Dunecat
November 4, 2024
Question

Windows Hello prompt comes up every time I unlock the vault using a password

  • 9 replies
  • 471 views

This started happening about 2 weeks ago and has been happening consistently since. It's trivial to reproduce on multiple Windows PCs running Win11 24H2.

Steps to reproduce:

  1. Turn on "Unlock using Windows Hello" and "Use the TPM with Windows Hello"
  2. Turn off "Show Windows Hello prompt automatically"
  3. Set require password to "every 30 days"
  4. Quit 1P.
  5. Relaunch 1P & unlock with password. The vault unlocks, then pops up with the Windows Hello prompt.
  6. Complete the Windows Hello prompt.
  7. Quit 1P.
  8. Relaunch 1P and unlock with password.

Result:
The vault unlocks but then it pops up the Windows Hello prompt again.

Expectation:
The vault unlocks and does not pop up the Windows Hello prompt.

The only workaround I've found for fixing this is to disable the "Unlock using Windows Hello" feature entirely. This is a real drag of a workaround, and again, it didn't use to do this.


1Password Version: 8.10.50
Extension Version: Not Provided
OS Version: Windows 11 24H2
Browser: Not Provided

1P_Dave
1Password Employee
November 8, 2024

Hello @Dunecat! 👋

I'm sorry that you're being prompted by Windows Hello after unlocking 1Password using your account password. It sounds like you're running into a known issue that our development team is aware of. So that I can confirm this, could you post a screenshot of the Windows Hello prompt that you see after unlocking 1Password using your account password?

I look forward to hearing from you. 🙂

-Dave

ref: dev/core/core#33895

April 24, 2025

Do you have a fix for this yet? It's driving me nuts.

Dunecat
Author
November 9, 2024

1P_Dave
1Password Employee
November 11, 2024

@Dunecat

Thank you for the screenshot. I confirm that you're running into the known issue and I've added your report to the work item open for the issue. Hopefully this can be fixed in a future update to 1Password soon.

-Dave

ref: dev/core/core#33895

Dunecat
Author
November 11, 2024

Thank you for the update, @1P_Dave! I'm looking forward to the fix because I want to use password to unlock the vault, except for when I'm using SSH keys, in which case I want to use Hello. Unlocking with the password shouldn't trigger any change to the Windows Hello state, so it's frustrating in its current state, and I'm very happy to hear it will be fixed.

1P_Dave
1Password Employee
November 11, 2024

@Dunecat

Thanks again for reporting the issue. When it's resolved you'll see it noted in our release notes: 1Password Releases

> I want to use password to unlock the vault, except for when I'm using SSH keys, in which case I want to use Hello.

Out of curiosity, why don't you want to unlock 1Password using Windows Hello aside from when you use an SSH key?

-Dave

Dunecat
Author
December 2, 2024

Hi again, and happy holidays.

Having to unlock again to use an SSH key at all, via any method, is an unnecessary hurdle and just makes life harder. Especially when a specific app is already approved to use them. E.g. I use VS Code and SSH keys to push to GitLab and yet 1Password treats it as a totally suspicious activity every single time. Bizarre. At least when I'm opening VS Code I'm sitting at a computer, whereas when 1Password is auto-launching I might be getting a cup of coffee and not sitting in front of the computer.

1P_Dave
1Password Employee
December 4, 2024

@Dunecat

Thank you for the reply. You can adjust your authorization options for SSH by using these steps: Get started with 1Password for SSH Developer - Adjust your authorization options

We have an explanation of the authorization model for the SSH agent here: About 1Password SSH Agent security Developer

-Dave

Dunecat
Author
December 4, 2024

Thanks Dave, the links are helpful. They help illustrate the overlooked use case:

> The authorization model for the 1Password SSH agent is built on the idea that you should be able to control which processes are allowed to use which private keys.

Alternatively, you should be able to control which applications are allowed to use which private keys, so that you don't have to re-auth every time you re-use the same application, as long as the vault is unlocked. If the vault is unlocked, the fact that I authorized the application to use the key Monday should be well enough for the application to re-use that same key Friday without reprompting me, even if I've rebooted the computer in between.

Here's the relevant part of the developer settings page:

The "Remember key approval" dropdown is missing a "forever" option.

Dunecat
Author
January 14, 2025

Any chance this is being worked on, yet? There have been a few releases since Support confirmed the issue and it's still broken. I'm reminded every single time that I unlock the vault.