Dear @paulsiu,
Have you ever gotten more info on this? Apparently, 1Password differentiates between using TPM and not using TPM. While not using TPM, 1P requires re-entering the password on restart. If using TPM, 1P doesn’t require entering the password, but will warn about other malicious apps.
BW recently added the option to require re-entering the password on start for biometrics, while recommending that Windows users leave this option on as it is better for security. So, presumably, BW has never stored and is not storing the key in TPM, and either 1) a clear-text key or 2) a key encrypted with an unknown seed (since the password is unavailable and PIN isn’t enabled) is stored on disk. As such, using Windows biometrics prior to v2023.4.0 weakens the local vault considerably or completely. And for v2023.4.0, requiring a master password on restart (and not PIN) is definitely a better option.
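An added illustration of the three storage options the post reasons about (a clear-text key on disk, a key wrapped with a seed that also lives on disk, and a key wrapped with a master-password-derived key). This is example code, not Bitwarden or 1Password code, and the XOR wrap, PBKDF2 parameters and profile layout are assumptions standing in for whatever the real clients do:

```python
import hashlib
import secrets

# Constructed model (not any vendor's implementation): how a desktop client
# could keep the vault key across restarts so biometrics can unlock without
# the master password, and what an attacker who can only read the profile
# directory recovers in each case (no password, no TPM-bound secret).

KEY_LEN = 32


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a secret; PBKDF2-SHA256 as a stand-in KDF."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, KEY_LEN)


def wrap(vault_key: bytes, kek: bytes) -> bytes:
    """Toy wrap: XOR with a fresh 32-byte KEK (stand-in for AES key wrapping)."""
    return bytes(a ^ b for a, b in zip(vault_key, kek))


unwrap = wrap  # XOR is its own inverse


def store_cleartext(vault_key: bytes) -> dict:
    return {"key": vault_key}


def store_with_local_seed(vault_key: bytes) -> dict:
    # The wrapping secret is written next to the ciphertext it protects.
    seed, salt = secrets.token_bytes(KEY_LEN), secrets.token_bytes(16)
    return {"seed": seed, "salt": salt, "wrapped": wrap(vault_key, derive_kek(seed, salt))}


def store_password_bound(vault_key: bytes, master_password: bytes) -> dict:
    # Only the salt is stored; the KEK exists solely while the password is known.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": wrap(vault_key, derive_kek(master_password, salt))}


def offline_recovery(profile: dict):
    """What is recoverable from the on-disk profile alone."""
    if "key" in profile:
        return profile["key"]
    if "seed" in profile:  # seed sits beside the ciphertext, so the wrap adds nothing
        return unwrap(profile["wrapped"], derive_kek(profile["seed"], profile["salt"]))
    return None  # password-bound: the KEK is never on disk


def unlock_password_bound(profile: dict, master_password: bytes) -> bytes:
    return unwrap(profile["wrapped"], derive_kek(master_password, profile["salt"]))
```

Only the password-bound layout leaves nothing for a disk-only reader to recover, which is the trade-off the "require master password on restart" option makes.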