About Windows Hello security in 1Password for Windows

Learn how to protect your data when you use Windows Hello on your PC.

When you use Windows Hello on your PC, you can unlock 1Password with your face, fingerprint, or companion device. Because you can unlock 1Password so easily, you can use a longer and more secure 1Password account password than you might otherwise have chosen.

Your biometrics are not stored in 1Password

1Password never scans or stores your fingerprint or face. Windows Hello tells 1Password only whether your biometrics or companion device were recognized.

Learn more about Windows Hello security and privacy.  

Your 1Password account password still protects your data

Using Windows Hello in 1Password doesn’t replace your account password or undermine the security of 1Password. Your data is encrypted with your account password and Secret Key, and that remains true even with Windows Hello turned on.

1Password requires your account password if the amount of time in Settings > Security > Require password has elapsed. If you choose Never, your password will only be required when the device is unable to use biometrics, so you should make sure your password is written down somewhere in case you don’t remember it.

Tip

After you change your account password, or if you have one that’s difficult to remember, choose to require the password more often to help you remember it.

Your 1Password account password is not stored on your PC

When you use Windows Hello, your account password is never stored on disk. Instead, 1Password generates a unique, encrypted secret for Windows Hello to access in your computer’s memory. Your account password is also required after you quit 1Password or restart your PC.

If you use the Trusted Platform Module with Windows Hello:

  • 1Password delegates the responsibility of authentication to Windows Hello.
  • The encrypted secret is stored in the Trusted Platform Module instead of your computer’s memory.
  • Windows Hello can immediately unlock 1Password accounts that use a password and Secret Key after you quit the app or restart your PC.

    Learn more about how Windows Hello works with 1Password accounts that unlock with SSO.

If authentication fails, the encrypted secret is reset, and your account password must be used to unlock 1Password.

Protect yourself when using Windows Hello

Follow these tips to stay safe with Windows Hello:

  • Use a strong, alphanumeric PIN when you set up Windows Hello. It’s always possible to use your Windows Hello PIN to unlock 1Password, so make sure your PIN is strong and memorable. Consider using the 1Password password generator to generate it.

  • If you’re concerned someone may attempt to use your face or fingerprint without your consent, turn off Windows Hello. Retrieving your account password from your mind while you sleep is still in the realm of science fiction. However, your face and fingerprint can be used without your consent whether you’re sleeping, unconscious, or otherwise. If you anticipate such a situation, turn off Windows Hello.

  • If you use other applications that ask you to authorize with Windows Hello, make sure you trust them. Using the Trusted Platform Module with Windows Hello delegates the responsibility of authentication solely to Windows Hello. A malicious application could prompt you to unlock 1Password to access your information.
