I understand that Windows DPAPI master keys are encrypted (directly or indirectly) with the user's login password - see e.g. Does DPAPI works if a user hasn't a login password?
If I understand that correctly, it means that physical access to the computer isn't enough to get the master key.
If I enable fingerprint login (in Windows 8.1, if it matters), what changes? I can now log in with either my password or my fingerprint. Does Windows then store a duplicate copy of the master key encrypted with my fingerprint data?
The obvious concern is that stealing my fingerprint and my computer is then enough to decrypt the master key.
EDIT: or, even worse, given Is it possible to reliably derive a key from a biometric fingerprint?, is there a completely unencrypted copy?
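To make the objects the question talks about concrete, here is an added PowerShell example (not part of the original post, and not an answer to it) that round-trips a secret through user-scope DPAPI, reads the master-key GUID that the resulting blob records, and lists the master-key files DPAPI keeps for the current user. It assumes Windows with PowerShell 5 or later and the standard per-user master-key location under %APPDATA%\Microsoft\Protect\<SID>; the secret and entropy values are constructed for the demonstration.

```powershell
# Added example, not from the original question. Assumes Windows, PowerShell 5+.
Add-Type -AssemblyName System.Security

function Protect-WithDpapi {
    param([string]$PlainText, [byte[]]$Entropy = $null)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope ties the blob to this user's DPAPI master key, which is in
    # turn protected with a key derived from the user's logon credential.
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-WithDpapi {
    param([byte[]]$Blob, [byte[]]$Entropy = $null)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample secret; the optional entropy is an extra secret the caller
# must present again at Unprotect time (an attacker with the master key alone
# still needs it).
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')
$blob = Protect-WithDpapi -PlainText 'example secret' -Entropy $entropy
"Blob length : $($blob.Length) bytes"
"Round trip  : $(Unprotect-WithDpapi -Blob $blob -Entropy $entropy)"

# A DPAPI blob names the master key that protected it: a 16-byte GUID at offset
# 24, after the 4-byte version, 16-byte provider GUID and 4-byte master-key version.
$blobMasterKey = [Guid]::new([byte[]]$blob[24..39])
"Master key used by blob : $blobMasterKey"

# Per-user master-key store: one GUID-named file per master key, plus a
# 'Preferred' file whose first 16 bytes are the GUID of the key used for new blobs.
$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
$preferredBytes = [System.IO.File]::ReadAllBytes((Join-Path $protectDir 'Preferred'))
$preferredGuid = [Guid]::new([byte[]]$preferredBytes[0..15])
"Preferred master key    : $preferredGuid"
"Blob uses preferred key : $($blobMasterKey -eq $preferredGuid)"

# The files are hidden, so -Force is needed to list them.
Get-ChildItem -Path $protectDir -Force | Select-Object Name, Length, LastWriteTime
```

Each GUID-named file in that directory is an encrypted master key; the blob you create can only be opened once that particular master key has been decrypted, which is why the question of what else (besides the logon password) Windows may use to protect those files matters.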