You can disable YubiKey?? - You gotta be kidding


Re: You can disable YubiKey?? - You gotta be kidding

Postby rlarian » Sun Jul 07, 2013 11:48 am

I agree that you should need a YubiKey password to disable YubiKey. You can have 5 YubiKeys associated with your account, so lose one and just use one of your others to disable. You can also create a printed copy of OTPs to use in just such an event.

No reason not to require YubiKey to disable it as a default - and the ability to disable this function if you don't want to use this secure feature - but on by default.
rlarian
 
Posts: 3
Joined: Wed Aug 10, 2011 12:48 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jarlpforum » Wed Aug 14, 2013 12:57 pm

pauls840 wrote: What is the purpose of 2 factor on the LP app if the authenticating device is the same one running the LP app?

I'm also curious about this setup, having LP and the two-factor on the same device. If you don't have a good locking password on the device and you lose it, you've essentially lost half your two-factor security by giving away your LP and authenticator. What's more, it's the stronger half, the part that changes every 60 seconds. All that's needed to complete the picture is figuring out your static LastPass password. Hopefully, that's something different from your device locking password.
jarlpforum
 
Posts: 2
Joined: Wed Aug 14, 2013 12:46 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Wed Aug 14, 2013 2:04 pm

You may as well tell LP to trust the device you have Authenticator on. But someone would need both your password AND your device to log in to LP on some other device, hence the added security. Without 2FA, only your password is needed and you'd not be the wiser.
jonat
 
Posts: 2209
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jarlpforum » Wed Aug 14, 2013 2:37 pm

jonat wrote: You may as well tell LP to trust the device you have Authenticator on. But someone would need both your password AND your device to log in to LP on some other device, hence the added security. Without 2FA, only your password is needed and you'd not be the wiser.

But isn't the Settings->Mobile Devices->Restrict check box independent of 2FA? It seems I could lock out any mobile device not on my list of approved devices, even without 2FA in effect.

On the other hand, for "Trusted Computers", it does seem that 2FA is the only way to add more security than just password login. What's to stop someone hopping on any old computer to try to log into my LastPass account if they get my password?

I'd love to have 2FA on my iOS, but it just seems a little less secure having both the authenticator and LP on the same device than if the authenticator were a different device. It feels like taping one key to a safety deposit box that takes two keys.
jarlpforum
 
Posts: 2
Joined: Wed Aug 14, 2013 12:46 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Wed Aug 14, 2013 3:45 pm

You could use the Restrict checkbox, but that is not absolutely secure. As you say, 2FA is the way to add more security than a password. For my devices, I have my iOS devices trusted as I'm less concerned about someone stealing the device AND knowing my password. As I said, having authenticator on the same device renders 2FA pointless on that device. But it does block someone who learns your password from logging in on their own computer/device.
jonat
 
Posts: 2209
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby federico444 » Sat Nov 29, 2014 2:10 pm

I also think that the email rescue method is quite insecure. The recovery method is to have multiple YubiKeys or multiple 2FA. For example, if I disable YubiKey I shouldn't be allowed to also disable grid.
federico444
 
Posts: 3
Joined: Sun Feb 09, 2014 4:39 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby JohnS » Mon Aug 31, 2015 11:33 pm

> I also think that the email rescue method is quite insecure.

And there seems to be no easy way to disable it. It's either going to send to your regular email address or to the special one (if you have one set up). The suggestion to set up a "dummy" special email address requires some work, since it won't accept it unless it is verified. So it seems that you actually have to set up a real, working special email address. Then once verified you can just forget the password.

Let's face it, there is no bulletproof method to get around a missing YubiKey. If there were, it would be a backdoor - and who wants those? But I've seen plenty of places use what I think are reasonable compromises. An SMS text message to a pre-validated number is pretty good, unless they steal your phone at the same time. But you could use a friend's phone number (and he could use yours).
JohnS
 
Posts: 6
Joined: Mon Aug 31, 2015 7:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby JohnS » Mon Aug 31, 2015 11:42 pm

Or... Don't use the YubiKey in the Yubico OTP mode. Use it in OATH-TOTP mode. This way all you need to clone it (now or later) is the seed code. So when you set it up, write down the seed code and save it in a safe place (bank vault, friend's, etc.). Then if you lose your only key all you need to do is get another (use the Google app till it arrives) with the same seed. It's still better to have the seed in a hardware key than in an app in the long run.

I'm new to LastPass, but I understand that there might also be a problem with multiple YubiKeys and offline storage. Only one key works? If so, OATH-TOTP would solve this problem, too.
JohnS
 
Posts: 6
Joined: Mon Aug 31, 2015 7:42 pm
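The recovery idea in the post above rests on one property of OATH-TOTP: the code is a pure function of the shared seed and the current time, so any device holding the same seed (the original key, a replacement key, or an authenticator app used in the meantime) produces the same codes. The example below is added here to show that; it is not LastPass or Yubico code. The seed and timestamps are the public RFC 4226/6238 test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import struct

# Public RFC 6238 test seed ("12345678901234567890" in base32). Constructed
# demo value only; a real enrolment shows you a seed like this once, and
# that seed is the whole secret to back up offline.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # TOTP time step used by LastPass-style authenticators


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_unix: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    secret = base64.b32decode(padded)
    return hotp(secret, at_unix // STEP_SECONDS, digits)


def verify(seed_b32: str, code: str, at_unix: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.

    compare_digest avoids leaking which digits matched through timing.
    """
    for k in range(-window, window + 1):
        candidate = totp(seed_b32, at_unix + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = 1111111109  # fixed RFC timestamp so the run is reproducible
    original_key = totp(DEMO_SEED_B32, now)      # the YubiKey in OATH-TOTP mode
    replacement = totp(DEMO_SEED_B32, now)       # new key or app provisioned from the saved seed
    print("original:", original_key, "replacement:", replacement)
    print("server accepts replacement:", verify(DEMO_SEED_B32, replacement, now))
    print("stale code rejected:", verify(DEMO_SEED_B32, totp(DEMO_SEED_B32, now - 120), now))
```

The flip side is the same property: whoever holds the seed holds the credential, which is why the post keeps it on paper in a vault rather than on the phone next to the app.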

Re: You can disable YubiKey?? - You gotta be kidding

Postby JuanjoG » Tue Jul 25, 2017 5:14 am

Lars wrote: ...you can very easily disable the feature to disable YubiKey (or any other disabling feature on LastPass). Simply put in a dummy email address as your Security Email Address - i.e. blahblahblah@example.com - and whatever email is sent to disable your YubiKey is non-existent, thus you can't disable the YubiKey. Problem solved.

Hi Lars,
Instead of using an example.com email address, like blahblahblah@example.com, would it make sense to create a "security email address" with Gmail (juanjo.security@gmail.com for instance) with a very strong password, that I keep only written in a secure paper notebook? I would not access this security email address for anything other than disabling the YubiKey, should the need arise. Of course, I have a different Gmail address for everyday use.

Am I creating more security problems with this set up in your opinion?
Thanks.
JuanjoG
 
Posts: 2
Joined: Tue Jul 25, 2017 5:05 am

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Tue Jul 25, 2017 3:31 pm

That's effectively what I do - specify an email address I don't use for any other purpose and for which I remember the password.
jonat
 
Posts: 2209
Joined: Thu Dec 09, 2010 8:42 pm
