1Password8/Windows and Windows Hello on first signin?

Hi! I'm trying to figure out why manually entering my master password is required on first run of the 1Password 8 app on Windows, and Windows Hello can only be used after initial sign in when 1Password relocks. On iPhone/iPad (and maybe Mac?), you can use FaceID for the initial sign in. Is that difference intentional (it seems like it from the release notes), and if so what is the reasoning?

Thanks!


1Password Version: 8.2.2
Extension Version: Not Provided
OS Version: Windows 11


Comments

  • Hi @millercentral, thanks for this question!

    The difference is indeed intentional, and your comparison between Apple and Windows products is an informative one. Here's a little more about that, our current thinking, and what might come next.

    On Apple products, there is a physical system built into the device called the Secure Enclave - you can read more about it at the link, but to borrow from Apple's official documentation:

    The Secure Enclave is a dedicated secure subsystem [...] The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.

    In other words, Apple has provided a standard method for storing sensitive data between reboots. This includes your FaceID / TouchID data. 👍

    On the Windows side, there is a rough equivalent to this, called the TPM. While relatively common in business settings, it still isn't used across large swaths of the PC ecosystem. What this means in practice is that 1Password doesn't uniformly have a secure place to store a cryptographic secret on-disk (besides, uh, in our own app, which doesn't help when that's the thing you're trying to unlock. 🤔).

    So you end up with a situation where the choice is either:

    1. Leave a cryptographic secret (which is used to unlock Hello) on a disk that is likely not encrypted (bad)
    2. Require the account password the first time a user logs in

    However, TPM adoption is likely to increase with Windows 11, and we're very interested in how we might bring Secure Enclave-like functionality to the Windows platform. I don't have anything specific to share on that at the moment, but it's definitely on our radar!

    I hope that makes sense. Let me know if this answers your question, and thanks for taking the time to bring it up 😀

  • millercentral
    Community Member

    It does, thank you for the response. I'm running Win11 (with TPM active), so if there is a Win11-specific opportunity here I'm all for it and sign me up to test. :)

  • ag_ana
    1Password Alumni

    Thank you for this @millercentral 👍 And on behalf of Peter, you are very welcome :)

  • pratnala
    Community Member

    @PeterG_1P Is it not possible to check if TPM is active and store the secret there? That way, those of us who have TPM can use Hello even after initial sign in?

  • @pratnala it may be possible, but my understanding is that TPM usage wasn't something we were seeing much of overall on the Windows side. We expect that to change soon, though, and again are very interested in matching the ease of use already made possible by Secure Enclave on Apple hardware. 😀

  • PeterG_1P
    edited February 2022

    Hi @millercentral @pratnala , we have an update for you!

    In the latest Beta (8.6.0-43) we have brought TPM support to our Windows Hello integration, enabling you to unlock with Windows Hello after restarting 1Password or rebooting your machine. 🥳

    If you're interested to give it a try, we'd love to have your impressions of the new feature!

    https://1password.community/discussion/127435/beta-6-of-the-year-is-now-available#latest

    Thanks again for providing the initial feedback, as well. It's requests like these that continue to drive our improvements going forward.

  • pratnala
    Community Member

    Wow, this is great!

  • BSi
    Community Member

    Hi @PeterG_1P , that's great news, I've tried to turn it on right away in the new beta, however the option to use TPM is grayed out for me and it seems I cannot change this setting, even after restarting 1PW multiple times.

    My PC has TPM 2.0, so I guess that shouldn't be the issue. What should I check to get to the bottom of this grayed out option?

  • pratnala
    Community Member

    @PeterG_1P Just tried out the beta and it works great for me!

  • @pratnala - that's fantastic, thank you for the confirmation!

    Sorry to hear this, @BSi - may I ask what kind of processor you're using? We definitely want to track down any issues folks are having with this and provide as wide a base of support for this feature as we can.

  • pratnala
    Community Member

    @PeterG_1P I must add that I had to restart a couple of times for it to work right after reboot. It said something about Windows Hello getting reset.

  • BSi
    Community Member

    @PeterG_1P it's an i7-7700HQ

  • MikeT
    edited February 2022

    Hi @pratnala,

    Thanks for letting us know.

    The "Windows Hello has been reset" message happens when the app sees different data back from Windows Hello (TPM actually) compared to the previous Windows Hello attempts.

    It usually happens when there is a Windows update or something else has changed in the hardware stack (drivers, system crashes, etc.) that caused 1Password to fall back to the account password. Sometimes a reboot is required to "fully clear" it and to let it work from there on until the next Windows update.

  • Thank you @BSi - we'll make sure to note this and use it to inform our next phase of troubleshooting. Sorry it hasn't worked for you on the first go!

  • Hi @BSi,

    Can you confirm that Windows is reporting TPM 2.0 is enabled for your CPU? Here's how to check for TPM 2.0 status: https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c

    According to Microsoft's Windows 11 docs here, that CPU is not on the supported list; it is possible that your CPU is not supported for our feature as well.
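
The TPM status check requested in the reply above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original thread and not 1Password's own detection logic; the function name `Get-HardwareSecretStoreStatus` and the `Tpm20Usable` verdict are hypothetical, and it also reports whether the system drive is BitLocker-protected, since the thread's concern is a secret left on an unencrypted disk.

```powershell
# Added example (not 1Password code). Run elevated: Get-Tpm needs admin rights.
function Get-HardwareSecretStoreStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        TpmPresent           = $false
        TpmEnabled           = $false
        TpmReady             = $false
        SpecVersion          = $null
        Manufacturer         = $null
        SystemDriveBitLocker = 'Unknown'
        Tpm20Usable          = $false      # hypothetical summary verdict
    }

    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent   = $tpm.TpmPresent
        $report.TpmEnabled   = $tpm.TpmEnabled
        $report.TpmReady     = $tpm.TpmReady
        $report.Manufacturer = $tpm.ManufacturerIdTxt
    } catch {
        Write-Warning "Get-Tpm failed (not elevated, or no TPM driver): $($_.Exception.Message)"
    }

    # Win32_Tpm carries the spec version as a string such as "2.0, 0, 1.38".
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi) { $report.SpecVersion = ($wmi.SpecVersion -split ',')[0].Trim() }

    # The BitLocker module is not present on every Windows edition.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        try {
            $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
            $report.SystemDriveBitLocker = [string]$vol.ProtectionStatus
        } catch {
            Write-Warning "Get-BitLockerVolume failed: $($_.Exception.Message)"
        }
    }

    $report.Tpm20Usable = $report.TpmPresent -and $report.TpmReady -and
                          ($report.SpecVersion -eq '2.0')
    [pscustomobject]$report
}

Get-HardwareSecretStoreStatus | Format-List
```

A `Tpm20Usable` value of `True` only shows that Windows itself can use the TPM; it does not explain why a particular application leaves its TPM option disabled.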

  • BSi
    Community Member

    Hi @MikeT ,

    thanks for your reply, I could confirm that the TPM chip is enabled and used by Windows:

    I'm using Windows 10 not Windows 11. Also the CPU exclusion from Win 11 is a bit debatable as it's not easy to draw a line about CPU security. They're frequently revising their opinions about this and adding more CPUs to the supported list from time to time. For example on the original list i7-7800 wasn't listed, but now they're also there. Anyway, in case 1PW is using the same model to exclude CPUs from this feature, then I think it would be much friendlier from a user's perspective if that would be communicated clearly, along with describing why some of the CPUs got excluded.

  • Tertius3
    Community Member
    edited February 2022

    For me it's also not possible to enable TPM support. It's on an Intel i7-6700K. The TPM info from Windows 10 is this:

  • @BSi and @Tertius3,

    Can you email us your 1Password diagnostics report, so we can get a clear picture of why it is not seeing it?

    Here's how to generate the report on Windows

    Email the report to support+forum@1password.com and in your email, please include:

    @BSi

    I'm using Windows 10 not Windows 11. Also the CPU exclusion from Win 11 is a bit debatable as it's not easy to draw a line about CPU security.

    Windows 11 isn't required for this support but it is the first Windows OS where Microsoft requires TPM 2.0 support by default and this list contains the verified Intel CPUs that have the hardware driver that complies with the security baseline which includes TPM 2.0.

    We're not hardcoding anything in our implementation, I am only checking to see if your CPU is on the list in case MS already tested it. The fact that the CPU is not on the list may mean that it may not be fully supported. Unfortunately, this does mean we can't use this list as it isn't accurate either given our testing.

    along with describing why some of the CPUs got excluded.

    We do agree, we plan to add some information to indicate why it is not enabled. There are some difficulties at the moment to make it work accurately.

  • krtickak
    Community Member
    edited February 2022

    @MikeT I also have this issue and I'm unable to enable this feature even though I have HW TPM 2.0 module.

    Currently running Windows 11 (Build 22000.527) with HW TPM on Ryzen 9 5900X.
    1Password version is 8.6.0-43, which is the latest beta.
    Diagnostic file should be in your support inbox.

  • Nhat_Nguyen
    edited February 2022

    Hello @krtickak,

    Thank you very much for sending us your diagnostics report. Let us continue our conversations there for now.

    ref: DMJ-37748-449

  • Tertius3
    Community Member

    I also sent the diagnostics report, your bot answered with support ID [#RQB-74452-197]

  • Hello @Tertius3 and @krtickak! We have received your messages and will be getting back to you shortly, if we haven't already. Thank you for the follow-up!

  • [Deleted User]
    Community Member

    I also sent an email with the diagnostics, ticket #ETZ-53718-971.

    This feature works fine with my i7-7700k PC but on my other PC with an i5-11600KF the option is greyed out and cannot be enabled.

  • Hi @Spoolin, we've received your message and will reach out to you soon. Thanks!

    ref: ETZ-53718-971

  • [Deleted User]
    Community Member

    From my comment above, now my 7700k PC isn't working as expected, should I open a second ticket for that? If I reboot it, it prompts for the normal 1Password password then right after it prompts for the pin.

  • Hi @Spoolin,

    It is not expected to see Windows Hello working forever, it will reset whenever there have been changes made to Windows such as Windows updates, driver updates, etc. This is for security reasons.

    After an update, you do have to unlock first with the account password and then you'll see Windows Hello prompt up again, this is to re-initialize the TPM support with your data.

    If you haven't seen any changes now since the boot, try to reboot again and see if it works.

  • [Deleted User]
    Community Member

    @MikeT I just did the following:

    1. Opened 1Password and unlocked, entered the master password and then entered my pin when prompted.
    2. Rebooted my PC
    3. Opened 1Password and was again prompted for master password and then pin
    4. Rebooted PC again
    5. Opened 1Password and was again prompted for master password and then pin

    If I sleep my PC and wake it 1Password just asks for the pin to unlock as expected. So it seems even without any updates or hardware changes I'm still being asked for the master password upon rebooting.

    If you want any diagnostics or further troubleshooting feel free to email me (we've been chatting recently about the software TPM on my other PC).

  • @Spoolin,

    Opened 1Password and unlocked, entered the master password and then entered my pin when prompted.

    If you wait a few minutes, lock the app; can you confirm Hello didn't show up again?

    If yes, quit the app and restart, does Hello show up first?

  • [Deleted User]
    Community Member

    @MikeT Yes, Hello did show up first.

This discussion has been closed.