You can disable YubiKey?? - You gotta be kidding


Re: You can disable YubiKey?? - You gotta be kidding

Postby XIII » Sat Mar 16, 2013 8:44 am

jpenny84 Wrote:Not to mention the costs to support an SMS system considering LastPass is primarily a free service.

Is it?

I happily pay $1/month to keep this service running!

(check this: Consumers pay the hidden costs for the 'free' app ecosystem - The Verge)
XIII
 
Posts: 388
Joined: Fri Oct 16, 2009 6:18 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Sat Mar 16, 2013 5:03 pm

The recommended approach is to use a separate email address for your "security email" - ideally, one you don't use for other purposes and whose password you remember (or write down somewhere secure). In a perfect world, you'll never need to use it.

SMS as an option would be nice, but it requires some infrastructure that is costly.

I have a Yubikey but stopped using it because I also use mobile devices that don't support it. I use Google Authenticator instead, and it would probably satisfy your needs.
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby XIII » Sun Mar 17, 2013 5:47 am

jonat Wrote:I have a Yubikey but stopped using it because I also use mobile devices that don't support it. I use Google Authenticator instead, and it would probably satisfy your needs.

What mobile devices? And how is Google Authenticator supported on them?

(I currently use a Yubikey, but have to set my iPad and iPhone as trusted devices, as iOS does not support the Yubikey)
XIII
 
Posts: 388
Joined: Fri Oct 16, 2009 6:18 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Sun Mar 17, 2013 11:30 am

I use an iPad and iPhone. I have the Google Authenticator app on my iPhone. Once installed, I went to the GA tab in LP Account Settings, scanned the QR code, and the app sets itself up for LP. (I also use GA for Google and for Dropbox.)

Now when LastPass wants the second factor, it prompts me for the GA 6-digit code which is available only on my phone. I can do this both when using a web browser or the LP app on my phone. (I have Premium service, but so would you to use Yubikey.)
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby XIII » Sun Mar 17, 2013 11:34 am

Ah, so the iOS Apps do request the 6 digit GA code as well? (not only the browser?)

That would add a little extra security to the iPad (less on the iPhone since the GA App is running there), so I might consider switching as well.
XIII
 
Posts: 388
Joined: Fri Oct 16, 2009 6:18 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Sun Mar 17, 2013 1:10 pm

The LastPass iOS app requests the code, yes. You can choose whether or not to trust that device so as to not require the code in the future.
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby pauls840 » Mon Jun 24, 2013 4:18 pm

What is the purpose of 2 factor on the LP app if the authenticating device is the same one running the LP app?
pauls840
 
Posts: 1
Joined: Mon Jun 24, 2013 3:04 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Wed Jun 26, 2013 5:29 am

It prevents someone else from logging in to LP using your credentials but without your phone. For your phone, you should make it trusted.
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby cbowers » Wed Jun 26, 2013 7:03 pm

adrianh77 Wrote:Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth.


and... let's suppose your email account has multi-factor enabled on it (aka gmail)?

Sniffed credentials are of limited use when:
  • they can't log into your email due to multi-factor.
  • they can't log into LastPass from countries you don't reside in or Tor networks (optional LP security settings)

So it's not enough to have credentials to the LP account, and the email account then. One must have functional access to one of the trusted devices already authenticating to the email account.
You rule out the email account as multi-factor, but having functional access to a trusted device accessing the email account (something you have) is a physical factor.
Though I grant its weakness is that it can be remotely viewed/accessed, unlike a YubiKey or Google Authenticator.

I could have sworn that way back, you were able to disable the email bypass.
I presume with mentions of issues with Yubico server availability and token loss, that support costs pushed its removal.

I would be happier if I could substitute a fallback multi-factor method rather than email (say Google Authenticator, if Yubikey was offline). Or just turn off the email fallback.
I'm comfortable with
  • a trusted PC in two locations
  • trusted mobile device
  • plus 3 yubikeys on my account (a primary, my wife's yubikey, and a backup yubikey)
cbowers
 
Posts: 23
Joined: Thu Jun 23, 2011 6:50 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Sat Jul 06, 2013 8:36 pm

As it happened, one of my trusted computers inexplicably became untrusted when I didn't have my Yubikey with me. I went through the disable process - it sent an email to my security email account, and through that I could disable Yubikey. But Google Authenticator was still active (and I had that) so I could then log in.
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm
