Protect what matters – even after you're gone. Make a plan for your digital legacy today.
Forum Discussion
Why does 1Password launch Windows Hello AFTER unlocking?
Shouldn't this be before unlocking? What is the point of using Windows Hello?
1P_Gem
Moderator
ModeratorHi ChrisPro,
This happens when 1Password needs to set the unlock secret up so that Windows Hello can use it for future unlocks.
If you're using Windows Hello without the "Use your device's Trusted Platform Module to unlock" option, this is expected the first time you unlock after restarting 1Password or your device.
If you're using Windows Hello with the TPM option enabled, this is expected either the first time you unlock after enabling it, or if something has invalidated the TPM state, for example after some major Windows updates, BIOS changes, or dual booting.
In these situations, you'll first unlock with your account password, then see a follow-up Windows Hello prompt. Completing that prompt allows 1Password to re-establish the unlock secret so that future unlocks can use Windows Hello on its own again.
To help me understand what's happening in your case:
- Are you using the option "Use your device's Trusted Platform Module to unlock" in the 1Password desktop app under Settings > Security?
- When the follow up Windows Hello prompt appears, do you complete it, or do you always cancel it as shown in your screen recording?
If the prompt is cancelled, 1Password can't finish setting up Windows Hello again, so on the next unlock you'll be prompted for your password and then Windows Hello again.
I look forward to hearing from you!
- Gem
Yes TPM mode is enabled.
So this is because the TPM state changed, alrighty.
Still, why does it come up after entering my password, it's somewhat confusing right?
Shouldn't Windows Hello come first, and then show an error message clearly outlining that the TPM state has changed, then prompt for the master password after that?Just seems like an oddly designed user experience.
- 1P_Gem
Hi ChrisPro, thanks for confirming! It does sound like you're running into the expected behaviour after a TPM state change.
If Windows Hello were shown first in this situation, it wouldn't be able to unlock 1Password.
When the TPM state changes, the stored unlock secret becomes invalid. Windows Hello relies on that secret to unlock 1Password, so once it is no longer usable, Hello cannot unlock the app.
This means that 1Password has to fall back to your account password. After you unlock with your password and decrypt your data, 1Password can then call up a Hello prompt in order to set the unlock secret back up in the TPM.
I hope that makes sense, but let me know if you have any further questions!
