Why you cannot unlock 1Password for Windows with your finger

Stefan
Jul 21, 2016

Don’t get me wrong; I *love* how I can unlock 1Password for iOS with my finger. This is a huge productivity enhancement, especially when you combine that with the 1Password extension for Safari:

  1. Visit website
  2. Click on the share icon; share sheet appears
  3. Click on the 1Password icon (if you do not see it, then click on the ellipsis button labelled More and then switch on 1Password — bonus tip: then move 1Password to the top of the list)
  4. Unlock 1Password with your finger
  5. Click on the website name under Log In Using

Boom! 1Password will fill your username and your password for you. Honestly, this feature alone was worth the 1Password upgrade (speaking of that, the awesome people at AgileBits seldom charge for upgrades — most of them were free).

1Password for iOS can store your master password in the so-called Secure Enclave, and other apps do not have access to that. Also, Apple goes to great lengths to clear the Secure Enclave (for example: when you restart your iPhone or install an iOS update).

Customers sometimes ask me why they cannot unlock 1Password for Windows with a USB fingerprint reader. Here is the problem with fingerprint readers (and other biometrics, such as face recognition):

  1. The scan always comes back with slightly different data. Then there is software that will tell us whether or not the scan matches a model made earlier. We cannot use either of them as your encryption key because the scan isn’t consistent, and the model is stored somewhere on your drive.
  2. On your iPhone, 1Password can store your master password in the Secure Enclave and then unlock this with your fingerprint. On Windows, I do not believe there to be a safe equivalent (or at least not until Intel SGX is available to everyone), and that is why I’m a strong believer in not storing your master password anywhere.
  3. Even if we could somehow overcome problems #1 and #2, you would not want to replace your master password with biometrics. The cops are in love with face recognition because after they arrest you, they then point the screen at your face. While biometrics are great as a 2nd factor, they should never be your only factor. You should always combine biometrics with “something you know”, which brings us back to your master password.
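
Problem #1 above, as an added example (not code from the original post or from 1Password): a simulated sensor with constructed feature vectors, a toy distance-based matcher, and PBKDF2 standing in as an assumed key-derivation function. Every repeated scan matches the stored model, yet each scan derives a different key, while a password derives the same key every time.

```python
import hashlib
import random

PASSWORD = b"correct horse battery staple"  # constructed sample password
SALT = b"constructed-salt"                  # constructed; real salts are random


def derive_key(secret, salt=SALT):
    """Derive a 256-bit key. One changed input byte changes the whole key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def noisy_scan(finger, rng, jitter=2):
    """Simulate one sensor reading: same finger, slightly different values."""
    return [v + rng.randint(-jitter, jitter) for v in finger]


def matches(scan, model, tolerance=4.0):
    """Toy matcher: a yes/no answer from the mean distance to the model."""
    distance = sum(abs(a - b) for a, b in zip(scan, model)) / len(model)
    return distance <= tolerance


def demo(seed=1, attempts=5):
    rng = random.Random(seed)
    # Constructed "true" features of one finger, 64 values in 10..244.
    finger = [rng.randrange(10, 245) for _ in range(64)]
    # The enrolled model is itself just one scan, kept in plain form on disk
    # so the matcher can compare against it. It cannot double as a secret key.
    model = noisy_scan(finger, rng)
    scans = [noisy_scan(finger, rng) for _ in range(attempts)]
    stranger = [rng.randrange(256) for _ in range(64)]
    return {
        # The matcher tolerates the noise and accepts every scan...
        "all_scans_match": all(matches(s, model) for s in scans),
        "stranger_matches": matches(stranger, model),
        # ...but a key derived from the raw scan differs on every attempt,
        # so data encrypted under one scan's key could never be decrypted.
        "distinct_scan_keys": len({derive_key(bytes(s)) for s in scans}),
        # "Something you know" is byte-for-byte identical each time.
        "distinct_password_keys": len({derive_key(PASSWORD) for _ in scans}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```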

Update: the cops are now trying to recreate a finger in a 3D printing lab. This tells us again that your fingerprint isn’t protected by the Fifth Amendment. Your master password, on the other hand, is. Do not replace passwords with biometrics. Use 2-factor authentication where possible.

Stefan

Delphi/Rust/Go developer. Ethereum consultant. Embarcadero MVP. Ex-Adobe, Macromedia. Helped build 1Password.