Using Windows Hello

This discussion was created from comments split from: The process was terminated due to an unhandled exception.
«13

Comments

  • KenBonny
    KenBonny
    Community Member

    At this moment, the Windows Hello doesn't seem to be working for me. I set up my laptop with an external fingerprint reader and I can unlock my pc like that. But when I lock 1Password For Windows 7, select the password field (to unlock 1Password) and swipe my finger over the scanner, nothing happens.

    Am I doing something wrong?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @KenBonny: It sounds like Windows Hello isn't supported with your setup. Once you've unlocked using the Master Password the first time while 1Password is running, you should see the Windows Hello "eyeball" icon (I guess that's what it's supposed to be) to the right of the Master Password field:

    Clicking that just hands off to Windows to handle the rest. It sounds like you may be using an external fingerprint reader that you installed yourself, so I wonder if that just isn't fully compatible or needs a different driver. What is it exactly?

  • KenBonny
    KenBonny
    Community Member
    edited February 2018

    I do get the eyeball next to the login form and I do have an external fingerprint reader plugged into my laptop. It normally is compatible with Windows 10 because I use it to log into my laptop. I could set up Windows Hello without additional drivers. Maybe I'll need those drivers for 1Password functionality.

    Fyi, I'm using the Eikon Mini USB fingerprint reader.

    EDIT - I double checked, I have Windows Hello configured. There are no external drivers for this fingerprint reader. I just plugged it in, windows did some magic and I could use the external reader to configure Windows Hello.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited February 2018

    I do get the eyeball next to the login form and I do have an external fingerprint reader plugged into my laptop. It normally is compatible with Windows 10 because I use it to log into my laptop. I could set up Windows Hello without additional drivers. Maybe I'll need those drivers for 1Password functionality.

    @KenBonny: Thanks for clarifying. That really sounds lie it should work, if Windows has native support for it.

    Fyi, I'm using the Eikon Mini USB fingerprint reader. EDIT - I double checked, I have Windows Hello configured. There are no external drivers for this fingerprint reader. I just plugged it in, windows did some magic and I could use the external reader to configure Windows Hello.

    Thank you for double-checking. I'll poke some people and see if there might be something else required. Thanks for your patience!

    Edit: After re-reading, I wonder if this is just a misunderstanding. You mentioned seeing the Windows Hello eyeball icon, but not that you're doing anything with it. There are two ways to activate Windows Hello to unlock 1Password:

    1. Click the "eyeball" icon to invoke it
    2. Press Enter without typing anything in the Master Password field

    Either of these will invoke Windows Hello and then it should read any input it supports.

    If you're still having trouble, can you tell me exactly where it is failing for you and what you're seeing when it does?

  • KenBonny
    KenBonny
    Community Member

    As a developer, I understand the pain of alpha/beta software. You're doing a great job with community feedback. :+1:

    I thought I had to select the password input field and then swipe my registered finger over the password scanner and it would unlock.

    Unfortunately, I tried clicking the eyeball icon and pressing enter in an empty password field, but nothing happened.

    Something else I think of now: I'm on a Windows 10 Professional. Could it be that the alpha application is not allowed to access Windows Hello? The policy for devs here is very lax and I have admin rights on my own machine, so I can fiddle around with settings if you want to check something. Or maybe it's because I'm a domain user and not a local or Microsoft account.

    Another thing I tried is to run 1Password as administrator, but that didn't change anything either.

  • AGAlumB
    AGAlumB
    1Password Alumni

    As a developer, I understand the pain of alpha/beta software. You're doing a great job with community feedback. :+1:

    @KenBonny: Thank you! That's very kind. But honestly it's super fun for us as nerds. I wish it was less painful for users...but then again if you're running alpha software you knew what you were getting into! :lol:

    But in all seriousness, looking forward to stabilizing things so there are fewer sharp edges, and final release so that everyone can take advantage of the new features. :chuffed:

    I thought I had to select the password input field and then swipe my registered finger over the password scanner and it would unlock. Unfortunately, I tried clicking the eyeball icon and pressing enter in an empty password field, but nothing happened.

    Thanks for confirming! Just wanted to make sure we're on the same page there. It absolutely should bring up Windows Hello when you press Enter or click on it. We'll get to the bottom of this.

    Something else I think of now: I'm on a Windows 10 Professional. Could it be that the alpha application is not allowed to access Windows Hello? The policy for devs here is very lax and I have admin rights on my own machine, so I can fiddle around with settings if you want to check something. Or maybe it's because I'm a domain user and not a local or Microsoft account. Another thing I tried is to run 1Password as administrator, but that didn't change anything either.

    You definitely don't need admin rights. That was high on our wishlist with 1Password 6 due to feedback from customers running locked down company PCs.

