1Password8/Windows and Windows Hello on first signin?

Hey krtickak / @baldersz / @BSi:

Glad to hear we were able to get you up and running, and thanks for sharing the steps!

Jack

I think I know what caused this issue and that is that I enabled Windows Hello after I bought fingerprint reader for my desktop computer and TPM was disabled at time of registering windows hello. So windows stored windows hello private keys in software. Than I enabled fTPM in preparation for Windows 11 which I later changed to dTPM because of https://www.amd.com/en/support/kb/faq/pa-410 in AMDs implementation of fTPM.

krtickak and @BSi glad it helped!

Edit: Can confirm that 1Password is using the TPM by running:

certutil -csp "Microsoft Passport Key Storage Provider" -key -v | Select-String -Pattern "Name:", "NgcKeyImplType"

Output will show an RSA signed key 1Password-Enclave-Key stored in the TPM (via NgcKeyImplType: 1 (0x1))

@baldersz very well done, cleaning up the Windows Hello setup resolved the issue for me too. Thanks!

@baldersz awesome this worked like a charm. Now it would be awesome if 1Password directly said that those private keys are not stored in TPM and that Windows Hello needs to be reset so it can store private keys in TPM. 1P_PeterG @ag_ana MikeT Nhat_Nguyen

hey krtickak thanks for sharing this here, I was able to get it resolved and I updated my reddit post with the solution. The tl;dr is that I had initially set up Windows Hello without my TPM enabled, and that meant the private key was stored in software key storage within Windows.

After enabling the TPM, I then had to delete this private key using certutil , log-off and re-enable Windows Hello. After doing this, I confirmed this the private key was now stored in the TPM as indicated by NgcKeyImplType: 1 (0x1). I was then able to enable this option in 1Password and confirm it worked correctly.

Hope this helps anyone else experiencing this behaviour!

I found another person having this issue on reddit so I'm linking here their post if support want's to reach out to them for more diagnostic data. https://www.reddit.com/r/1Password/comments/tfu103/use_the_trusted_platform_module_with_windows/

MikeT Yes, Hello did show up first.

@Spoolin,

Opened 1Password and unlocked, entered the master password and then entered my pin when prompt.

If you wait a few minutes, lock the app; can you confirm Hello didn't show up again.

If yes, quit the app and restart, does Hello show up first?

MikeT I just did the following:

1. Opened 1Password and unlocked, entered the master password and then entered my pin when prompt.
2. Rebooted my PC
3. Opened 1Password and was again prompt for master password and then pin
4. Rebooted PC again
5. Opened 1Password and was again prompt for master password and then pin

If I sleep my PC and wake it 1Password just asks for the pin to unlock as expected. So it seems even without any updates or hardware changes I'm still being asked for the master password upon rebooting.

If you want any diagnostics or further troubleshooting free feel to email me (we've been chatting recently about the software TPM on my other PC).