Security with "Use the Trusted Platform Module with Windows Hello"

kapsiR
Community Member

When using "Use the Trusted Platform Module with Windows Hello", 1Password prompts with a security warning.
- How can another app gain access to 1Password with this setting?
- Is there a way to retrieve the applications which have access to Windows Hello?

Thanks


1Password Version: 8.7.0
Extension Version: 2.2.3
OS Version: Windows 10 21H2

Comments

  • Hello @kapsiR, I'm sorry for the delay in response. I'm happy to help with your questions.

    We have an article on our support page that discusses Windows Hello security in 1Password for Windows. This same article goes on to provide more information if you are using the Trusted Platform Module with Windows Hello.

    Is there a way to retrieve the applications which have access to Windows Hello?

    I'm unsure if it is possible to retrieve a list of applications specific to your device that have access to Windows Hello. If this is an area of concern, it would be worth reaching out to Microsoft support for help or to see if this is possible.

    I hope this helps!

  • kapsiR
    Community Member

    Thanks for the response, my concerns are especially about that sentence:

    A malicious application could prompt you to unlock 1Password to access your information.

    So why is this possible? Do you have resources about that?

  • Hello again @kapsiR, thanks for getting back to us.

    With regard to this warning when you enable TPM support, 1Password loses control over what can prompt you to access the key 1Password creates on the TPM. As noted in the article I provided, "1Password delegates the responsibility of authentication to Windows Hello."

    Without the TPM option enabled, Windows Hello stays within our process so any phishing attempts by a malicious process wouldn’t work. However, with Enhanced Windows Hello, a malicious process can potentially trick you into accepting a context-less prompt in order to decrypt your data. We've included the above prompt to have the user confirm that they know the risks and that you trust other apps on your system which generate their own Windows Hello prompts. The key itself is safe in the actual TPM; it's just a concern when logged into Windows.

    As far as I understand, we'll have some additional resources about this in the future, but it’s not ready just yet.

  • kapsiR
    Community Member

    Thanks for the detailed explanation - it's much clearer now.

    So the secret is stored on the TPM - anyone with a Windows Hello prompt authenticates against the whole TPM?
    And I assume there is no way to have an additional entropy when prompting via Windows Hello to make this a little harder for attackers? 😄

  • Hi @kapsiR, thanks for these questions.

    There is no way to have additional secret entropy added in, since Windows doesn’t provide a secure place to store data that only our app can fetch (akin to the macOS keychain, for example).

    Assuming you haven't downloaded any malicious apps (which are the chief threat for this scenario), and you only accept TPM-backed Hello prompts (i.e. the ambiguous one where it doesn't specify the app unlocking it) when you expect there to be one, there's no substantial risk.

    To add a bit more detail: NCrypt / Windows Hello wrap and control all access to the underlying Hello device. Therefore any userland software can make the same requests as another app. We provide the message you mentioned in order to notify the user that control is shifting to the TPM / Hello in a different way than it does when just using Hello with 1Password alone, and that you should trust the apps on your device if you want to enable this feature.

  • kapsiR
    Community Member

    Thanks very much! I appreciate the detailed explanation!

  • Hi @kapsiR:

    On behalf of Peter, you're very welcome!

    Jack

  • ForgottenPasswords
    Community Member

    Hello!

    I recently installed Windows 11 by using a method to bypass requirements for a supported CPU and a TPM module.

    After installing 1Password on the new installation, I discovered that using Windows Hello PIN would be a really convenient method to unlock 1Password.

    However, I have concerns about the security of this, since my computer doesn't have a TPM module at all (not even v1).

    Am I still safe to use Windows Hello with 1Password? How is the security ensured in this case?

    Thanks, I love 1Password very much.

  • Hello @ForgottenPasswords,

    Thanks for reaching out with your question about Windows Hello and 1Password. I've included a link to a related article about Windows Hello security in 1Password for Windows.

    If you'd like to enable Windows Hello, you can follow this guide: Use Windows Hello to unlock 1Password on your Windows PC

    We appreciate your kind words about 1Password! 💙

  • Tertius3
    Community Member

    If your computer doesn't have a TPM, Windows emulates some of its functionality in software. With a hardware TPM, things like the secret to unlock 1Password survive a reboot, so you can unlock 1Password after a reboot with just your Hello PIN. With the software emulation, such stuff is kept in protected CPU memory only, so you need to enter your 1Password master password once to unlock after a reboot. Additional unlocks are with PIN, since the secret to unlock is kept in memory - until the next reboot. What survives a reboot even with the software emulation is the ability to log in to Windows itself.

  • Thanks for the follow up, @Tertius3. @ForgottenPasswords, please let us know if you have any additional questions.

  • ForgottenPasswords
    Community Member

    Thank you @ag_mike_d and @Tertius3 for your responses.

    I shall be using Windows Hello then. It makes using 1Password much more convenient.

    Have a great week, and keep 1Password rocking.

  • Nusaram
    Community Member

    Hi @ag_mike_d,

    "Without the TPM option enabled, Windows Hello stays within our process so any phishing attempts by a malicious process wouldn’t work. However with Enhanced Windows Hello, a malicious process can potentially trick you into accepting a context-less prompt in order to decrypt your data. We've included the above prompt to have the user confirm that they know the risks and that you trust other apps on your system which generate their own Windows Hello prompts."

    I'm new to 1Password and I have to admit that the prompt spooked me! I admit that having to re-enter my master password after reboots is helpful in that it has forced me into remembering my long, cryptic password, but it is equally a nuisance.

    Honestly, I still don't fully understand the risk and, yes, I've read the article. Just to be certain, is it that a malicious app can trigger a Windows Hello authentication pretending to be 1Password and, if I authenticate, I will grant that malicious app access to my 1Password sites and logons?

    It's just that I'm not sure exactly what the risk level is because I just don't understand how the malware will behave. 1Password is the only app on my PC that integrates with Windows Hello; if, for example, I would see an unexpected 1Password authentication, then for sure that would alert me that it may be due to a malicious app, which is a risk I can live with.

    Thanks!

  • Hello @Nusaram,

    Thanks for your message.

    1Password is the only app on my PC that integrates with Windows Hello; if, for example, I would see an unexpected 1Password authentication, then for sure that would alert me that it may be due to a malicious app, which is a risk I can live with.

    I can't speak specifically to how malware may trigger a Windows Hello prompt. However, in this case, when using Enhanced Windows Hello, by opening 1Password - if it continues to be the only trusted software on your device using Windows Hello - you can be sure this prompt is coming from 1Password.

    I hope this helps to relieve some concern, but please let us know if you have any other questions.

  • Nusaram
    Community Member

    Hi @ag_mike_d,

    Yes, it does! That was extremely helpful info.

    Thank you!

  • You're most welcome, @Nusaram - Happy New Year!

  • Nusaram
    Community Member
    edited December 2022

    Thank you, @ag_mike_d, and Happy 2023 to you, too!

    So, I enabled the TPM option but it is not surviving the Windows reboot. :( It did once, but that's it; apart from that "rare" instance, I'm still being asked to enter my master password before using Windows Hello. The settings do remain enabled, however.

    What's interesting, though, is that after I unlock with my master password, the Windows Hello dialog window to unlock appears, which is weird.

    I'm on Windows 11 22H2 and am using a Surface Laptop Studio which, of course, has TPM 2.0.

    I found this thread but I do not have fast startup enabled, nor were there any BIOS updates, etc.

    Well, after continuing to search this forum, I found other posts about the same issue so, clearly, this is a known and ongoing issue.

    What could be causing this?

  • Mycenius
    Community Member

    @Nusaram I had a similar issue recently where I thought it wasn't working - are you getting a smiley face showing next to the login field? If so, click on it and this will manually trigger the Windows Hello process...

  • Hello again @Nusaram,

    I'm sorry to hear of the troubles with Windows Hello not surviving a restart.

    Can you please try the below list of steps after a reboot of your device:
    1. Open 1Password and enter your account password.
    2. When the Windows Hello prompt appears, enter your PIN, fingerprint, etc.
    3. Completely exit 1Password by right-clicking the icon in the system tray and selecting Quit.
    4. Try relaunching 1Password 8 for Windows.
    5. If that works, try once again but this time reboot your PC and open 1Password.

    If you still see issues after this reboot, could you try re-enrolling your Windows Hello data by removing and then re-adding all of your Windows Hello options, such as face, fingerprint and PIN? If the option to remove the PIN is greyed out, you may need to disable the option to only allow Windows Hello sign-in for Microsoft accounts on this device first.

    Let us know how this goes. Thanks!

  • Nusaram
    Community Member

    I had a similar issue recently where I thought it wasn't working - are you getting a smiley face showing next to the login field? If so, click on it and this will manually trigger the Windows Hello process...

    Thanks, @Mycenius, but that's not what is happening; the right arrow appears next to the password field. However, before enabling TPM, I was encountering the issue and the smiley face appeared at times and I, too, clicked on it and, yes, it did launch the Windows Hello authentication.

    Hi @ag_mike_d,

    Before trying any of your suggestions, I just continued to test and, much to my surprise, I rebooted 5 times and the Windows Hello authentication worked! Then I ran into issues on the 6th reboot. I tried your two suggestions, but all to no avail, unfortunately.

  • Happy new year, @Nusaram!

    Sorry for the continued troubles. I'd like to ask you to create a diagnostics report from your Windows PC:

    Sending Diagnostics Reports (Windows)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks!

  • digitalatlas
    Community Member

    I'm having the same trouble getting Windows Hello to work, even once (nevermind after reboot). I've set up a PIN and successfully logged into Windows and Microsoft Word, also followed the other articles and message threads. Still doesn't show up.

    Though I should note that I'm on Windows 10 Pro and the volume is an MBR partition style, so I have not enabled secure boot. Is this important for 1Password to work with Windows Hello?

    Thanks.

  • Hello @Digitalatlas,

    Thanks for your message here. I've reached out to the team for some help with your troubles with Windows Hello. Can you confirm that the Windows Hello prompt is still not appearing after following the below steps?
    1. Open and unlock 1Password with your account password.
    2. Manually lock 1Password (Ctrl + Shift + L).
    3. Open and unlock 1Password.

    If the Windows Hello prompt appears, this is expected behaviour: you are required to unlock 1Password with your account password after rebooting your device or after the 1Password process has been completely terminated.

    Does your device have a hardware Trusted Platform Module (TPM) 2.0 and can you confirm it is not disabled? If so, Windows Hello can persist through reboots by following this guide: Manage your settings - Windows Hello

    Please let us know how these steps go. We'll be here to help with any additional questions you have.
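    The two hardware questions raised in this thread (is there a hardware TPM 2.0 that is enabled, and is the disk/firmware set up for UEFI Secure Boot rather than MBR) can be answered from one elevated PowerShell session. The script below is an added example, not 1Password's own tooling; the function name Get-HelloTpmReadiness is my own, and it uses only the built-in Get-Tpm, Win32_Tpm, Confirm-SecureBootUEFI and Get-Disk cmdlets.

```powershell
# Added diagnostic (not 1Password's code). Run as Administrator: Get-Tpm needs elevation.
# Reports the facts this thread asks about: hardware TPM presence/enabled state and
# spec version (2.0 is what the support reply says is needed for Hello unlock to
# persist across reboots), plus Secure Boot state and the system disk partition style.
function Get-HelloTpmReadiness {
    $result = [ordered]@{}

    # Get-Tpm reports presence and whether the TPM is enabled/ready in firmware.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmEnabled = [bool]$tpm.TpmEnabled
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # No TPM driver / not elevated: treat as absent so the verdict is conservative.
        $result.TpmPresent = $false
        $result.TpmEnabled = $false
        $result.TpmReady   = $false
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the leading field is the spec level.
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI returns True/False on UEFI firmware and throws on legacy BIOS.
    try { $result.SecureBoot = Confirm-SecureBootUEFI } catch { $result.SecureBoot = 'not UEFI' }

    # Partition style of the disk Windows booted from (MBR vs GPT); UEFI boot needs GPT.
    $sysDisk = Get-Disk | Where-Object IsSystem
    $result.SystemDiskStyle = if ($sysDisk) { $sysDisk.PartitionStyle } else { 'unknown' }

    # Verdict used in the thread: a present, enabled, spec-2.0 hardware TPM.
    $result.HardwareTpm20 = $result.TpmPresent -and $result.TpmEnabled -and ($result.TpmSpecVersion -eq '2.0')
    [pscustomobject]$result
}

Get-HelloTpmReadiness | Format-List
```

    A HardwareTpm20 value of False on a machine where Windows Hello still works matches the software-emulation case described earlier in this thread, where the unlock secret does not survive a reboot.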

  • TimLyden97701
    Community Member

    Hi,

    I've been reading several of these threads about security using Windows Hello (both with and without Trusted Platform Module (TPM) 2.0 enabled). I hate to be doing this, but since I felt compromised by LastPass and its failure to automatically increase the iterations used for blending/hashing my Master Password, I am a lot more cautious as I migrate to 1Password.

    To the point, I've been curious about the warning/reluctance by the 1Password Team to enable/use TPM 2.0. So I've read to try to better understand the issue. In reading I came across the article linked below which seems to say that Windows Hello (with or without TPM enabled) can be bypassed in a number of ways. The article outlines the scenario.

    I mention this for guidance. I hope to get more clarification from the 1Password Technical Support Team. Please keep in mind that I am not a very technical person and only venturing into the deep end of the pool to protect myself and my account as I start using 1Password. I hope you can, in layman's terms, provide a thorough explanation regarding the issue in the article. Thank you.

    Here's the link: https://www.hindawi.com/journals/scn/2021/6245306/

    P.S. I found it helpful to download a pdf of the article. Thanks again.

  • kapsiR
    Community Member

    This paper seems to focus on non-TPM devices...

    Currently, many Windows devices, especially desktops and servers, run without missioning the TPM.

    In this paper, we evaluate the security of Windows Hello on a hardware-unsupported device by examining how difficult it is to break the device dependency.

  • Hello @TimLyden97701,

    Thanks for your message and for letting us know about your concerns with using Windows Hello with 1Password. I wanted to point you to our guide, which covers About Windows Hello security in 1Password for Windows, as well as some tips to Protect yourself when using Windows Hello.

    Use Windows Hello to unlock 1Password on your Windows PC

    Let us know if we can be of further assistance!

This discussion has been closed.