Understanding the disabled one time password

Posted: Thu Apr 23, 2015 10:13 am
by tkijcl
In Prefs -> Advanced, there is an option for "save a disabled one time password locally for account recovery". I always disable this option for myself as I don't want anything stored locally and offline.

Per the manual, it states:
"Save a disabled One Time Password locally for Account Recovery: By default, LastPass stores a One Time Password to aid you in the Account Recovery process, should you forget your Master Password.

It is important to note that if an attacker is able to obtain your locally stored OTP (and decrypt it while on your pc) and gain access to your email account, they can compromise your data if this option is turned on. We feel this threat is low enough that we recommend the average user not to disable this setting."

I don't want this option enabled for my employees. Compromise of an employee's device will allow for access to email and the OTP. I don't see via Enterprise how to disable that by default. Does that option exist?

Re: Understanding the disabled one time password

Posted: Mon May 04, 2015 12:28 pm
by sameer
Please note that:
1) The OTP is useless without it being activated. To activate it, a hacker would have to gain control over the user's email.
2) The OTP can only be used on the same PC that it was generated on.
3) The OTP can only be used on the same Windows user's profile that it was generated on.

Lastly, disabling the OTP will remove the ability for users to reset their password if they have forgotten it.

If there is a specific attack vector in your organization to be concerned about, you can disable the above functionality by adding the following LastPass Enterprise policy:

Disallow use of account recovery
Prohibit employees utilizing the 'account recovery' process to gain access to their account without the master password. Click the 'enabled' box to enable this policy.
Caution: When this policy is enabled, account recovery will be impossible unless the 'Super Admin - Master Password Reset' policy is also enabled.

Re: Understanding the disabled one time password

Posted: Mon May 04, 2015 4:28 pm
by tylerkeenlastpass890
Thanks, Sameer. That helps with regards to how to disable the functionality.

With regards to your notes, you disregard the fact that I do not have, or never will have, full control over my employees' habits. I only have control over my device. Via the enterprise LP I can force 2-factor authentication, I can force automatic log-off policies, I can force complex passwords, but I cannot enforce my employees to lock their laptops/workstations immediately when they step away. I can only encourage them to. If a nefarious character walks up to an employee's unlocked laptop or workstation and sits down, they have 1) likely gained access to a device that can access the employee's email via Mail app or Outlook, 2) likely have access to the same PC where the OTP was generated [since we are talking about a work device using work-provided enterprise LP], 3) likely have access to the profile the OTP was created on [since we are talking about a work device using work-provided enterprise LP], and 4) now gained access - likely restricted - to our shared company passwords and vault (I hide passwords care of a LP policy for shared accounts, but that doesn't save all vectors of attack).

The OTP functionality makes sense for personal users who control their own device and future, but should not be used as an opt-in for enterprise users. I am providing my employees with LastPass access to gain controlled, shared web access for enterprise use. My company enterprise LP admin has control over resetting their enterprise access password (right?). If they lose their password, then my company admin will reset it. IMO they don't need it locally.

I hope I don't come across as argumentative, but this is an important distinction between personal and enterprise use cases.

Re: Understanding the disabled one time password

Posted: Mon May 04, 2015 11:21 pm
by jpenny84
tylerkeenlastpass890 wrote:
Thanks, Sameer. That helps with regards to how to disable the functionality.

With regards to your notes, you disregard the fact that I do not have, or never will have, full control over my employees' habits. I only have control over my device. Via the enterprise LP I can force 2-factor authentication, I can force automatic log-off policies, I can force complex passwords, but I cannot enforce my employees to lock their laptops/workstations immediately when they step away.

If you run a Windows domain environment, you can create a group policy which forces a workstation to lock down after a certain amount of time.
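The setting jpenny84 is referring to is "Interactive logon: Machine inactivity limit", which in a domain is pushed by Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) and lands on each workstation as the InactivityTimeoutSecs registry value. The PowerShell below is an added example, not something from this thread or from LastPass: it audits that value on a host and, if it is missing, zero (never lock) or above an assumed 15-minute threshold, sets it. It assumes it is run elevated; on domain-joined machines the GPO will overwrite a local value at the next refresh, so the audit part is the useful bit there and the set part is for standalone or test machines.

```powershell
# Added example (not from the forum post): audit and enforce the Windows
# "Interactive logon: Machine inactivity limit" policy, which locks the
# interactive session after N seconds of inactivity.
# Assumes: run elevated; $MaxSeconds (900 = 15 min) is an assumed threshold.

param(
    [int]$MaxSeconds = 900
)

# Registry location backing the security option (same value a GPO writes).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'InactivityTimeoutSecs'

function Get-InactivityLimit {
    # Returns the configured timeout in seconds, or $null if not set.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Test-InactivityLimit {
    param([int]$Limit)
    $current = Get-InactivityLimit
    # Missing or 0 means the session never locks on its own; anything above
    # the threshold is treated as too lax for a shared-vault workstation.
    return ($null -ne $current) -and ($current -gt 0) -and ($current -le $Limit)
}

function Set-InactivityLimit {
    param([int]$Seconds)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -Value $Seconds `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-InactivityLimit
if (Test-InactivityLimit -Limit $MaxSeconds) {
    Write-Output "OK: machine inactivity limit is $current seconds"
} else {
    $shown = if ($null -eq $current) { 'not set' } else { "$current" }
    Write-Output "Non-compliant (current: $shown); setting to $MaxSeconds seconds"
    Set-InactivityLimit -Seconds $MaxSeconds
}
```

Running it without changes (`.\Check-InactivityLock.ps1`, an assumed filename) reports the current state; the lock takes effect for new idle periods once the value is present, and a `gpupdate /force` on a domain member will reassert whatever the GPO says. This addresses the unattended-unlocked-workstation case raised above, but note it does nothing about the LastPass OTP itself: that still needs the "Disallow use of account recovery" policy sameer described.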