Multifactor authentication: need selector/priority list

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, JoeSiegrist, robyn

Multifactor authentication: need selector/priority list

Postby tvierling » Wed Dec 28, 2016 10:07 pm

If more than one multifactor authentication mechanism is enabled, it's not clear to me which one is going to be asked of the user. It's possible that one form of multifactor may be available in one place (e.g., a Yubikey) and another must be used elsewhere (such as OATH, Grid, or Duo).

Where multiple methods are available, there should be a selector at login time to choose which method to use. As an extension to this, it would be nice if a preferred method could be selected (or have them sorted by priority, since some methods can be excluded for some platforms, such as Yubikey on mobile).
tvierling
 
Posts: 4
Joined: Fri May 20, 2011 9:38 am

Select from Available Multi-Factor Options

Postby ridespecialized » Thu Mar 16, 2017 8:22 pm

I have my MFA setup with both Yubikey and Google Authenticator (with GRID as a paper backup). My thought there is that if my Yubikey is lost, I will probably still have my phone. If my Yubikey and phone are lost, something very bad has happened.

But, my concern here is that to disable Yubikey and get to the Google Authenticator option, I need access to my email box. I guess I understand this, but I'm not trying to disable 2FA totally, just get to the next (equally valid) option.

Can we get an option to simply select from "any available" 2FA options that are enabled for the account? I suppose you could argue that this gives a broader attack surface, but since it would be valid for me to only have Google Authenticator (or SMS, for that matter) as my 2FA options, allowing me to say "any of the above" should be fine (especially if that's a user-configurable feature).

Edit: the crux of the problem here is that if I lose access to my Yubikey I must *know* my email password to bypass the 2FA. But, I don't know my email password from memory because it is high entropy and stored in Lastpass.

tl;dr enable an option to use "any available" Multifactor Authentication. Available = An option you have configured for your account.
ridespecialized
 
Posts: 4
Joined: Thu Mar 16, 2017 8:13 pm

Can I use Yubikey on desktop and some other 2FA on mobiile?

Postby v75boof165 » Sun Mar 26, 2017 3:45 am

My Android phone doesn't have NFC.
v75boof165
 
Posts: 1
Joined: Sun Mar 26, 2017 3:36 am

Re: Can I use Yubikey on desktop and some other 2FA on mobii

Postby Gisela » Mon Mar 27, 2017 5:09 am

Please check this FAQ to know more on how 2 types of 2FA would work hand in hand: https://lastpass.com/support.php?cmd=showfaq&id=5686.
Gisela
 
Posts: 69
Joined: Wed Jun 08, 2016 3:16 am

Re: Select from Available Multi-Factor Options

Postby tflo » Tue Mar 28, 2017 6:50 am

+1

This would be really helpful.
tflo
 
Posts: 37
Joined: Thu Mar 17, 2016 10:46 pm

requiring 2 FA for new tablets

Postby klou941 » Fri Apr 14, 2017 9:26 am

Hello,

When 2FA is on (yubikey), it is a requirement when the user logins from PC. However when a new tablet is registered, an email is sent and then the new device can login. Yubikeys cannot work on most mobile devices (mobile phones, tablets) however is there a way to put in place an extra authentication factor for new mobile devices?
klou941
 
Posts: 1
Joined: Sat Mar 04, 2017 5:35 pm

Re: Select from Available Multi-Factor Options

Postby ihatepickingusernames » Sun Apr 30, 2017 2:45 pm

+1

I don't want recovering from a loss of my yubikey to require access to my email (I keep my email password in lastpass!). I'd prefer to be able to choose another of my enabled two factor methods.
ihatepickingusernames
 
Posts: 1
Joined: Sun Apr 30, 2017 2:32 pm

Re: Multifactor authentication: need selector/priority list

Postby Peter » Wed May 03, 2017 6:25 am

AGREED.

The activation procedure refers to a "primary" and "default" authentication method. This would/should imply a user choice to resort to secondary or non-default options at login. In my experience there is no "primary" or "default" but simply a single upfront choice of authentication method that then applies across appliances - with the obvious but unwanted exception of devices marked as trusted. This would seem undesirable and inconsistent with the terminology used and therefore presumably unintended.

The rather annoying consequence is that I can't use the Yubikey on my PC because selecting that option forces other devices to this same authentication method. Changing the "default" to the Lastpass authenticator app disables Yubikey login on the PC.

This really needs a fix.
Peter
 
Posts: 1
Joined: Mon Jan 25, 2010 4:40 pm

Re: Multifactor authentication: need selector/priority list

Postby AnonBlotto » Fri May 05, 2017 4:04 pm

Had no problems with Yubikey on other apps and websites.
It's a shame LP did not take user security seriously but I recall suggesting Yubikey to LP nearly 10 years ago...
Basically I would trust Yubikey over LogMeIn whoops I meant Lastpass.
AnonBlotto
 
Posts: 11
Joined: Mon Oct 24, 2011 8:37 am

Re: Select from Available Multi-Factor Options

Postby whoeversaidthis » Fri May 05, 2017 4:51 pm

+1
I too find the email recovery option insecure and would prefer alternate mfa devices
whoeversaidthis
 
Posts: 4
Joined: Fri May 05, 2017 4:49 pm

Next

Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 9 guests