Page 2 of 4

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sat Mar 16, 2013 8:44 am
by XIII
jpenny84 Wrote: Not to mention the costs to support an SMS system considering LastPass is primarily a free service.

Is it?

I happily pay $1/month to keep this service running!

(check this: Consumers pay the hidden costs for the 'free' app ecosystem - The Verge)

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sat Mar 16, 2013 5:03 pm
by jonat
The recommended approach is to use a separate email address for your "security email" - ideally, one you don't use for other purposes and whose password you remember (or write down somewhere secure). In a perfect world, you'll never need to use it.

SMS as an option would be nice, but it requires some infrastructure that is costly.

I have a Yubikey but stopped using it because I also use mobile devices that don't support it. I use Google Authenticator instead, and it would probably satisfy your needs.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sun Mar 17, 2013 5:47 am
by XIII
jonat Wrote: I have a Yubikey but stopped using it because I also use mobile devices that don't support it. I use Google Authenticator instead, and it would probably satisfy your needs.

What mobile devices? And how is Google Authenticator supported on them?

(I currently use a Yubikey, but have to set my iPad and iPhone as trusted devices, as iOS does not support the Yubikey)

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sun Mar 17, 2013 11:30 am
by jonat
I use an iPad and iPhone. I have the Google Authenticator app on my iPhone. Once installed, I went to the GA tab in LP Account Settings, scanned the QR code, and the app sets itself up for LP. (I also use GA for Google and for Dropbox.)

Now when LastPass wants the second factor, it prompts me for the GA 6-digit code which is available only on my phone. I can do this both when using a web browser or the LP app on my phone. (I have Premium service, but so would you to use Yubikey.)

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sun Mar 17, 2013 11:34 am
by XIII
Ah, so the iOS apps do request the 6-digit GA code as well (not only the browser)?

That would add a little extra security to the iPad (less on the iPhone since the GA App is running there), so I might consider switching as well.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sun Mar 17, 2013 1:10 pm
by jonat
The LastPass iOS app requests the code, yes. You can choose whether or not to trust that device so as to not require the code in the future.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Mon Jun 24, 2013 4:18 pm
by pauls840
What is the purpose of 2 factor on the LP app if the authenticating device is the same one running the LP app?

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Jun 26, 2013 5:29 am
by jonat
It prevents someone else from logging in to LP using your credentials but without your phone. For your phone, you should make it trusted.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Jun 26, 2013 7:03 pm
by cbowers
adrianh77 Wrote: Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth.

and... let's suppose your email account has multi-factor enabled on it (aka gmail)?

Sniffed credentials are of limited use when:
  • they can't log into your email due to multi-factor.
  • they can't log into LastPass from countries you don't reside in or Tor networks (optional LP security settings)

So it's not enough to have credentials to the LP account and the email account, then. One must have functional access to one of the trusted devices already authenticating to the email account.
You rule out the email account as multi-factor, but having functional access to a trusted device accessing the email account (something you have) is a physical factor.
Though I grant its weakness is that it can be remotely viewed/accessed, unlike a YubiKey or Google Authenticator.

I could have sworn that way back, you were able to disable the email bypass.
I presume with mentions of issues with Yubico server availability and token loss, that support costs pushed its removal.

I would be happier if I could substitute a fallback multi-factor method rather than email (say Google Authenticator, if Yubikey was offline). Or just turn off the email fallback.
I'm comfortable with
  • a trusted PC in two locations
  • trusted mobile device
  • plus 3 yubikeys on my account (a primary, my wife's yubikey, and a backup yubikey)

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sat Jul 06, 2013 8:36 pm
by jonat
As it happened, one of my trusted computers inexplicably became untrusted when I didn't have my Yubikey with me. I went through the disable process - it sent an email to my security email account, and through that I could disable Yubikey. But Google Authenticator was still active (and I had that) so I could then log in.