[Feature Request] Windows Hello on Start Up

Hi,
I hope you guys are doing okay and thumbs up for the fantastic work @1Password!

I have requested this feature quite a while ago but I would like to ask for it one more time.

On Mac, iOS and Android devices, you can easily unlock using biometric features such as fingerprint scanner.
However, on Windows, I always have to type in my master password before I can unlock it with Windows Hello.
I would really appreciate it if the 1Password team could consider implementing Windows Hello on desktop start up.

The following is my request from quite some time ago.

========================================================================================
Hi, I have been a long time 1Password user and I would like to request a security feature.

Every time I start my computer I type in somewhat long and painful password to use 1Password.
I already enabled unlocking 1Password using Windows Hello but since the computer I use is private and I am the only one who has access to it,
I never lock 1Password in any way until I shut down my computer.

I love the idea that I can use Windows Hello if I were to unlock it again but it simply does not apply to me.

I'd really appreciate if I could unlock 1Password using Windows Hello on start up instead of typing my master password.
I understand the security concerns behind the idea; however, for someone like me who has zero concerns for someone else's access to my
personal computer, it would be a life-saving feature.

P.S. Thanks for all the great work during hard times :)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hey @dwk 👋

    I wanted to let you know that I definitely understand where you're coming from, but I think this might be a good chance to at least explain where our current stance is on things. You may know some of this stuff already so forgive me if I'm being repetitive, but I don't want to gloss over anything either so I'm erring on the side of too much detail over too little.

    You see, only your Master Password (or, more accurately, your Master Unlock Key which is derived from a combination of your Master Password and your Secret Key) can unlock 1Password. Unlocking 1Password isn't like signing into a website. When you sign in to most sites, what you're doing is proving that you're you. You provide something the site believes only you have and it says, "Great, thanks, here's your stuff!" This can be your actual password or it can often be something else you and the site have agreed is equivalent to your password, like a token showing you've signed into an account using SSO.

    1Password, on the other hand, is actually incapable of giving you your stuff unless you explicitly give it your Master Password. Your Master Password may be viewed as proving you're you, but it is also the missing piece in the math equation that allows 1Password to decrypt your data and transform it from random blobs to the stuff you see in your 1Password apps. If you give it anything other than your Master Password, the math won't work and 1Password can't unlock.

    There is simply no getting around storing your Master Unlock Key if we want Hello to work.

    With that said, there isn't a genuine objection to storing that key, to be honest with you. It's something that needs to be done to make always-on Hello work and we already do this for Touch ID on Mac and iOS as well as temporarily for allowing Windows Hello at all. The issue isn't that we don't want to do that, it's that if we're going to store that Master Unlock Key persistently, rather than only while 1Password is running, we need to be extra sure we're choosing an adequately protected location that will be available regardless of hardware.

    Windows provides a number of possible options here so the remaining task is to do our due diligence and make sure we're making a solid and secure choice that fits our criteria.

    So, in short? We'd be thrilled to have Windows Hello work during login, but taking that step takes some time so it's a matter of the stars aligning where everyone who needs to give such a location the thumbs up has the time to dig in.

    The security team, in particular, often has a lot of demands on their time so these sorts of decisions often don't get made quickly and probably universally take longer than our customers would like. But, these things are on our radar and we're continually monitoring for that chance to get it done. I won't say it will happen any time soon - it may not - but you can at least rest assured that there's no fundamental objection to having Hello work out the gate. We just want to be extra sure we're handling it properly and that takes time.

    Apologies for the wall of text, but I just wanted to let you know that we're definitely on the same team, and your voice is certainly heard here. 💙
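
The distinction drawn in the reply above, between proving identity and supplying the key that decrypts the data, as an added illustration that is not part of the original thread and is not 1Password's code or its actual key derivation. Assumptions: PBKDF2 stands in for the real derivation, the cipher is a toy HMAC-based construction from the standard library, and `PlatformKeyStore` is a hypothetical stand-in for an OS-protected store that releases a stored key only after a biometric match.

```python
import hashlib, hmac, secrets

def derive_unlock_key(master_password, secret_key, salt):
    # Assumption: PBKDF2 over the password, salted with salt + Secret Key.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               salt + secret_key.encode(), 100_000)

def _keystream(key, nonce, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode (illustration only).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # No stored "is this the right user" verdict: the wrong key simply fails.
        raise ValueError("wrong key: vault cannot be decrypted")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class PlatformKeyStore:
    """Hypothetical OS-protected store gated on a biometric match."""
    def __init__(self):
        self._wrapping_key = secrets.token_bytes(32)  # never leaves the store
        self._wrapped = None
    def enroll(self, unlock_key):
        # A biometric match is only a yes/no, so the unlock key itself
        # has to be persisted (wrapped) for biometric unlock to work.
        self._wrapped = seal(self._wrapping_key, unlock_key)
    def release(self, biometric_ok):
        if not biometric_ok or self._wrapped is None:
            raise PermissionError("no biometric match or nothing enrolled")
        return open_sealed(self._wrapping_key, self._wrapped)

def unlock_with_password(vault, master_password, secret_key, salt):
    # Password path: re-derive the key every time, store nothing.
    return open_sealed(derive_unlock_key(master_password, secret_key, salt), vault)
```

Whether the wrapped key lives only while the app runs or survives a reboot is the whole difference between the current Windows Hello behaviour and the requested one; the protection of the store is what the reply says still needs review.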

  • dwk
    Community Member

    Wow that's a lot of explanation and I mean in a good way :)

    I completely understand why it is not implemented and that I am not being ignored!

    Thumbs up!

  • On behalf of my friend Blake, you're very welcome @dwk! Feel free to reach out if we can help out further. :chuffed:

This discussion has been closed.