AlmoEnd
3 months ago
Dedicated Contributor
TPM, KDEWallet, GPG, ssh, etc., etc.
I often boot multiple OSes, and enjoy the cross-platform nature of 1Password.
HOWEVER ... the more different OSes I boot into, the more I see differences between 1P "behavior" and interaction with the lower-level platforms such as TPM and Secure Boot that really make me go "hmmm...". So let me outline a few of these quirks and see if the 1Password Dev team can chime in on any of them:
- TPM--the link to enable TPM "integration" of course isn't there, probably will never be there in Linux (I mostly run Debian/Ubuntu and derivatives such as MX Linux and Pop!_OS). What is strange to me is that it is greyed out under Windows 11 on one laptop (Dell Latitude), and available to be checked on a different one (Lenovo IdeaPad). I actually own a third laptop where Secure Boot is disabled, and if I check the box for TPM, I can use Hello *fairly* reliably on that machine. So, seems like Secure Boot, TPM, and whatever keystore the Linux kernel loads by default have interfaces that don't involve me (the slightly geeky, nah, totally geeky) end user.
- Dual boot of Windows and Linux is a dance involving the Firmware and complicated by Secure Boot and Windows' preemptive ownership of the boot environment overall. I don't expect I'm part of a large population of 1Password users that have rooted Android devices among their 1P test farm, but I'd like the feeling there is some representation in your test lab.
- Two-factor enabling 1P "online awareness"--fairly sketchy why that pops up at certain times, and I go right into 1P in online mode at others? I have never made that drop-down offering to authenticate with a "Security Key" work, is that disabled for a reason? Future functionality ain't fun to understand, if that's what it is. I believe this is related to (Linux) --
- KDE Wallet (Plasma "keychain") or GPG keyring (Blowfish-protected older style) often pop up before/during 1Password initialization. There seems to be a "race condition" where 1Password invokes the keyring popup, waits about 10 seconds, and then just loads, but because the keystore isn't fully unlocked, prompts for 2-factor and starts in offline mode.
- Toggling back and forth from a security key to 1P to provide passkeys to websites where I have registered (enrolled?) both is full of gotchas. Google is better than Microsoft in this respect, but firewalls and SecureDNS seem to impact how 1P handles the differences. Microsoft is trying to coax (force?) users over to their Authenticator but they lead the pack in terms of a good handful of sites 1P publishes on https://passkeys.directory/ that don't exactly work as expected, or the links to enable the passkey go stale.
There, had my little rant, hoping I get some love from the dev team. They should know I find this product a very remarkable island in a world of so-so-software!
--Alex