1PW 7 7.532 - No Windows Hello unlock option after rebooting
Hey There,
first of all, thanks for implementing windows hello in the latest version, really appreciate it. After I've set this up yesterday, it worked like a charm (and actually still is).
AFter I've booted my windows desktop this morning, I didn't see the windows hello option to unlock 1pw. I first had to login by using my master password and after 1pw was locked the next time, the option showed up. Now my question is, is this expected behaviour ?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @Tundor,
Thanks for writing in. I'm glad to hear that is working like a charm for you.
This is intentional. Each time 1Password is terminated, such as rebooting or going to the 1Password Menu > Exit, you'll have to unlock with your master password first before Windows Hello is enabled, the Master Password is always required to unlock the initial launch of 1Password.
0 -
@MikeT Would it be possible to add an option to allow logins from Windows Hello, without having to type the Master Password first, even after 1Password has been terminated?
In my opinion this would make the Windows Hello feature way more useful, as (for me at least) computers are shut down quite frequently.0 -
Hi @Emoyly,
Thanks for writing in.
We agree, it would make it more useful but is it safer? We're not confident about that right now, we need to more investigations about how to safely store your unique device decryption key that Windows Hello will use.
Keep in mind you're effectively asking us to replace the entire security of 1Password with Windows' Hello biometric security, which isn't as strong as a password. You can simply tell Windows Hello to downgrade itself to PIN code anytime, which makes it even weaker. That's why we don't want to do this at all.
0 -
Hi @Emoyly,
We hope so but your suggestion is also problematic because we need a way to store the setting securely, so that if you opt out of this, no one can opt it back in without your permission. How does 1Password know you want or do not want to unlock via Hello without the master password to decrypt the encrypted settings? We wish it could be simple.
0 -
Hi, I was also thinking about this behaviour and by my opinion it is much safer not to allow to use Windows Hello for the first login. In case when somebody breaks through Windows Hello, then he would have direct access to your vaults. Also admin can override your password, setup Windows Hello again and then he would access 1Password like a charm. I would welcome an option to have some kind of PIN to quickly access 1Password for the first time. The user can have a very limited number of retries (e.g. 3). The PIN shouldn't allow to open 1Password directly, but should be sent to 1Password cloud server, where it will be evaluated and return a decryption key on success, which will be used to decrypt a local key used to open 1Password. On the third wrong attempt the cloud should destroy the decryption key, so the local key became useless. To strengthen security after each successful login the local and decryption keys might by changed.
:+1: From the view of a user he will have to enter his master password only once and then setup a PIN, if he finds this secure enough for him. The amount of necessary extra data exchange will be negligible and it will allow users to have much stronger master passwords. In corporate environment it is also much easier to hide entering of a PIN by user's palm than to hide entering of complex password using a full keyboard layout.
:-1: The bad side effect is that the less a user is pushed to enter the master password, the more is probable he will forget it...0 -
Hi @oksoftware,
That's pretty much why we're very cautious about that part. There are too many questions that needs to be investigated throughly. Unlocking 1Password with master password first time would ensure you're the one accessing it and afterward, you can use Hello or now with 1Password 7 Beta 5, you can opt out of Hello.
. Also admin can override your password, setup Windows Hello again and then he would access 1Password like a charm
This is one of the reasons why we have no problems with Touch ID. In this situation, the fingerprint data would invalidate automatically any temporary keys used by 1Password. In other words, Touch ID informs when the fingerprint data has changed and we wipe out all keys.
I would welcome an option to have some kind of PIN to quickly access 1Password for the first time.
This is not going to happen, a PIN of 4 can be cracked within minutes and 6, hours, and so on. By the time where it is reasonable, you'd be better off with a strong master password. At this point, you'd be better off using Windows Hello that supports PIN anyway.
The user can have a very limited number of retries (e.g. 3).
A simple clone of the hard drive can bypass any retries limitations but...
The PIN shouldn't allow to open 1Password directly, but should be sent to 1Password cloud server, where it will be evaluated and return a decryption key on success, which will be used to decrypt a local key used to open 1Password.
The whole point of 1Password.com service is that we have no access to any keys, all of the decryption is done locally. We use SRP to authenticate you without having any access to both your master password and secret key, which is only accessible once you unlock 1Password first.
How do you suppose we protect the keys on our service? It cannot be encrypted with your master password/secret key anymore because the point of PIN is to bypass them.
By doing this, it would expose us several avenue of risks, including regulations and lawsuits. Someone could sue 1Password.com to get access to the said decryption keys as well, they just need to copy our database, remove the retry limitation and then run a simple brute attack on the database offline. At this point, we're never going to allow any kind of keys to be stored on our services.
0 -
Hi @MikeT,
I fully agree to keep all keys out of 1Password cloud and my solution shouldn't break that rule. The idea is to have a local key in the local system, but strongly encrypted by a key stored in the cloud. The decryption key (or "password") for the local key should be accessible from 1Password cloud after PIN confirmation. The real mechanism can be much more complicated and all communication should be encrypted. Accessing the key stored in the cloud won't allow an attacker to decrypt any vault. A clone of the hard drive will be also useless when 1Password cloud destroys decryption key associated with the PIN on the third wrong attempt. And direct access to 1Password cloud data gets nothing usable. I think it is worth nothing do deeply describe possible solution, but I hope your security specialist can imagine the scenario.The only two weaknesses of the system I can image:
1. a scenario when the attacker will have direct access to both 1Password cloud data and admin access to the local machine. In that case he can use brute force to access the vault, or
2. when some official authorities will confiscate someone's computer and they will force you to give them those keys. Then they can use a brute force to decrypt the local key and to access the vaults in short time.But I don't think those scenarios are too important, because when someone will really want to know a master password of a particular user and will have an access to his computer, he can always install some kind of software or hardware key logger. Only very few users secure their computers at an appropriate level, i.e. secure BIOS with boot logon, secure whole HDD by HW encryption at BIOS level, use secure keyboard (with BIOS support), have a computer case equipped with a sabotage contacts, work in shielded room only etc. The master password is great, but not bullet proof security element. It's a reason why many services allow to use PIN for several attempts to log on. If it is well implemented, it can even strengthen the security, because it is easier for masking (e.g. by palm when entered) and can be easily forgotten (by the security system). It is a procedure not applicable to master password.
I am convinced that applications like 1Password must offer some kind of compromise between the security and user experience. An option to use PIN can improve user's experience with a very small degradation of the security, if ever. And I also think we all spent to much time by this topic. The idea has been described and it's up to you, if you will investigate it or not. I can live without PIN, because I am used to type my long master password so often that I don't event think about it, my fingers just type it automatically in a second.
0 -
@oksoftware: I'd agree we've delved a bit deep here and would benefit from getting back to the core of this whole discussion which is that folks want Hello to work (whether PIN or otherwise) without first unlocking with your Master Password on each restart. I think we're getting tied up in exactly how to do this and forgetting the fact that this is already something we want to do, we just aren't doing it now. We've got a number of things to button up for 7.0, along with a litany of other improvements we'd like to add in time for the official release if we can swing it, including allowing unlocking with Hello without the restart restriction. We do tend to be overly cautious with these kinds of features and we might be slower than many folks want as we do enough research to be comfortable with our chosen solution, but we'll get there. :chuffed:
0 -
Hi, what I would like to see much more is a secure desktop for main password entry. It has happened to me with 1Password 7 several times that I thought I am entering the password into 1Password but the focus was in a different window below it.
0 -
@oksoftware: Secure Desktop unlocking (like in 1Password 4) is on the list as well. It's not likely to make the 7.0 cut, but it's something we do want to add. :+1:
0
