Zero Knowledge for Enterprise?

PostPosted: Fri Nov 13, 2015 11:09 pm
by oliver956
I'm wondering if all the enterprise features are possible with a zero-knowledge encryption scheme. For example, enterprise allows you to get a report of the password strength of all employee passwords. But, if LastPass can't decrypt the passwords how can you know that? Similarly, LastPass can set up accounts and shut down accounts for employees on supported services. Isn't there a password or some kind of authentication token that LastPass then knows for these accounts?

I'd be grateful if someone could tell me exactly what the security model is for some of these features.

thanks,
Oliver

Re: Zero Knowledge for Enterprise?

PostPosted: Sat Nov 14, 2015 1:26 am
by jpenny84
LastPass is not the administrator for enterprise accounts. I would encourage you to review the documentation to see how LastPass Enterprise works.

https://enterprise.lastpass.com/

Re: Zero Knowledge for Enterprise?

PostPosted: Mon Nov 23, 2015 2:53 pm
by AyaLP
oliver956 Wrote: I'm wondering if all the enterprise features are possible with a zero-knowledge encryption scheme. For example, enterprise allows you to get a report of the password strength of all employee passwords. But, if LastPass can't decrypt the passwords how can you know that? Similarly, LastPass can set up accounts and shut down accounts for employees on supported services. Isn't there a password or some kind of authentication token that LastPass then knows for these accounts?

I'd be grateful if someone could tell me exactly what the security model is for some of these features.

thanks,
Oliver


The security challenge is run locally - as LastPass does not have user data to run the challenge on our servers. As you said, since we do not have users' encrypted data, this is not possible.
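To illustrate the model described in the reply above (the strength check runs on the client, and only results leave the device), here is an added example that is not LastPass code. It assumes a vault that has already been decrypted locally with the user's master-password-derived key, uses a constructed sample vault, and uses a rough charset-based entropy estimate and a 40-bit "weak" threshold that are assumptions of this example, not LastPass's scoring.

```python
import json
import math
import string
from collections import Counter

# Constructed sample vault, as it would look on the client after local decryption.
# The decryption step itself is outside the scope of this example.
SAMPLE_VAULT = [
    {"site": "mail.example", "username": "alice", "password": "correct horse battery staple"},
    {"site": "crm.example", "username": "alice", "password": "Password1"},
    {"site": "wiki.example", "username": "alice", "password": "Password1"},
    {"site": "forum.example", "username": "alice", "password": "abc123"},
]

WEAK_THRESHOLD_BITS = 40  # assumed cut-off for this example


def estimate_entropy_bits(password: str) -> float:
    """Rough charset-size estimate; it is a heuristic, not a cracking-cost guarantee."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def build_challenge_report(vault):
    """Compute the strength report locally; the result carries scores, never secrets."""
    pw_counts = Counter(e["password"] for e in vault)  # reuse detection needs plaintext, done client-side
    per_site = []
    for e in vault:
        bits = estimate_entropy_bits(e["password"])
        per_site.append({
            "site": e["site"],
            "entropy_bits": round(bits, 1),
            "reused": pw_counts[e["password"]] > 1,
            "weak": bits < WEAK_THRESHOLD_BITS,
        })
    return {
        "entries": len(vault),
        "weak_count": sum(1 for p in per_site if p["weak"]),
        "reused_count": sum(1 for p in per_site if p["reused"]),
        "per_site": per_site,
    }


def report_leaks_secrets(report, vault) -> bool:
    """Pre-upload check: the serialized report must not contain any vault password."""
    blob = json.dumps(report)
    return any(e["password"] in blob for e in vault)
```

Only the output of `build_challenge_report` would be sent to a server; `report_leaks_secrets` is the guard that confirms no plaintext rides along with it.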