Forum Discussion
the_john19
4 years ago
Occasional Contributor
TPM For Windows Hello After Restart
With Windows 11 there will be even more Windows machines with TPM on by default. Thanks to the TPM, other password managers allow you to use Windows Hello even after restarting the app or the machine itself. Would this be possible for 1Password as well? It would be very similar to how the mobile apps work; there I also don't need my master password after a restart and can use Face ID right away. Thanks to the TPM it should be as safe as with the mobile platforms where you allow this feature.
1Password Version: 8.1.2-22.NIGHTLY
Extension Version: 2.0.5
OS Version: Windows 10
Sync Type: Not Provided
39 Replies
- MikeT
1Password Team
Hi @Ryota,
Thanks for writing in to report this!
We are aware of some incompatibilities with certain TPM chipsets, such as Ryzen's fTPM and VMware's vTPM where the system reports back with no TPM attestation support that we need. What's really odd about these two is that when we compare it with the system tools, they are available but when we go through our APIs, they're not. Also of note, we did see available TPM support with an external TPM chip on top of Ryzen 5xxx series mobo, so it is possible to enable TPM in that setup, just not with Ryzen's fTPM (yet).
We are working with Microsoft to determine the reasoning behind it or to see if we can improve our support.
At the moment, there isn't a way around this yet that we can find (besides using the external TPM chip). Hopefully, we'll have better news in time as we continue to gather more information and work with Microsoft on this.
- Former Member
Hmm. This unfortunately doesn't seem to work for me on a Ryzen 5900X with fTPM enabled.
The option remains greyed out.
- the_john19
Occasional Contributor
1P_PeterG Thank you for the update, it works wonderfully! So much more convenient now, thank you a lot!
- 1P_PeterG
Community Manager
Hi the_john19 kop48, we have an update for you!
Support for TPM has now made it to our latest Beta, 8.6.0-43. With this, you can now unlock with Windows Hello after restarting 1Password or rebooting your machine. 🥳 If you'd like to update and give it a try, we'd love to have your impressions of the new feature (and hey, this Beta's got a collapsible sidebar option too)!
Thanks again for providing the feedback we need to keep making the best app possible. We greatly appreciate it!
- Dayton_ag
1Password Team
Thanks for your feedback! :smile:
- kop48
Dedicated Contributor
Windows Hello basically provides this functionality, but it's important to note that you probably don't want to store raw keys in the TPM without either using a PIN, or using Windows Hello's biometric unlock of the NGC Container that underpins it.
- 1P_PeterG
Community Manager
> Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does, it provides a secure way to store the encryption keys on the device.
Understood! We are quite interested in TPM, and especially in what the combination of Windows 11 and TPM could bring.
As Dayton_ag mentioned, we're not in a position to speak to what will be included in future versions of 1Password, but I can say that all of us want to provide something that's convenient, useful to lots of people, and really, really secure. TPM is certainly on our radar, for the reasons you've mentioned. But, "always in motion is the future," to quote a famous philosopher. 😀
- the_john19
Occasional Contributor
Dayton_ag Thanks for your reply, but that’s exactly what the TPM is for. It’s basically what the security chip on an iPhone or Android does, it provides a secure way to store the encryption keys on the device. Other password managers just check if a device has got one and, if so, provide this feature. There are also plenty of well-documented APIs by Microsoft to implement this in a very secure manner :)
With Windows 11 basically all devices need a TPM chip (if they don’t change their mind), so with Win 11 this feature will be used by many more people with different password managers and so it would probably become a feature they expect 1Password to provide as well.
- Dayton_ag
1Password Team
Hey there the_john19! That's a great question!
Currently we aren't able to support Hello after reboot because there's no secure manner to store encryption keys on the device and store them securely through a reboot of the device. While I can't speak to future plans for 1Password, having a way to securely store these keys on the system persistently through a reboot is a requirement for providing this feature, and our Development team is always on the lookout for secure means to make this happen. We're all excited to see what we can build with 1Password and Windows 11. :smile:
ref: /dev/core/core/8769