Security with "Use the Trusted Platform Module with Windows Hello"

Hi kapsiR, thanks for these questions.

There is no way to have additional secret entropy added in, since Windows doesn’t provide a secure place to store data that only our app can fetch (akin to the macOS keychain, for example).

Assuming you haven't downloaded any malicious apps (which are the chief threat for this scenario), and you only accept TPM-backed Hello prompts (i.e. the ambiguous one where it doesn't specify the app unlocking it) when you expect there to be one, there's no substantial risk.

To add a bit more detail: NCrypt / Windows Hello wrap and control all access to the underlying Hello device. So therefore any userland software can make the same requests as another app. We provide the message you mentioned in order to notify the user that control is shifting to the TPM / Hello in a different way than it does when just using Hello with 1Password alone, and that you should trust the apps on your device if you want to enable this feature.