Windows 11; Windows Hello; Require password (or PIN) on app start; Key encryption

Hey there! I have some questions about a recent update to Windows Hello security on the desktop app.
I noticed that there’s a new option to “Require password (or PIN) on app start”, which wasn’t there before, and that BW suggests that “If you’re using Windows, Bitwarden recommends using the Require password (or PIN) on first login after start in order to maximize security.”

  1. Before this addition, if I turn on Biometrics unlock without turning on the PIN unlock, on app lock or exit, I assume the encryption key to the Bitwarden vault is encrypted by a cryptographic key or function provided by Windows Hello before being written to disk. Isn’t this encryption stronger than if I were to use a simple numeric PIN to lock the vault (and not requiring entering the password on restart)?
  2. Is the encryption key/function provided by Windows Hello actually weaker than a typical recommended master password (12 characters, let’s say approximately 78 bits in entropy, with the default iteration stretching it by another 20 bits, making it a 98-bit key)?

BW’s documentation doesn’t go into this much detail about why, and this doesn’t seem to be an issue on Android (i.e., BW considers the biometrics-encrypted key to be safe without urging the user to re-enter the password on restart). Does anybody know why this is considered a security enhancement? Or are there weaknesses in Windows Hello that don’t exist on Android?
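As an added example (not from the original post, and not Bitwarden's own code), here is a small Python estimator of the numbers the question relies on: the character-class entropy of a master password versus a numeric PIN, plus the bits an attacker pays per guess because of KDF stretching. It assumes every character was drawn uniformly from the classes it uses and a 600,000-iteration PBKDF2 default; both values are assumptions, chosen because they reproduce the roughly 78 + 20 bits quoted above.

```python
import math
import string

# Character classes assumed for a printable-ASCII secret (an assumption, not a
# Bitwarden specification). string.punctuation holds 32 symbols, so a secret
# using all four classes is scored against a 94-character alphabet.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}

# Assumed default PBKDF2 iteration count (roughly 2^19.2, i.e. about 19 bits).
ASSUMED_PBKDF2_ITERATIONS = 600_000


def charset_size(secret: str) -> int:
    """Size of the union of character classes that `secret` actually uses."""
    size = sum(n for chars, n in CLASS_SIZES.values() if any(c in chars for c in secret))
    if size == 0:
        raise ValueError("secret contains no printable ASCII characters")
    return size


def guess_entropy_bits(secret: str) -> float:
    """Upper-bound entropy: length * log2(alphabet), assuming uniform choice."""
    return len(secret) * math.log2(charset_size(secret))


def kdf_stretch_bits(iterations: int) -> float:
    """Extra work per guess imposed by key stretching, expressed in bits."""
    return math.log2(iterations)


def effective_bits(secret: str, iterations: int = ASSUMED_PBKDF2_ITERATIONS) -> float:
    """Guess entropy plus stretching: the total work factor an offline attacker faces."""
    return guess_entropy_bits(secret) + kdf_stretch_bits(iterations)


if __name__ == "__main__":
    # Constructed sample secrets: a 12-character mixed password and a 6-digit PIN.
    for label, secret in (("master password", "aB3!aB3!aB3!"), ("6-digit PIN", "482913")):
        print(f"{label:16s} guess={guess_entropy_bits(secret):5.1f} bits "
              f"stretched={effective_bits(secret):5.1f} bits")
```

The PIN figure shows why a PIN alone is weak only when the attacker can run an offline guess loop; a PIN gated by Windows Hello or a TPM is a different threat model, which is the point the thread goes on to discuss.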


OK. I think I found the answer. There are TPM 2.0 vulnerabilities affecting computers probably being shipped since 2016. Maybe for some, TPM key storage can no longer be trusted. VU#782720 - TCG TPM2.0 implementations vulnerable to memory corruption.

See also this thread:

I am not sure if this answers your question.

This will probably take a while to digest, but now I have a place to start, all without downloading the code yet.

Thank you.