    ...

    I hate to do this to you, but as this is clearly a separate issue, I'd like you to try invoking Windows Hello again — both ways, clicking and pressing Enter in the empty Master Password field — and then send some diagnostic info:

    https://support.1password.com/cs/windows-log/

    https://support.1password.com/diagnostics/

    Please send them to support@agilebits.com and add this new Support ID (including the square brackets) to the subject of your diagnostics email before sending:

    [#BCK-89464-325]

    If you’re reading this and you are not KenBonny, this Support ID is for KenBonny only. Please ask us for your own if you also need help.

    This will link those diagnostics to this discussion, so we can keep the two issues separate. Thanks!

    ref: BCK-89464-325

  • AGAlumB
    AGAlumB
    1Password Alumni

    @KenBonny: After discussing this more, I think this may be due to your domain. Earlier you mentioned that, and it may be that something in the group policy is preventing it from working. 1Password is just calling Windows Hello when you invoke it, and at that point it's out of our hands. So it sounds like something is either preventing 1Password from getting through to Windows Hello, or Windows is configured to not respond. I wonder if you'd be able to try it with a local user account.

  • KenBonny
    KenBonny
    Community Member
    edited February 2018

    I have sent the diagnostics to support@. Since there were no logs after 19/2 in the Applications and Services Logs > 1Password, I added the failed logs from Application Logs instead.

    Also, I can edit almost all of my settings, but I cannot create a local user. So I can't do that experiment.

    Are there any settings in Windows Hello (or in the registry or group policy) that I need to enable to get Windows Hello integration to work?

    ref: BCK-89464-325

  • AGAlumB
    AGAlumB
    1Password Alumni

    @KenBonny: I really appreciate it! We'll take a look and see if there are any clues there. I don't believe there is anything you can change locally if it's managed by the domain, but I'll double check with the team here before getting back to you via email.

  • KenBonny
    KenBonny
    Community Member

    Hehe, of all the things you could ask of me, creating a local user is not something I can do. I can change any setting on my own profile, but I cannot create new profiles. I've checked with the

  • Hi @KenBonny,

    It looks like your message has been cut off. Could you repeat what you were going to say at the end?

  • KenBonny
    KenBonny
    Community Member

    I can't remember what I wanted to say. I cannot create a local profile, but I can edit all settings within my profile at work. So I can change the domain settings. That's how I got Windows Hello to let me log in with a fingerprint scanner. Maybe I need to enable another setting in Windows Hello (maybe something in the registry?) to allow 1Password to communicate with Windows Hello. Some setting on the Windows side that could block third party tools to access the credential manager.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @KenBonny: No worries! I'm not confident that there's anything we can do about this since Windows Hello is controlled solely by the OS, but perhaps there's some workaround you could use. Let's continue the conversation via email. Thanks again! :)

  • KenBonny
    KenBonny
    Community Member

    Ok. :+1:

  • Thanks!

  • GoShawn
    GoShawn
    Community Member

    I am using 1P 7.0.519 on a Lenovo Yoga 920 running Windows 10 1709 (Build 16299.125) and I am also not able to get Windows Hello to work with the login to 1Password Mini or the main app.

    I have my Windows Hello Pin and fingerprints setup. Fingerprint reader is a Synaptics WBDI - SGX.

    Not sure if it's related, but when I try to enable the SGX feature of 1P 7 for Windows, I get a message saying that the version of SGX that's already installed is later (newer) than the one that 1Password was going to install.

    Is Windows Hello based on SGX and is it version dependent?

    Thanks,

    //Shawn

  • Hi @GoShawn,

    Thanks for writing in.

    Is this a work computer or more specifically, is it part of a domain?

    Not sure if it's related, but when I try to enable the SGX feature of 1P 7 for Windows, I get a message saying that the version of SGX that's already installed is later (newer) than the one that 1Password was going to install.

    1Password should detect that SGX is available and ask if you want to enable it. It sounds like SGX is not available on your computer if it is showing you the Intel's SGX installer. Please check the system's BIOS to confirm SGX is turned on, SGX is required to be enabled in all levels from BIOS > Windows > 1Password.

    Is Windows Hello based on SGX and is it version dependent?

    Windows Hello and Intel's SGX are two separate things, they're not related. Windows Hello merely authenticate that you have access to this computer and 1Password will then unlock for you. SGX stores a derived local key into isolated memory/storage slot for 1Password and blocks any external access to it, only 1Password can access that slot.

