MFA bypass bug


Post by emily18 » Thu Jul 18, 2019 2:07 pm

I encountered a situation where I can access an account without MFA. I am using Chrome on Linux.

To reproduce:
1. On an account with MFA enabled, have a master password that is out of compliance with your organization's password age policy.
2. Enter your username/password on the LastPass login; this causes a warning telling the user that they should change their master password.
3. Click 'no' to dismiss the warning.

Expected Result:
1. The user should be prompted to enter their second form of authentication before they can access their account.

Actual Result:
1. After dismissing the warning about changing their master password, the user goes directly into their account without needing MFA - perfect for lazy users who don't want to change their passwords or bother with MFA :D
emily18
 
Posts: 1
Joined: Thu Jul 18, 2019 1:53 pm

Re: MFA bypass bug

Post by Bex » Thu Jul 18, 2019 4:03 pm

Hi emily18,

Looks like this falls under the "Why am I not being prompted for Multi-factor Authentication?" FAQ, which can be read here: https://support.logmeininc.com/lastpass ... n-lp010146

Can't override our MFA unofficially that easily since our customers' security is our top priority! :)

-Bex
Bex
Site Admin
 
Posts: 104
Joined: Tue May 07, 2019 3:17 pm

