Forum Discussion

Former Member
3 years ago

Is it possible to set up Windows Hello with a fingerprint-enabled security key but without a PIN?

Hi, I see in the knowledge base this section about Windows Hello and the PIN:

https://support.1password.com/windows-hello-security/

Use a strong, alphanumeric PIN when you set up Windows Hello. It’s always possible to use your Windows Hello PIN to unlock 1Password, so make sure your PIN is strong and memorable. Consider using the 1Password password generator to generate it.

Does anyone have an idea why?

I mean... The whole point of a fingerprint-enabled security key is to go passwordless. I'd like it to be mandatory: if one cannot provide the fingerprint, I don't want them to unlock 1Password. But Hello allows someone to avoid the fingerprint and just type the PIN! It's like making the whole bio security optional... I don't understand why. And because the PIN is mandatory, I cannot set up the security key without one.

So in order to follow the recommendation here, which is very logical given the process (even if I don't understand at all the reason behind it...).

I don't want someone to access my 1Password vault too easily with only a PIN. In fact, I don't want a PIN to remember at all. Because if I set up one (and I'm forced to), I'll have to remember it and provide it sometimes when asked by Hello. I don't want that. It becomes yet another impractical password, nullifying the very idea of using a fingerprint and forgetting about stupid random complicated passwords generated for me :'(


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
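The support article quoted in the post recommends a strong, alphanumeric Windows Hello PIN because the PIN can always be used to unlock 1Password. The following read-only PowerShell audit is an added example, not part of the thread and not 1Password's or Microsoft's code: it reads the Windows Hello PIN complexity policy that Group Policy writes under `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity` and reports whether that policy actually enforces letters and symbols, or whether a digits-only PIN would still be accepted. The value names and the 0 = allowed / 1 = required / 2 = not allowed encoding are taken from the PassportForWork policy as this example assumes it; verify them against the policy documentation for your Windows build before relying on the report.

```powershell
# Added example (not from the thread, 1Password or Microsoft): read-only audit of the
# Windows Hello PIN complexity policy. Assumes the Group Policy registry location and
# the 0 = allowed, 1 = required, 2 = not allowed encoding for the character classes.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

function Get-HelloPinPolicy {
    # Returns a hashtable of the policy values; $null means "not configured".
    $names  = 'MinimumPINLength', 'UppercaseLetters', 'LowercaseLetters', 'SpecialCharacters', 'Digits'
    $item   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($name in $names) {
        $policy[$name] = if ($item -and $null -ne $item.$name) { [int]$item.$name } else { $null }
    }
    return $policy
}

function Test-HelloPinPolicy {
    # Turns the raw policy into findings a defender can act on. An empty list means
    # the policy requires a PIN with the character mix the support article recommends.
    param([hashtable]$Policy)
    $findings = @()

    if ($null -eq $Policy.MinimumPINLength) {
        $findings += 'MinimumPINLength is not configured; the Windows default applies.'
    } elseif ($Policy.MinimumPINLength -lt 8) {
        $findings += "MinimumPINLength is $($Policy.MinimumPINLength); consider a longer minimum."
    }

    foreach ($class in 'UppercaseLetters', 'LowercaseLetters', 'SpecialCharacters') {
        switch ($Policy[$class]) {
            $null { $findings += "$class not configured: allowed but not required, so a digits-only PIN is accepted." }
            0     { $findings += "$class allowed but not required, so a digits-only PIN is accepted." }
            2     { $findings += "$class not allowed: the policy blocks an alphanumeric PIN." }
            # 1 = required: nothing to report for this class
        }
    }
    return $findings
}

$policy   = Get-HelloPinPolicy
$findings = Test-HelloPinPolicy -Policy $policy

"Windows Hello PIN complexity policy ($PolicyKey):"
$policy.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $shown = if ($null -eq $_.Value) { 'not configured' } else { $_.Value }
    "  {0,-18} {1}" -f $_.Name, $shown
}
if ($findings.Count -eq 0) {
    'Policy requires letters and symbols in the PIN.'
} else {
    'Findings:'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it in an elevated PowerShell session on the machine where 1Password is unlocked with Windows Hello. The script only reads the policy and never touches the PIN itself; if the key is absent entirely, no complexity policy is applied and the user's own choice at PIN setup is the only thing standing between a short numeric PIN and the vault.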

  • ag_mike_d
    1Password Team

    Thanks for your comment here, @crkinard. That's correct, 1Password does hand off the duties of unlocking to the Windows Hello/Windows Security.

  • Former Member

    Windows Hello asking for and requiring a PIN is Windows demanding it. Not 1Password.

  • 1P_PeterG
    Community Manager

    Hi @N_Z_L, thank you for this question!

    Per Goldfinger's post, this has to do with how Windows Hello is designed. Microsoft's docs indicate:

    Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

    If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.

    From our position at 1Password, what we can provide is an "integration" with Hello - in other words, we can provide a way to interface with Hello and use it to extend the capabilities of 1Password, but we can't fundamentally alter how Hello works (or perhaps more specifically, what it requires to work).

    Ultimately, if you're uncomfortable with using a PIN to unlock 1Password on that device, I'd recommend sticking to the classic combination of account password and Secret Key.

    For what it's worth, we are always thinking about how to make sign-in to 1Password more easy while keeping things secure, so we appreciate your feedback on this and the points you've raised here. Thanks for taking the time to do so.

  • Goldfinger
    Occasional Contributor

    The purpose of the PIN, AFAIK, is the fallback option, but I also recall that the PIN is used to encrypt the biometric data.
    The PIN is tied to the hardware too, so it is not a password per se.

    Getting to passwordless is going to be a journey.
    It's relevant that Hello was created before TPM 2.0 was required for a Windows install, as it is in Win 11.

    Did you find anything different?