trying to have this discussion, it's not because we don't want to do this or we don't want to add this setting, we're trying to understand the various use cases and so far, hearing that two people have access to the same account is very dangerous. Now, unintentional shoulder surfing is a different use case that does seem...a bit more risky.
We do want to find a way to force Windows Hello to accept biometric only, like no PIN code but fingerprint/face is okay but Windows doesn't give us that control.
0 -
The point I was trying to make that a 20-30 character MP is a lot harder to pick up watching someone enter it than a four number PIN. So, I think a lot of people would rather not have the latter be an equivalent. It also may be hard to use another password in lieu of the PIN, since you have used the PIN so many times you may not have it anywhere except in 1P!
So, the question comes down to, can that be done? By option, if for some reason, some people want it. I would think many people would want to use this option when they have the PIN activated.
And I differ that Windows isn't the gatekeeper when a Windows PIN is what can be used to let you in, one-time key or not.
0 -
Hi @leesweet,
You are not limited to four digits though:
The problem is that enabling support for Windows Hello enables all authentication you have; Microsoft moved PIN into Windows Hello, so you can switch between fingerprint, facial, eyes, PIN, etc. It's all part of the same authentication subsystem and there's not much control we have over this.
0 -
Yep, see that now. Guess we are stuck with it. :) I guess the point would be to use a good one(s) that can't be picked up easily!
0 -
Or use a diceware to type a 3-4 word fast enough.
0 -
Good idea, then we're in master password territory (almost)!
0 -
Yep, that's what I generally use on my systems without Hello. No lower/upper case or anything that's easy to mistype when typing fast. As long as it is random string of words, it should be easier but not that complex where you'd be frustrated quickly.
Don't forget to store it in 1Password in case you forget. :)
0 -
Here's my personal problem with not being able to deactivate authentication with windows hello:
I have a PC that I need to access in rooms where there are many people. that means that typing my PIN (no matter how long) is something that can be easily seen by shoulder surfing, and though I definitely try my best to conceal it, I would like my passwords to be protected by a second layer of security (like my master password that on purpose I make much more complex) between my PIN and my passwords. I type my PIN many times a day. I type my 1password MP with a frequency an order of magnitude smaller than that.
This means that the probability of someone catching my PIN is much higher than someone catching my MP and I would like to keep it that way. I would not want someone who captures my PIN despite my protections efforts to automatically bypass the second layer of security between that and my important passwords.
I hope this helps motivate why for me being able to deactivate windows hello authentication in 1password is crucial.
0 -
Hi @Qutrit,
We do understand that specific use-case, however keep in mind that once they do get your PIN, they can compromise your account to the point that it doesn't matter that you have a stronger master password in 1Password, there is no second layer involved, sadly. As much as we want to make it happen, there are too many OS limitations and the current design of OS does not permit this type of isolation. Once a Windows account is accessed, nothing in it may be safe.
Locking the system down whenever you leave the computer is far more vital to your security than disabling Windows Hello within 1Password.
We'll look for a solution and talk to Microsoft, they need to add more APIs to allow users to opt-out for each app.
0 -
Well.. you say you need new apis to implement an optional windows hello... But for example the uwp dropbox app allows for exactly that.
0 -
To still stand by my point... On iOS I can also enable or disable touch id for 1password which in this case functions exactly the same like windows hello. So theres that.. :lol:
We'll see what you guys come up with! :)
0 -
Yes because we can store a unique hash of your master password in a secure hardware chip (Secure Enclave via Touch ID) designed to store the secrets. Windows Hello can be used without TPM, therefore at this moment, we will never store anything on your hard drive. Until there is a verified secure way of confirming that we can store the said hash on disk (we’re still talking to Microsoft about this), 1Password on Windows will always require you to unlock with master password first, unlike 1Password on your iOS device.
In a perfect world, we would like to limit Windows Hello support to only hardware with TPM chip included and to allow folks to opt-out of PIN while leaving biometric alone.
Prior to Touch ID, we did exactly the same, you must unlock with master password first and PIN unlock can only be used until 1Password terminates, just like 1Password 7 for Windows. And yes, you had an option to disable quick unlock, iOS has a much more locked down (secure) system compared to Windows. A different process or user cannot get into 1Password to undo or redo something like you can on Windows.
We do not take this decision lightly, we do investigate and consider everything to make it easy to use 1Password without weakening the security. But every platform have limitations and it will not be possible to replicate the same experience across all platforms.
0 -
Hi guys,
Check out today's update (7.0.539 Beta 5), you can now opt-out of Windows Hello in 1Password Security settings.
0