Security inconsistencies between 1Password on Windows and macOS

On macOS, 1Password allows both the use of Touch ID and the Apple Watch security integration. However, on Windows, you cannot use Windows Hello to unlock until you have already entered your Master Password once this session.

This is an inconsistent implementation of security protocols between the two apps. Really, it should be the user's choice of whether or not to allow biometrics to be used as the first point of entry in a session - just as it is with macOS, iOS and iPadOS.

Can this be requested as a change from the Windows development team?


1Password Version: 7.7.810
Extension Version: 2.0.4
OS Version: Windows 10 Pro 64-bit 21H1
Sync Type: Windows

Comments

  • Blake
    edited June 2021

    Hi @Oliver_Saer 👋

    This isn't necessarily an inconsistent implementation, but rather an intentional choice we made when implementing Windows Hello capabilities into 1Password for Windows.

    In short, unlike modern Macs, where Secure Enclave allows us to let folks use Touch ID between restarts of the machine -- there's no equivalent for this on Windows devices, leaving us without a secure place to store the data needed to keep Windows Hello as an always-on login option.

    Trust me, we'd love nothing more than to make this possible, but until we're able to do so without compromising our customers' security by storing unencrypted sensitive data to do so, these are the limitations we have in place.

  • Oliver_Saer
    Community Member

    Hi @Blake

    Thanks for clearing this up.

    I understand that the Secure Enclave does guard against vulnerabilities with regards to storage and access of biometrics data; however, does the Trusted Platform Module on Windows not amount to an equivalent?

    I understand that some modern CPUs have this built-in, but one would think this would be little different to how Apple handles the Secure Enclave on the M-series Macs?

  • Blake
    edited June 2021

    While I can't personally say that the TPM found in some modern Windows devices fits the bill fully, I do know we have done some digging into how we might utilize it, if it so happens to do what we need it to.

    The big challenge lies in that, just as you mentioned, "some modern CPUs have this built-in" -- but not all of them, and we haven't found a way to limit always-on Hello only to systems with TPM available specifically. So, even under the assumption that TPM does the trick, we've not yet found a tidy way to allow always-on Hello with TPM without allowing it globally.

    This is definitely something on our radar, but seeing as this landscape is still rapidly evolving, we want to do more research before we consider this.
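As an added illustration, not code from 1Password or from either poster: Oliver's question about whether the TPM is an equivalent to the Secure Enclave, and Blake's point that always-on Hello would have to be limited to machines where a TPM is actually available, both come down to detecting a present and initialised TPM before relying on hardware-backed key storage. The snippet below shows how an administrator can make that determination with built-in Windows cmdlets. The function name `Test-HardwareKeyStoreReady` and the recommendation strings are assumptions of this example; `Get-Tpm`, `Confirm-SecureBootUEFI` and the `Win32_Tpm` CIM class are real Windows interfaces. It does not change any 1Password setting and says nothing about what 1Password itself checks.

```powershell
# Added example: readiness check for a hardware-backed key store on Windows.
# The function name is hypothetical; the cmdlets and CIM class are built into Windows.
# Get-Tpm requires an elevated (Administrator) PowerShell session.
function Test-HardwareKeyStoreReady {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpec        = 'unknown'
        SecureBoot     = $false
        Recommendation = ''
    }

    try {
        # Presence and readiness are reported separately: a TPM can exist but be
        # disabled in firmware or not yet initialised by the OS.
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Verbose "Get-Tpm failed: $($_.Exception.Message)"
    }

    try {
        # Win32_Tpm exposes the specification version (1.2 vs 2.0) through CIM.
        $cim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($cim -and $cim.SpecVersion) { $result.TpmSpec = $cim.SpecVersion }
    } catch {
        Write-Verbose "Win32_Tpm query failed: $($_.Exception.Message)"
    }

    try {
        # Secure Boot state; this cmdlet throws on legacy-BIOS machines, which
        # is itself a useful signal that the platform is not UEFI-based.
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        Write-Verbose "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    }

    # Gate the decision on both presence and readiness, not presence alone.
    if ($result.TpmPresent -and $result.TpmReady) {
        $result.Recommendation = 'TPM present and ready: hardware-backed key storage is available on this device.'
    } elseif ($result.TpmPresent) {
        $result.Recommendation = 'TPM present but not ready: initialise it (tpm.msc) before relying on it.'
    } else {
        $result.Recommendation = 'No TPM detected: do not enable features that assume hardware-backed key storage.'
    }

    [pscustomobject]$result
}

# Usage: run from an elevated prompt; -Verbose shows why any probe was skipped.
Test-HardwareKeyStoreReady -Verbose | Format-List
```

The check distinguishes "present" from "ready" deliberately: the gating problem described above is not just whether a TPM chip exists but whether the OS can use it, and a machine with a TPM that is disabled in firmware should be treated the same as a machine with none for the purpose of an always-on unlock feature.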

This discussion has been closed.