If we use GAuthenticator, isn't Lastpass not really last?

Postby Gaius » Wed Jan 18, 2012 1:26 am

If you store all your email passwords on Lastpass according to the motto "the last password you'll need to remember" and use Google Authenticator for 2-factor authentication, I don't think it's really the last pass you need to remember.

Say you lost your phone. In that case, you need to disable Google Authenticator since the phone you registered with your Lastpass account is gone forever. In that case, Lastpass sends an email verification to your "security email" to disable Google Authenticator, which means you in fact have to remember 2 passwords, your Lastpass and your security email's password.

Am I missing something here? Does use of a 1-time password that you can print out beforehand and keep in a safe place bypass having to use Google Authenticator, thus keeping Lastpass truly last? If so, that would be great.
Gaius
 
Posts: 6
Joined: Wed Jan 18, 2012 12:33 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Lars » Wed Jan 18, 2012 1:41 am

Well, Google Authenticator was implemented into LastPass just recently, so in that sense you're correct. You are however still able to use LastPass and only have to remember one password.
Lars
 
Posts: 2580
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Gaius » Wed Jan 18, 2012 2:18 am

Lars Wrote: Well, Google Authenticator was implemented into LastPass just recently, so in that sense you're correct. You are however still able to use LastPass and only have to remember one password.

Absolutely, but I think in order to keep users in the know and to keep them from having to make a separate email account, it would be advisable to force users to create at least 1 OTP after enabling Google Authenticator and have that OTP be all they need to get back into their account (bypassing Google Authenticator without using a security email verification) so they can truly not need to remember more than one password ever even if they lose their phone.

Know what I mean? I'd rather use the OTP I was forced to create when enabling Google Authenticator rather than create an additional email account not protected by Lastpass that I also have to remember.
Gaius
 
Posts: 6
Joined: Wed Jan 18, 2012 12:33 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Lars » Wed Jan 18, 2012 2:40 am

The security-email serves other functions than Google Authenticator disabling.
Lars
 
Posts: 2580
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Gaius » Wed Jan 18, 2012 2:58 am

Lars Wrote: The security-email serves other functions than Google Authenticator disabling.

I'm not saying it should be taken away for those that would prefer it. I'm saying OTP could be used as another way to get around using Google Authenticator if you lost your phone.
Gaius
 
Posts: 6
Joined: Wed Jan 18, 2012 12:33 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby sudadeze » Sat Jan 28, 2012 8:08 am

You can use a "security email" provider with OTP support to get the same results :)
sudadeze
 
Posts: 2
Joined: Sat Jan 28, 2012 7:40 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Gaius » Sat Jan 28, 2012 9:02 am

sudadeze Wrote: well, you can use a "security email" provider with OTP support to get the same results :)

But don't you have to remember the password of that security email account separately rather than have it remembered by Lastpass?

I'm just trying to find out why I have to remember 2 passwords if I'm using Lastpass and I lost my phone.
Gaius
 
Posts: 6
Joined: Wed Jan 18, 2012 12:33 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby sudadeze » Sat Jan 28, 2012 9:33 am

By default you only need to remember your MP and that's it!
Only if you choose to enable multifactor auth does it start to become tricky. YOU CAN'T use the same OTPs to bypass multifactor & to access your vault. That makes multifactor useless. What you are suggesting are separate OTP systems for the vault and for resetting multifactor.
sudadeze
 
Posts: 2
Joined: Sat Jan 28, 2012 7:40 am

Re: If we use GAuthenticator, isn't Lastpass not really last

Postby Gaius » Sat Jan 28, 2012 10:59 am

sudadeze Wrote: By default you only need to remember your MP and that's it!
Only if you choose to enable multifactor auth does it start to become tricky. YOU CAN'T use the same OTPs to bypass multifactor & to access your vault. That makes multifactor useless. What you are suggesting are separate OTP systems for the vault and for resetting multifactor.

Yes! That would be a great feature. We'd have 2 kinds of OTPs. We'd call the multifactor ones MOTPs.

This way, if we lose our phone, we'd just reach into our safe or wherever we keep OTPs and use an MOTP in place of the Google Auth code and then reset Google Auth for our replacement device.
Gaius
 
Posts: 6
Joined: Wed Jan 18, 2012 12:33 am
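
The separate-code design discussed in the last two posts, as an added sketch that is not LastPass code and not part of any post: printed, single-use "MOTP" codes stand in for the Google Authenticator code only, while the master password is still required. The `Account` class and its method names are hypothetical; `totp` follows RFC 6238.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: master password plus a second factor."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.motp_hashes = set()  # only hashes of unused MOTPs are kept

    def issue_motps(self, count: int = 5) -> list:
        """Create printable MOTPs; the plaintext is shown once, at enrolment."""
        codes = [secrets.token_hex(8) for _ in range(count)]  # 64 random bits each
        self.motp_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def second_factor(self, code: str, now: int):
        """Return 'totp', 'motp' or None. A matching MOTP is consumed."""
        for t in (max(now - 30, 0), now, now + 30):  # one step of clock skew
            if hmac.compare_digest(code.encode(), totp(self.totp_secret, t).encode()):
                return "totp"
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.motp_hashes:
            self.motp_hashes.discard(digest)  # single use: a replay fails
            return "motp"
        return None

    def login(self, master_password_ok: bool, code: str, now: int) -> str:
        """An MOTP replaces only the authenticator code, never the master password."""
        if not master_password_ok:
            return "denied"
        factor = self.second_factor(code, now)
        if factor is None:
            return "denied"
        # After an MOTP login the lost phone's TOTP secret should be replaced.
        return "ok" if factor == "totp" else "ok-reenroll-authenticator"
```
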