  • GoShawn
    GoShawn
    Community Member

    Will verify again. I did enable it using the Novo button to access the bios. Thank for the suggestion.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Sounds good. Let us know how it goes. :)

  • moorhuhn
    moorhuhn
    Community Member

    I have exactly the same problem. I'm using a Lenovo ThinkPad with integrated fingerprint reader. Windows Hello works fine. But 1Password does not. The 1Password lockscreen shows the Windows Hello icon. But neither clicking on it nor pressing enter on the empty password field causes any action.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @moorhuhn: I'm sorry to hear that. Unfortunately it isn't something we have control over: 1Password just asks Windows Hello to authenticate. That's all the button does. I'm not sure why nothing would happen in your case. Was it working for you in a previous alpha? Have you completed all updates and restarted Windows?

  • Cartman
    Cartman
    Community Member
    edited March 2018

    The original posters prob is almost def due to AD domain security. Windows hello has quite a number of group policies that can be configured in an Active Directory domain. I recall one setting specific related to allowing fingerprint readers separate from other methods.

    To make matters worse there are different support conditions depending on if you are using traditional on prem AD or Azure AD. Although it can sometimes be made to work (not sure the exact way) with traditional AD Windows Hello generally is not yet supported. There is a thread i have been monitoring (it's been a few months) on getting traditional AD to work with Windows Hello but I have honestly gave up hope and will be planning to move to Azure AD sometime in the future for our corp users. Fortunately most of them don't know what their missing not being able to use Windows Hello so they are not at the door with pitch forks yet.

    Edit: I recall support for Windows Hello breaking on Win10 with one of the "feature updates". It used to work before and I think works still if you had it working before updating. It has been a while so I'm sorry about the lack of specifics.

  • moorhuhn
    moorhuhn
    Community Member

    Was it working for you in a previous alpha? Have you completed all updates and restarted Windows?

    It didn't work in previous alphas and windows is uptodate. I just hoped that this is a bug that will be fixed in the future...

  • AGAlumB
    AGAlumB
    1Password Alumni

    The original posters prob is almost def due to AD domain security. Windows hello has quite a number of group policies that can be configured in an Active Directory domain. I recall one setting specific related to allowing fingerprint readers separate from other methods.

    @Cartman: Ah, indeed. That does add some wrinkles to it.

    To make matters worse there are different support conditions depending on if you are using traditional on prem AD or Azure AD.

    I was not aware of that. Thank you! :dizzy:

    Although it can sometimes be made to work (not sure the exact way) with traditional AD Windows Hello generally is not yet supported. There is a thread i have been monitoring (it's been a few months) on getting traditional AD to work with Windows Hello but I have honestly gave up hope and will be planning to move to Azure AD sometime in the future for our corp users. Fortunately most of them don't know what their missing not being able to use Windows Hello so they are not at the door with pitch forks yet.

    I think we're in the same boat here since Windows Hello is still new to 1Password. :lol:

    Edit: I recall support for Windows Hello breaking on Win10 with one of the "feature updates". It used to work before and I think works still if you had it working before updating. It has been a while so I'm sorry about the lack of specifics.

    I don't recall the myself, but I may have just been one of the lucky ones. Either way, thank you for sharing your experience!

  • AGAlumB
    AGAlumB
    1Password Alumni

    @moorhuhn: Thanks for getting back to me. That makes sense to me as I wasn't aware of anything we'd changed in that area, but I just wanted to double check. Unfortunately as I mentioned earlier this is handled entirely by Windows. Do you have any Group Policy settings that may be interfering? We'll continue to look into our options, but there isn't much involved in supporting Windows Hello in the app, apart from just using the APIs Microsoft offers for it. :(

  • moorhuhn
    moorhuhn
    Community Member

    Do you have any Group Policy settings that may be interfering?

    I don't know, how can I check this? Does there also exists an error log somewhere, that may give some hints?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @moorhuhn: If you have to ask, then you're probably on a company computer...and then it's probably not a good idea to go poking around in the policy editor or registry. Is that the case?

  • moorhuhn
    moorhuhn
    Community Member

    Yes, I'am on a company computer but I'm a local admin in case that matters. We're thinking about using 1Password with fingerprint reader in our company and I'm currently testing it. If I know the conflicting policy settings, I can ask the admin for a change. Shouldn't be a problem.

  • @moorhuhn,

    Unfortunately, we don't have that information. This guide from Microsoft may help: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-passport-deployment

    It is possible that they're enforcing some hardware features that your computer doesn't have and it kills Windows Hello support within 1Password.

    There aren't any logs for us since it's out of our control, we pass the request to Windows that we need it to authenticate you and the only two possible answers are: authorized or not authorized. There isn't much more we can customize or work with.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @moorhuhn: Probably not something you'll have access to, but you could try Group Policy Editor > Computer Configuration (or User) > Administrative Templates > Windows Components > Windows Hello for Business. Cheers! :)

This discussion has been closed.