In reading I came across the article linked below which seems to say that Window Hello (with or without TPM enabled) can be bypassed in a number ways. So I've read to try to better understand the issue. To point, I've been curious about the warning/reluctance by the 1Password Team to enable/use TPM 2.0. I hate to be doing this but since I felt compromised by LastPass and it's failure to increase the automatically increasing the iterations used for blending/hashing my Master Password, I am a lot more cautious as I migrate to 1Password. I've been reading several of these threads about security using Windows Hello (both with and without Trusted Platform Module (TPM) 2.0 enabled. 1Password is the only app on my PC that integrates with Windows Hello if, for example, I would see an unexpected 1Password authentication, then for sure that would alert me that it may be due to a malicious app, which is a risk with risk I can live. It's just that I'm not sure exactly what the risk level is because I just don't understand how the malware will behave. Just to be certain, is it that a malicious app can trigger a Windows Hello authentication pretending to be 1Password and, if I authenticate, I will grant that malicious app access to my 1Password sites and logons? Honestly, I still don't fully understand the risk and, yes, I've ready the article.
I'm new to 1Password and I have to admit that the prompt spooked me! I admit that having to re-enter my master password after reboots is helpful in that it has forced me into remembering my long, cryptic password, but it is equally a nuisance. We've included the above prompt to have the user confirm that they know the risks and that you trust other apps on your system which generate their own Windows Hello prompts." However with Enhanced Windows Hello, a malicious process can potentially trick you into accepting a context-less prompt in order to decrypt your data. "Without the TPM option enabled, Windows Hello stays within our process so any phishing attempts by a malicious process wouldn’t work.
0 kommentar(er)
