LastPass Forums

[imthatoneguy]

There are two areas of LastPass that pose huge security risks and need to be corrected.

1) "Require master Password" under advanced should prompt for 2FA as well. You can't store secure notes inside of LastPass for recovery passwords since that would mean there is a vector for an attacker to acquire your LastPass Master Password and login remotely using a 'secure machine' or a machine left unattended but logged in. Get a bad thumb drive, or have an elderly person getting a fake tech support call and as soon as they have remote access they can access everything in your vault for 30 days, or you have to enter your 2FA every time you open your vault, which would be irritating.

2) Lastpass.com/otp.php does not require 2FA! Let me get this straight, I can generate a recovery password for logging in if I lose my 2FA but in order to generate that password... I don't need to use 2FA. You might as well not even have 2FA.

[JerryLove]

Agreed. There are are a few tremendous holes in LP's TFA [big enough that I will change products should someone else do this correctly]

1) You can only chose a single active TFA. I desperately want to be able to use either my YubiKey or an Authenticator (as not all things I work on will take one of my keys)
2) Some TFAs (specifically LastPass Authenticaor, which seems to be the only one that allows a fallback TFA) *force* you into a bad fallback TFA (SMS). I cannot even turn off SMS, much less replace it with a better system.
3) Recovery is email based. While this might be an OK default: for the security oriented this is a huge problem. Email is exactly the thing I'm most worried will be compromised (perhaps through social methods) and the fact that it's an immediate way to get my entire password vault is unacceptable.

I'm a premium member. That lasts right up until the day when someone addresses the above and you haven't.

[jpenny84]

You can already enable both methods, and Google Authenticator will be a fallback on devices that don't accept YubiKey. If email verification is a concern, set up a dedicated security email address and keep the information completely separate from LastPass.

[JerryLove]

You can already enable both methods, and Google Authenticator will be a fallback on devices that don't accept YubiKey.

I will try that again as that's not what I recall happening. Also: I'd really prefer LPA with push-support (but without it's own SMS fallback)

If email verification is a concern, set up a dedicated security email address and keep the information completely separate from LastPass.

If I have to store a password outside of LastPass that I can never loose: why wouldn't it just be the LastPass password.

What is the scenario where I'm immune to losing this special email password but not immune to losing the LastPass master password (which, if I don't lose, I will never need recovery for).

Further: Please let me know which email client can be 100% guaranteed immune to any form of compromise... because otherwise all we are doing is moving from one way to compromise LastPass (a compromise affecting LastPass itself) to two (either LastPass or email).

[jamieg]

+1 for removing the mandatory SMS backup when using LastPass Authenticator. I just setup LPA the the day and was shocked and annoyed at this step backwards.

[Hefe]

+1 for removing the mandatory SMS backup when using LastPass Authenticator. I just setup LPA the the day and was shocked and annoyed at this step backwards.

Yes this!!!

What's the point of the Authenticator if the code can be stolen via SMS?

[sailcat44]

Agreed. There are are a few tremendous holes in LP's TFA [big enough that I will change products should someone else do this correctly]

1) You can only chose a single active TFA. I desperately want to be able to use either my YubiKey or an Authenticator (as not all things I work on will take one of my keys)
2) Some TFAs (specifically LastPass Authenticaor, which seems to be the only one that allows a fallback TFA) *force* you into a bad fallback TFA (SMS). I cannot even turn off SMS, much less replace it with a better system.
3) Recovery is email based. While this might be an OK default: for the security oriented this is a huge problem. Email is exactly the thing I'm most worried will be compromised (perhaps through social methods) and the fact that it's an immediate way to get my entire password vault is unacceptable.

I'm a premium member. That lasts right up until the day when someone addresses the above and you haven't.

1) entirely agree. If I've set up multiple MFA options, let me pick which one to use. The "automatic fallback on devices that don't support yubikey" is insufficient. Consider the scenario: Google Authenticator on phone and Grid printout in safe location (e.g. a physical safe). Phone is lost or broken, but I'd still able to get into the account using Grid. This scenario is already supported by various other MFA implementations from Google, Microsoft, login.gov.

2) haven't used lastpass authenticator, can't speak to it.

3) Agreed. Using the signup email as an immediate recovery is OK as a default, let premium (paying) members turn off email recovery if there are at least two MFA options chosen.