Windows SSH Agent without Windows Hello?

BorkforceOne
Community Member
edited May 2022 in SSH

Hi!

I was very excited to try the new SSH tooling built into 1Password 8 Beta for Windows. However, I do not have Windows Hello on my desktop which sounds like a requirement to use the 1Password SSH agent on Windows (see green TIP here https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent).

Is there any way around this? Or are there plans for an alternative here? I don't mind entering my master password every time I need to SSH as an alternative. I'd really like to use the SSH agent :)


1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: Windows 11 Pro

Comments

  • Yes, it's currently a requirement, but we will be adding support for entering your account password as well in the future.

  • mrbscreen
    Community Member

    The password option is really necessary. My company, for example, does not allow the usage of "Windows Hello".

  • It was not an easy decision to make, so we can assure you that this is high on our list.

    Out of curiosity, what's the main reason your company doesn't allow Windows Hello?

  • mrbscreen
    Community Member

    The main reason is legal hostility belonging to the German GDPR (DSGVO).

  • ag_tyler
    edited February 2022

    @mrbscreen, thanks for giving us additional context there. That definitely helps us prioritize this!

  • Tertius3
    Community Member

    My company (worldwide, > 100000 employees) also disabled Windows Hello for reasons unknown to me, at least for the machines located in Germany. Since regular ssh agents ask for the key password once at loading time, then never again, I would like a similar behavior in 1Password as an option. Just be able to disable any prompt and just serve the key if it is requested by some ssh client.

    I understand asking for Windows Hello unlock is a security measure to make me aware that an ssh key is actually requested, and to detect unexpected requests, but this is not standard behavior of ssh agents.

  • @Tertius3 Thank you for the additional feedback. We're definitely doing some research here to determine how we might approach this particular scenario going forward. We need to balance security with ease of use but we know this is important to make more seamless for you!

  • sb22hh
    Community Member

    Hello, I've seen this conversation and I'm curious what is the status of this request?
    My company doesn't allow Windows Hello because of legal reasons (GDPR).
    Would be great if this request could get the highest priority.

  • @sb22hh Removing the requirement of Windows Hello is something we're actively working on. Stay tuned!

  • uncaught
    Community Member

    I'm wondering whether the use of Windows Hello is a technical requirement or just convenience for you?

    I mean, could the 1Password app not prompt for the use of an SSH key itself? Without asking for a password at all, if the app is already unlocked.

  • Mentat
    Community Member

    @chris.db_1p
    Thanks for this good news!
    I just wanted to add that in my organization (including branches in Germany) Windows Hello is also prohibited, but access is allowed using security keys like Yubikey.
    Perhaps this could be an alternative to Windows Hello too?

  • tomstock
    Community Member

    My organization also disables Windows Hello. I would love for the ssh keys to seamlessly work on my workstation without Windows Hello.

  • Hi @tomstock / @sitepodmatt / @Mentat / @uncaught:

    Thanks for your feedback on this. As my colleague Chris mentioned, we're actively working on this, but I don't have anything to share just yet. Keep an eye out.

    Jack

  • Guidome
    Community Member

    +1 here, not using Windows Hello as... I am on a desktop... without fingerprint reader... without IR webcam... I do have a PIN however configured with Windows Hello, but it seems this use case is not supported either!

  • Hi @Guidome:

    As long as Windows Hello is available (even with just PIN) and configured to unlock 1Password (Settings > Security), you should be able to use your Hello PIN for the 1Password SSH agent. Let me know if that isn't working for you and I can take a closer look.

    Jack

  • Guidome
    Community Member

    @Jack.P_1P Thanks for the information, I definitely missed that one.
    But I am still in that boat for my work machine as, just as the others, my employer does not allow any form of Windows Hello...

  • Hey @Guidome:

    Thanks for following up. As I mentioned earlier, removing the requirement for Windows Hello is something we're exploring, but I don't have anything to share just yet.

    Jack

  • solarizde
    Community Member

    Hey, would it be an option to also allow a more frequent reauth via password when using Windows Hello? Currently the minimum is 2 weeks, why is that? I would like to use Win Hello but want to reauth via password once a day and after each reboot.

    Especially when traveling, having Windows Hello enabled is a huge security risk because compared to a password it can relatively easily be breached/enforced.

    Thanks

  • colinphill
    Community Member

    I would also be interested in being able to shorten the password interval as a stopgap until this feature is available. I'm not going to be able to memorize my password if I only use it once every two weeks, and I'd like to be able to get to the point that I can destroy the piece of paper I've written it on.

  • @BorkforceOne @mrbscreen @Tertius3 @sb22hh @uncaught @Mentat @tomstock @Guidome @solarizde @colinphill

    Thanks all for your patience and feedback. We've been working on removing the Windows Hello requirement for SSH and have a solution that we'll be launching soon! You can already try it out today if you're interested to take it for a spin. You can find more information in our Developer Slack workspace.

  • mrbscreen
    Community Member

    Hi @floris_1P,

    thank you very much for sharing this.
    I have tested it and as far as I can say, this works like a charm. :-)

    The only thing that could be improved indeed is, if 1Password is already unlocked, the entering of the password should not be necessary.
    Confirmation is ok, but entering the password again takes a lot of time.

  • jhooks
    Community Member

    Any news on when this will be released?

  • @jhooks It's been out for a few months already. So you should be able to turn on the SSH agent without having Windows Hello enabled.

  • jhooks
    Community Member

    Fair enough, I was following the learn more link in the 'Developer' tab - which still lists it as a requirement (https://developer.1password.com/docs/ssh/agent/?utm_medium=organic&utm_source=oph&utm_campaign=windows)

    In that case, any idea why the option 'Set Up SSH Agent...' is greyed out? Both options SSH Agent and CLI are greyed out for me.

  • jhooks
    Community Member

    What I'm seeing is

  • @jhooks Which version of 1Password are you on?

  • jhooks
    Community Member

    Hi @floris_1P - 8.10.3 ... seems pretty out of date, I'll get that fixed and let you know if that resolves my issue.