When using "Use the Trusted Platform Module with Windows Hello", 1Password prompts with a security warning. - How can another app gain access to 1Password with this setting? - Is there a way to retrieve the applications which have access to Windows Hello? Thanks 1Password Version: 8.7.0 Extension Version: 2.2.3 OS Version: Windows 10 21H2

Hello kapsiR, I'm sorry for the delay in response. I'm happy to help with your questions. We have an article on our support page that discusses Windows Hello security in 1Password for Windows. This same article goes on to discuss more information if you are using the Trusted Platform Module with Windows Hello. Is there a way to retrieve the applications which have access to Windows Hello? I'm unsure if it possible to retrieve a list of applications specific to your device that have access Windows Hello. If this is an area of concern, it would be worth reaching out to Microsoft support for help or to see if this is possible. I hope this helps!

Thanks for the response, my concerns are especially about that sentence: A malicious application could prompt you to unlock 1Password to access your information. So why is this possible? Do you have resources about that?

Hello again kapsiR, thanks for getting back to us. With regard to this warning when you enable TPM support, 1Password loses control over what can prompt you to access the key 1Password creates on the TPM. As noted in the article I provided, "1Password delegates the responsibility of authentication to Windows Hello." Without the TPM option enabled, Windows Hello stays within our process so any phishing attempts by a malicious process wouldn’t work. However with Enhanced Windows Hello, a malicious process can potentially trick you into accepting a context-less prompt in order to decrypt your data. We've included the above prompt to have the user confirm that they know the risks and that you trust other apps on your system which generate their own Windows Hello prompts. The key itself is safe in the actual TPM, its just a concern when logged into Windows. As far as I understand, we'll have some additional resources about this in the future, but it’s not ready just yet.

Thanks for the detailed explanation - it's much clearer now. So the secret is stored on the TPM - anyone with a Windows Hello prompt authenticates against the whole TPM? And I assume there is no way to have an additional entropy when prompting via Windows Hello to make this a little harder for attackers? 😄

Hi kapsiR, thanks for these questions. There is no way to have additional secret entropy added in, since Windows doesn’t provide a secure place to store data that only our app can fetch (akin to the macOS keychain, for example). Assuming you haven't downloaded any malicious apps (which are the chief threat for this scenario), and you only accept TPM-backed Hello prompts (i.e. the ambiguous one where it doesn't specify the app unlocking it) when you expect there to be one, there's no substantial risk. To add a bit more detail: NCrypt / Windows Hello wrap and control all access to the underlying Hello device. So therefore any userland software can make the same requests as another app. We provide the message you mentioned in order to notify the user that control is shifting to the TPM / Hello in a different way than it does when just using Hello with 1Password alone, and that you should trust the apps on your device if you want to enable this feature.

Security with "Use the Trusted Platform Module with Windows Hello"

27 Replies

ag_mike_d
1Password Team
3 years ago
You're most welcome, Nusaram - Happy New Year!
Nusaram
Frequent Contributor
3 years ago
Hi ag_mike_d,

Yes, it does! That was extremely helpful info.

Thank you!
ag_mike_d
1Password Team
3 years ago
Hello Nusaram,

Thanks for your message.

1Password is the only app on my PC that integrates with Windows Hello; if, for example, I would see an unexpected 1Password authentication, then for sure that would alert me that it may be due to a malicious app, which is a risk with risk I can live.

I can't speak specifically to how malware may trigger a Windows Hello prompt. However, in this case, when using Enhanced Windows Hello, by opening 1Password - if it continues to be the only trusted software on your device using Windows Hello - you can be sure this prompt is coming from 1Password.

I hope this helps to relieve some concern, but please let us know if you have any other questions.
Nusaram
Frequent Contributor
3 years ago
Hi ag_mike_d,

"Without the TPM option enabled, Windows Hello stays within our process so any phishing attempts by a malicious process wouldn’t work. However with Enhanced Windows Hello, a malicious process can potentially trick you into accepting a context-less prompt in order to decrypt your data. We've included the above prompt to have the user confirm that they know the risks and that you trust other apps on your system which generate their own Windows Hello prompts."

I'm new to 1Password and I have to admit that the prompt spooked me! I admit that having to re-enter my master password after reboots is helpful in that it has forced me into remembering my long, cryptic password, but it is equally a nuisance.

Honestly, I still don't fully understand the risk and, yes, I've ready the article. Just to be certain, is it that a malicious app can trigger a Windows Hello authentication pretending to be 1Password and, if I authenticate, I will grant that malicious app access to my 1Password sites and logons?

It's just that I'm not sure exactly what the risk level is because I just don't understand how the malware will behave. 1Password is the only app on my PC that integrates with Windows Hello; if, for example, I would see an unexpected 1Password authentication, then for sure that would alert me that it may be due to a malicious app, which is a risk with risk I can live.

Thanks!
ag_mike_d
1Password Team
3 years ago
Thanks, ForgottenPasswords! 👍
ForgottenPasswords
New Contributor
3 years ago
Thank you ag_mike_d and Former Member for your responses.

I shall be using Windows Hello then. It makes using 1Password much more convenient.

Have a great week, and keep 1Password rocking.
ag_mike_d
1Password Team
3 years ago
Thanks for the follow up, Former Member. ForgottenPasswords, please let us know if you have any additional questions.
Former Member
3 years ago
If your computer doesn't have a TPM, Windows emulates some of its functionality in software. With a hardware TPM, things like the secret to unlock 1Password survives a reboot, so you can unlock 1Password after a reboot with just your Hello pin. With the software emulation, such stuff is kept in protected CPU memory only, so you need to enter your 1Password master password once to unlock after a reboot. Additional unlocks are with PIN, since the secret to unlock is kept in memory - until next reboot. What survives a reboot even with the software emulation is the ability to login to Windows itself.
ag_mike_d
1Password Team
3 years ago
Hello ForgottenPasswords,

Thanks for your reaching out with your question about Windows Hello and 1Password. I've included a link to a related articles about Windows Hello security in 1Password for Windows.

If you'd like to enable Windows Hello, you can follow this guide: Use Windows Hello to unlock 1Password on your Windows PC

We appreciate your kind words about 1Password! 💙
ForgottenPasswords
New Contributor
3 years ago
Hello!

I recently installed Windows 11 by using a method to bypass requirements for a supported CPU and a TPM module.

After installing 1Password on the new installation, I discovered that using Windows Hello PIN would be a really convenient method to unlock 1Password.

However, I have concerns about the security of this, since my computer doesn't have a TPM module at all (not even v1).

Am I still safe to use Windows Hello with 1Password? How is the security ensured in this case?

Thanks, I love 1Password very much.

Forum Discussion

Security with "Use the Trusted Platform Module with Windows Hello"

27 Replies

Recent discussions

Bring Back the Standalone Password Generator in Android – Not Just Hidden in Login Creation

What type of backup do you use?

"Type in window" for Mac

auto-type in macos?

Ongoing Autofill Issues on Android