Master password required on every restart of the PC and notebook

Chris63
Community Member
edited May 2023 in Windows

I have read through the relevant support community articles and also found, for example, the post by pherti74, "Why doesn't Windows Hello work without first signing in with the password?", from January 2022 and a few others, but they do not solve my problem.

My wife is ill and it is no longer possible for her to remember complex passwords. That is why I wanted to install a password manager that she can unlock with biometric login (fingerprint) on the PC and the notebook under Windows 11. I decided on the Family version of 1Password and have been struggling with the installation since yesterday. Unfortunately, it is not possible to use only the biometric login under Windows 11 and do without the password prompt entirely. But at least I was able to set the password prompt to 30 days, and I thought that would be workable if I enter the master password for her once a month. Only, unfortunately, that does not work. After every restart of the PC the master password is requested, which is over 20 characters long and cryptic, so that not even I can remember it. That would also be OK if I only had to enter it once a month. But as it is, the tool is absolutely unusable for us. Interestingly, on the two Android mobile phones it works with the fingerprint alone, but that does not help, because the password manager is needed 98% of the time on the Windows devices.

I am still in the trial phase, and my question now is whether there is a solution to my problem, because everything else about 1Password is really great, but if there is no solution, I will unfortunately have to look for another product.


1Password Version: 8.10.6
Extension Version: Not Provided
OS Version: Windows 11
Browser: Edge

Comments

  • 1P_Gem

    Hi @Chris63! This sounds like the expected behaviour with just the Windows Hello unlock setting enabled. You'll still need to use your account password under certain circumstances, such as the first time you unlock 1Password after a restart of the app or your device. This is because 1Password doesn't have a secure place to persistently store the decryption key for Windows Hello to access, and so it will abandon this key during a restart to protect it from unauthorized access.

    This behaviour can be improved if your device is TPM 2.0-enabled, as the TPM provides a secure place for 1Password to store the decryption key. If you'd like Windows Hello unlock to persist through restarts, you can follow the steps below:

    1. Press the Windows key on your keyboard, and click 1Password near the top.
    2. Unlock with your usual credentials if prompted.
    3. In the top left, next to the word 1Password, click ⋮ > Settings > Security.
    4. Check the option to Use the Trusted Platform Module with Windows Hello.

    I hope this helps, but if you have any further questions, let me know 😄
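
Added example (not part of the original thread and not 1Password's own tooling): a PowerShell check, run from an elevated session, that the TPM 2.0 prerequisite mentioned above is met before turning on the setting. The function name `Test-Tpm20Ready` is hypothetical; `Get-Tpm` and the `Win32_Tpm` CIM class are standard Windows components.

```powershell
# Added example: verify that a TPM 2.0 is present, enabled and ready.
# Must be run as Administrator; Test-Tpm20Ready is a hypothetical helper name.
function Test-Tpm20Ready {
    [CmdletBinding()]
    param()

    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Ready  = $false
            Reason = "Get-Tpm failed (session not elevated?): $($_.Exception.Message)"
        }
    }

    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{
            Ready  = $false
            Reason = 'No TPM detected; it may be switched off in the firmware setup.'
        }
    }

    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM family.
    $wmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    $problems = @()
    if ($spec -ne '2.0')      { $problems += "spec version is '$spec', not 2.0" }
    if (-not $tpm.TpmEnabled) { $problems += 'TPM is not enabled' }
    if (-not $tpm.TpmReady)   { $problems += 'TPM is not ready for use' }

    [pscustomobject]@{
        Ready               = ($problems.Count -eq 0)
        Manufacturer        = $tpm.ManufacturerIdTxt
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $spec
        Reason              = if ($problems) { $problems -join '; ' } else { 'TPM 2.0 present, enabled and ready' }
    }
}

Test-Tpm20Ready | Format-List
```

`Ready : True` only confirms the hardware prerequisite; the setting itself still has to be completed with one account-password unlock followed by a Windows Hello prompt.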

  • Chris63
    Community Member

    Hi 1P_Gem, thanks a lot for the feedback. As I wrote, since yesterday I have spent about 20 hours trying to solve the problem, so I had also already tried to activate the TPM checkbox yesterday, but unfortunately it wasn't successful. Beforehand I had checked if my computer is TPM capable and yes, it is: TPM manufacturer INTC 403.1.0.0, version 2.0. So the prerequisites would be given, but 1Password still requires the master password after the reboot, even if TPM is activated.

    Is there really no feature that solves the problem? For example, isn't it possible to log in to 1Password on the PC / notebook using the 2-factor authentication via mobile phone (where biometric login works without entering the master password)? Unfortunately I can't find an option like this, only the 2-factor authentication for everything else except the 1Password login.

  • Chris63
    Community Member

    Hello 1P_Gem, here is an update:

    After my feedback above 15 minutes ago, I thought, referring to your answer, I would try one more time with TPM. I did everything exactly like yesterday and it didn't work. After restarting and logging in with Windows Hello, the prompt for the master password was displayed again in 1Password. Yesterday I stopped at this point because I was fed up with entering the over-20-character-long password again and again. When I tried again some minutes ago, unlike yesterday, I entered the master password. Then the Windows Hello input field was displayed again and I entered this again too. After the next restart, it worked. So it's a success. Thank you very much.

    Now I have to ask you one more question: How security-relevant is the warning "When this setting is on, a malicious app could gain access to your 1Password information."? I've read a lot about it in the forum, but I'm not the IT nerd with the huge understanding. Therefore: is there a simple statement as to whether it represents a really questionable risk or whether the risk is rather small?

    Thanks again.

  • 1P_Gem
    edited May 2023

    Hi @Chris63, thanks for getting back to me! I'm so glad to hear that all is working well now.

    It sounds as if you had previously stopped during the setup process. For the first unlock after enabling the TPM option, 1Password will ask for your account password, followed by a Windows Hello prompt to finish setting up the unlock key with your TPM. After this, it should start to work as expected and allow Hello unlock to persist through restarts.

    Now I have to ask you one more question: How security-relevant is the warning "When this setting is on, a malicious app could gain access to your 1Password information."?

    When you enable TPM support, 1Password no longer has control over what can prompt you to access the key we create on the TPM, or when. With regular Hello unlock, everything stays within 1Password's processes so any prompt phishing by a malicious process wouldn't work. However, with TPM integration enabled, all a malicious process would need to do in order to decrypt your data is trick you into accepting a context-less Hello prompt.

    In general, the level of risk depends on how careful you are with your device. The best way to stay safe and avoid this occurring would be to make sure you trust the apps you use, and keep malicious applications off your system by following the points below:

    • Keep your computer and software updated.
    • Exercise caution when clicking links or downloading anything.
    • Be careful about opening email attachments or images.
    • Don't trust pop-up windows that ask you to download software.
    • Use security software such as an anti-malware application.

    I hope this helps, but if you have any further questions, let me know! 😄

  • Chris63
    Community Member

    Hi 1P_Gem

    Thanks a lot for your help and the time you spent answering my questions. I really appreciate it. As there is no other option to use the password manager for my wife, we have to accept the risk and be careful using the computer until there is a more secure solution.

    Kind Regards,
    Chris

  • 1P_Gem

    Hi @Chris63, you're very welcome! I'm pleased to hear that the information was helpful. If you have any further questions, let me know. 😄

This discussion has been closed.