February 16, 2022
Question

Windows SSH Agent without Windows Hello?

  • 28 replies
  • 1770 views

Hi!

I was very excited to try the new SSH tooling built into 1Password 8 Beta for Windows. However, I do not have Windows Hello on my desktop which sounds like a requirement to use the 1Password SSH agent on Windows (see green TIP here https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent).

Is there any way around this? Or are there plans for an alternative here? I don't mind entering my master password every time I need to SSH as an alternative. I'd really like to use the SSH agent :)


1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: Windows 11 Pro

28 replies

November 21, 2022

@"chris.db_1p"
Thanks for this good news!
I just wanted to add that in my organization (including branches in Germany) Windows Hello is also prohibited, but access is allowed using security keys like YubiKey.
Perhaps this could be an alternative to Windows Hello too?

November 22, 2022

It's perplexing to me that you guys feel the need to rank the security requirements of the ssh-agent differently (and a whole lot stronger) than a whole vault of passwords, credit card numbers, PPI, API keys and so on. This goes beyond opinionated to mandated with "New processes always require approval"

Please re-think some of this governance and give us the option to opt-out (perhaps via a flag or advanced menu) of some of these ridiculous requirements (none of this nonsense in keepass-xc ssh-agent) - let's get rid of the "new processes require approval always" mandating first.

I know it's hard as you reach for the thumb button on your shiny MacBook Airs at the start of your daily tmux session to consider other people have different workflows and security considerations and security precautions already in place.

tomstock
November 25, 2022

My organization also disables Windows Hello. I would love for the SSH keys to seamlessly work on my workstation without Windows Hello.

Jack_P_1P
1Password Employee
November 29, 2022

Hi @tomstock / @sitepodmatt / @Mentat / @uncaught:

Thanks for your feedback on this. As my colleague Chris mentioned, we're actively working on this, but I don't have anything to share just yet. Keep an eye out.

Jack

December 2, 2022

+1 here, not using Windows Hello as... I am on a desktop... without fingerprint reader... without IR webcam... I do have a PIN however configured with Windows Hello, but it seems this use case is not supported either!

Jack_P_1P
1Password Employee
December 2, 2022

Hi @Guidome:

As long as Windows Hello is available (even with just PIN) and configured to unlock 1Password (Settings > Security), you should be able to use your Hello PIN for the 1Password SSH agent. Let me know if that isn't working for you and I can take a closer look.

Jack

December 5, 2022

@Jack_P_1P Thanks for the information, I definitely missed that one.
But I am still in that boat for my work machine as, just as the others, my employer does not allow any form of Windows Hello...

Jack_P_1P
1Password Employee
December 5, 2022

Hey @Guidome:

Thanks for following up. As I mentioned earlier, removing the requirement for Windows Hello is something we're exploring, but I don't have anything to share just yet.

Jack

solarizde
December 11, 2022

Hey, would it be an option to also allow a more frequent reauth via password when using Windows Hello? Currently the minimum is 2 weeks, why is that? I would like to use Win Hello but want to reauth via password once a day and after each reboot.

Especially when traveling, having Windows Hello enabled is a huge security risk because compared to a password it can relatively easily be breached/enforced.

Thanks

February 21, 2023

I would also be interested in being able to shorten the password interval as a stopgap until this feature is available. I'm not going to be able to memorize my password if I only use it once every two weeks, and I'd like to be able to get to the point that I can destroy the piece of paper I've written it on.