
Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sun Jul 07, 2013 11:48 am
by rlarian
I agree that you should need a YubiKey password to disable YubiKey. You can have 5 YubiKeys associated with your account, so lose one and just use one of your others to disable it. You can also create a printed copy of OTPs to use in just such an event.

There's no reason not to require a YubiKey to disable it as the default - with the ability to turn this function off if you don't want to use this secure feature - but on by default.
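
The "printed copy of OTPs" mentioned above is a sheet of single-use recovery codes. The example below is added here and is not LastPass code or anything from the thread; it is a minimal, self-contained model of how such a sheet is issued and redeemed so that the service never stores the codes in the clear and never accepts one twice. The store class, the code format (ten random bytes rendered as base32 in groups of four) and the `rng` hook are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Callable, List

CODE_BYTES = 10  # 80 bits of entropy per code: beyond any online guessing budget


def format_code(raw: bytes) -> str:
    """Render raw bytes as a human-copyable code: base32, grouped by four.
    10 bytes is exactly 16 base32 characters, so no '=' padding appears."""
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def normalize(typed: str) -> str:
    """Undo whatever a human did while typing the code: case, spaces, dashes."""
    return "".join(ch for ch in typed.upper() if ch.isalnum())


class RecoveryCodeStore:
    """Server-side record of one user's printed sheet (hypothetical class).

    Only a per-code salt and SHA-256(salt || code) are kept, so a database
    leak does not hand an attacker a usable second factor. The plaintext
    codes exist once, on the sheet returned by issue()."""

    def __init__(self, rng: Callable[[int], bytes] = secrets.token_bytes) -> None:
        self._rng = rng            # injectable so the behaviour can be tested
        self._entries = []         # each entry: [salt, digest, used]

    @staticmethod
    def _digest(salt: bytes, normalized_code: str) -> bytes:
        return hashlib.sha256(salt + normalized_code.encode("ascii")).digest()

    def issue(self, count: int = 10) -> List[str]:
        """Generate a fresh sheet, replacing any previous one, and return the
        plaintext codes for printing. They are not stored."""
        self._entries = []
        sheet = []
        for _ in range(count):
            code = format_code(self._rng(CODE_BYTES))
            salt = self._rng(16)
            self._entries.append([salt, self._digest(salt, normalize(code)), False])
            sheet.append(code)
        return sheet

    def redeem(self, typed_code: str) -> bool:
        """Burn one code. Every entry is hashed and compared in constant time
        regardless of where the match sits; a used code is never accepted again."""
        wanted = normalize(typed_code)
        matched = None
        for index, (salt, digest, used) in enumerate(self._entries):
            if hmac.compare_digest(self._digest(salt, wanted), digest) and not used:
                matched = index
        if matched is None:
            return False
        self._entries[matched][2] = True
        return True

    def remaining(self) -> int:
        """How many unused codes are left, so the user can be told to reissue."""
        return sum(1 for entry in self._entries if not entry[2])


if __name__ == "__main__":
    store = RecoveryCodeStore()
    sheet = store.issue()
    print("print and keep safe:", *sheet, sep="\n  ")
    print("first use accepted:", store.redeem(sheet[0]))
    print("second use accepted:", store.redeem(sheet[0]))
    print("codes left:", store.remaining())
```

The point of the design, in the context of this thread, is that redeeming a code proves possession of something created at enrolment, which an email reset link does not; the sheet is the recovery path, so it must be guarded like a key, and it should be reissued once most codes are used.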

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Aug 14, 2013 12:57 pm
by jarlpforum
pauls840 wrote: What is the purpose of 2 factor on the LP app if the authenticating device is the same one running the LP app?

I'm also curious about this setup, having LP and the two-factor on the same device. If you don't have a good locking password on the device and you lose it, you've essentially lost half your two-factor security by giving away your LP and authenticator. What's more, it's the stronger half, the part that changes every 60 seconds. All that's needed to complete the picture is figuring out your static lastpass password. Hopefully, that's something different from your device locking password.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Aug 14, 2013 2:04 pm
by jonat
You may as well tell LP to trust the device you have Authenticator on. But someone would need both your password AND your device to log in to LP on some other device, hence the added security. Without 2FA, only your password is needed and you'd not be the wiser.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Aug 14, 2013 2:37 pm
by jarlpforum
jonat wrote: You may as well tell LP to trust the device you have Authenticator on. But someone would need both your password AND your device to log in to LP on some other device, hence the added security. Without 2FA, only your password is needed and you'd not be the wiser.

But isn't the Settings->Mobile Devices->Restrict check box independent of 2FA? It seems I could lock out any mobile device not on my list of approved devices, even without 2FA in effect.

On the other hand, for "Trusted Computers", it does seem that 2FA is the only way to add more security than just password login. What's to stop someone hopping on any old computer to try to log into my lastpass account if they get my password?

I'd love to have 2FA on my iOS, but it just seems a little less secure having both the authenticator and LP on the same device than if the authenticator were a different device. It feels like taping one key to a safety deposit box that takes two keys.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Wed Aug 14, 2013 3:45 pm
by jonat
You could use the Restrict checkbox, but that is not absolutely secure. As you say, 2FA is the way to add more security than a password. For my devices, I have my iOS devices trusted as I'm less concerned about someone stealing the device AND knowing my password. As I said, having authenticator on the same device renders 2FA pointless on that device. But it does block someone who learns your password from logging in on their own computer/device.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Sat Nov 29, 2014 2:10 pm
by federico444
I also think that the email rescue method is quite insecure. The recovery method is to have multiple YubiKeys or multiple 2FA. For example, if I disable YubiKey I shouldn't be allowed to also disable the grid.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Mon Aug 31, 2015 11:33 pm
by JohnS
> I also think that the email rescue metodh is quite insecure.

And there seems to be no easy way to disable it. It's either going to send to your regular email address or to the special one (if you have one set up). The suggestion to set up a "dummy" special email address requires some work, since it won't accept it unless it is verified. So it seems that you actually have to set up a real, working special email address. Then once verified you can just forget the password.

Let's face it, there is no bulletproof method to get around a missing YubiKey. If there were, it would be a backdoor - and who wants those? But I've seen plenty of places use what I think are reasonable compromises. An SMS text message to a pre-validated number is pretty good, unless they steal your phone at the same time. But you could use a friend's phone number (and he could use yours).

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Mon Aug 31, 2015 11:42 pm
by JohnS
Or... Don't use the YubiKey in the YubiCo OTP mode. Use it in OATH-TOTP mode. This way all you need to clone it (now or later) is the seed code. So when you set it up, write down the seed code and save it in a safe place (bank vault, friend's, etc). Then if you lose your only key all you need to do is get another (use the Google App till it arrives) with the same seed. It's still better to have the seed in a hardware key than in an app in the long run.

I'm new to LastPass, but I understand that there might also be a problem with multiple YubiKeys and offline storage. Only one key works? If so, OATH-TOTP would solve this problem, too.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Tue Jul 25, 2017 5:14 am
by JuanjoG
Lars wrote: ...you can very easily disable the feature to disable Yubikey (or any other disabling feature on LastPass). Simply put in a dummy email address as your Security Email Address - ie. blahblahblah@example.com - and what ever email is sent to disable your Yubikey, is non-existent, thus you can't disable the Yubikey.. Problem solved.

Hi Lars,
Instead of using an example.com email address, like blahblahblah@example.com, would it make sense to create a "security email address" with gmail, (juanjo.security@gmail.com for instance) with a very strong password, that I keep only written in a secure paper notebook? I would not access this security email address for anything other than disabling the yubikey, should the need arise? Of course, I have a different gmail address for everyday use.

Am I creating more security problems with this set up in your opinion?
Thanks.

Re: You can disable YubiKey?? - You gotta be kidding

Posted: Tue Jul 25, 2017 3:31 pm
by jonat
That's effectively what I do - specify an email address I don't use for any other purpose and for which I remember the password.