1Password8/Windows and Windows Hello on first signin?

Hi! I'm trying to figure out why manually entering my master password is required on first run of the 1Password 8 app on Windows, and Windows Hello can only be used after initial sign in when 1Password relocks. On iPhone/iPad (and maybe Mac?), you can use FaceID for the initial sign in. Is that difference intentional (it seems like it from the release notes), and if so what is the reasoning?


1Password Version: 8.2.2
Extension Version: Not Provided
OS Version: Windows 11


  • PeterG_1PPeterG_1P

    Team Member

    Hi @millercentral, thanks for this question!

    The difference is indeed intentional, and your comparison between Apple and Windows products is an informative one. Here's a little more about that, our current thinking, and what might come next.

    On Apple products, there is a physical system built into the device called the Secure Enclave - you can read more about it at the link, but to borrow from Apple's official documentation:

    The Secure Enclave is a dedicated secure subsystem [...] The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.

    In other words, Apple has provided a standard method for storing sensitive data between reboots. This includes your FaceID / TouchID data. πŸ‘

    On the Windows side, there is a rough equivalent to this, called the TPM. While relatively common in business settings, it still isn't used across large swaths of the PC ecosystem. What this means in practice is that 1Password doesn't uniformly have a secure place to store a cryptographic secret on-disk (besides, uh, in our own app, which doesn't help when that's the thing you're trying to unlock. πŸ€”).

    So you end up with a situation where the choice is either:

    1. Leave a cryptographic secret (which is used to unlock Hello) on a disk that is likely not encrypted (bad)
    2. Require the account password the first time a user logs in

    However, TPM adoption is likely to increase with Windows 11, and we're very interested in how we might bring Secure Enclave-like functionality to the Windows platform. I don't have anything specific to share on that at the moment, but it's definitely on our radar!

    I hope that makes sense. Let me know if this answers your question, and thanks for taking the time to bring it up πŸ˜€

  • It does, thank you for the response. I'm running Win11 (with TPM active), so if there is a Win11-specific opportunity here I'm all for it and sign me up to test. :)

  • ag_anaag_ana

    Team Member

    Thank you for this @millercentral :+1: And on behalf of Peter, you are very welcome :)

  • @PeterG_1P Is it not possible to check if TPM is active and store the secret there? That way, those of us who have TPM can use Hello even after initial sign in?

  • PeterG_1PPeterG_1P

    Team Member

    @pratnala it may be possible, but my understanding is that TPM usage wasn't something we were seeing much of overall on the Windows side. We expect that to change soon, though, and again are very interested in matching the ease of use already made possible by Secure Enclave on Apple hardware. πŸ˜€

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file