LastPass 2FA Needs more prompts

Postby imthatoneguy » Tue Jun 25, 2019 9:55 pm

There are two areas of LastPass that pose huge security risks and need to be corrected.

1) "Require master Password" under advanced should prompt for 2FA as well. You can't store secure notes inside of LastPass for recovery passwords since that would mean there is a vector for an attacker to acquire your LastPass Master Password and login remotely using a 'secure machine' or a machine left unattended but logged in. Get a bad thumb drive, or have an elderly person get a fake tech support call, and as soon as they have remote access they can access everything in your vault for 30 days; otherwise you have to enter your 2FA every time you open your vault, which would be irritating.

2) Lastpass.com/otp.php does not require 2FA! Let me get this straight, I can generate a recovery password for logging in if I lose my 2FA but in order to generate that password... I don't need to use 2FA. You might as well not even have 2FA.
imthatoneguy
 
Posts: 3
Joined: Thu Jun 09, 2016 12:58 pm

Re: LastPass 2FA Needs more prompts

Postby JerryLove » Sun Jun 30, 2019 6:41 pm

Agreed. There are a few tremendous holes in LP's TFA [big enough that I will change products should someone else do this correctly]

1) You can only choose a single active TFA. I desperately want to be able to use either my YubiKey or an Authenticator (as not all things I work on will take one of my keys)
2) Some TFAs (specifically LastPass Authenticator, which seems to be the only one that allows a fallback TFA) *force* you into a bad fallback TFA (SMS). I cannot even turn off SMS, much less replace it with a better system.
3) Recovery is email based. While this might be an OK default: for the security oriented this is a huge problem. Email is exactly the thing I'm most worried will be compromised (perhaps through social methods) and the fact that it's an immediate way to get my entire password vault is unacceptable.

I'm a premium member. That lasts right up until the day when someone addresses the above and you haven't.
JerryLove
 
Posts: 3
Joined: Sun Jun 30, 2019 6:14 pm

Re: LastPass 2FA Needs more prompts

Postby jpenny84 » Sun Jun 30, 2019 11:18 pm

You can already enable both methods, and Google Authenticator will be a fallback on devices that don't accept YubiKey. If email verification is a concern, set up a dedicated security email address and keep the information completely separate from LastPass.
jpenny84
 
Posts: 8851
Joined: Tue Mar 06, 2012 9:10 pm

Re: LastPass 2FA Needs more prompts

Postby JerryLove » Thu Jul 04, 2019 6:03 pm

jpenny84 Wrote: You can already enable both methods, and Google Authenticator will be a fallback on devices that don't accept YubiKey.

I will try that again as that's not what I recall happening. Also: I'd really prefer LPA with push-support (but without its own SMS fallback)

jpenny84 Wrote: If email verification is a concern, set up a dedicated security email address and keep the information completely separate from LastPass.

If I have to store a password outside of LastPass that I can never lose: why wouldn't it just be the LastPass password?

What is the scenario where I'm immune to losing this special email password but not immune to losing the LastPass master password (which, if I don't lose, I will never need recovery for)?

Further: Please let me know which email client can be 100% guaranteed immune to any form of compromise... because otherwise all we are doing is moving from one way to compromise LastPass (a compromise affecting LastPass itself) to two (either LastPass or email).
JerryLove
 
Posts: 3
Joined: Sun Jun 30, 2019 6:14 pm

Re: LastPass 2FA Needs more prompts

Postby jamieg » Tue Aug 13, 2019 2:56 am

+1 for removing the mandatory SMS backup when using LastPass Authenticator. I just set up LPA the other day and was shocked and annoyed at this step backwards.
jamieg
 
Posts: 3
Joined: Tue Aug 13, 2019 2:41 am

Re: LastPass 2FA Needs more prompts

Postby Hefe » Mon Aug 26, 2019 1:11 pm

jamieg Wrote: +1 for removing the mandatory SMS backup when using LastPass Authenticator. I just set up LPA the other day and was shocked and annoyed at this step backwards.

Yes this!!!

What's the point of the Authenticator if the code can be stolen via SMS?
Hefe
 
Posts: 7
Joined: Thu Jul 22, 2010 10:49 am

Re: LastPass 2FA Needs more prompts

Postby sailcat44 » Fri Sep 27, 2019 1:23 am

JerryLove Wrote: Agreed. There are a few tremendous holes in LP's TFA [big enough that I will change products should someone else do this correctly]

1) You can only choose a single active TFA. I desperately want to be able to use either my YubiKey or an Authenticator (as not all things I work on will take one of my keys)
2) Some TFAs (specifically LastPass Authenticator, which seems to be the only one that allows a fallback TFA) *force* you into a bad fallback TFA (SMS). I cannot even turn off SMS, much less replace it with a better system.
3) Recovery is email based. While this might be an OK default: for the security oriented this is a huge problem. Email is exactly the thing I'm most worried will be compromised (perhaps through social methods) and the fact that it's an immediate way to get my entire password vault is unacceptable.

I'm a premium member. That lasts right up until the day when someone addresses the above and you haven't.

1) Entirely agree. If I've set up multiple MFA options, let me pick which one to use. The "automatic fallback on devices that don't support yubikey" is insufficient. Consider the scenario: Google Authenticator on phone and Grid printout in safe location (e.g. a physical safe). Phone is lost or broken, but I'd still be able to get into the account using Grid. This scenario is already supported by various other MFA implementations from Google, Microsoft, login.gov.

2) Haven't used LastPass Authenticator, can't speak to it.

3) Agreed. Using the signup email as an immediate recovery is OK as a default, let premium (paying) members turn off email recovery if there are at least two MFA options chosen.
sailcat44
 
Posts: 2
Joined: Fri Sep 27, 2019 12:23 am
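The step-up policy the thread asks for (2FA on sensitive actions even on a trusted device, any enrolled factor usable, SMS never a forced fallback, email recovery switchable off once two strong factors exist), modelled as an added example; this is not LastPass code, and the factor names, operation names and `Account` fields are assumptions made for illustration.

```python
from dataclasses import dataclass

# Factor classes (assumed for this model). SMS is weakest because codes can be
# intercepted or SIM-swapped, which is why the thread objects to it as a forced fallback.
STRONG = {"yubikey", "authenticator", "grid"}
WEAK = {"sms"}

# Operations that must always re-prompt for 2FA, even on a device trusted for 30 days:
# the "Require master password" items and recovery-OTP generation (otp.php).
SENSITIVE = {"reveal_protected_item", "generate_recovery_otp", "change_2fa"}


@dataclass
class Account:
    factors: set                 # every enrolled factor; the user may pick any of them
    sms_fallback: bool = True    # mandatory today; modelled as user-disableable
    email_recovery: bool = True


def usable_factors(acct):
    """Every factor the user may present; SMS only while the fallback is enabled."""
    usable = {f for f in acct.factors if f in STRONG}
    if acct.sms_fallback and "sms" in acct.factors:
        usable.add("sms")
    return usable


def authorize(acct, op, master_password_ok, factor_used, device_trusted=False):
    """Decide whether an operation proceeds. Returns (allowed, reason)."""
    if not master_password_ok:
        return False, "master password required"
    if op not in SENSITIVE:
        # Ordinary vault access: a trusted device skips 2FA, anything else needs any enrolled factor.
        if device_trusted or (factor_used in usable_factors(acct)):
            return True, "ok"
        return False, "2FA required on untrusted device"
    # Sensitive operation: device trust does not help, and a weak factor is not enough.
    if factor_used is None:
        return False, "2FA required for sensitive operation"
    if factor_used not in usable_factors(acct):
        return False, "factor not enrolled or disabled"
    if factor_used in WEAK:
        return False, "weak factor cannot authorize sensitive operation"
    return True, "ok"


def can_disable_email_recovery(acct):
    """sailcat44's proposal: email recovery may be turned off only with two strong factors,
    so losing one device (phone) still leaves a way in (e.g. the grid printout)."""
    return len(acct.factors & STRONG) >= 2
```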
