cxt380 Wrote: I just found this after buying a Yubikey Neo specifically to use for Lastpass.
It's trivially easy to bypass the Yubikey 2FA, since whoever has access to your main email is able to disable it. If my desktop is compromised by a trojan, an attacker can trivially disable Yubikey 2FA since they have access to my email, which is logged in, and they can keylog my master password, resulting in my entire vault being revealed. There should be a way to disable this feature (or at least have it take a long time to fire), since it defeats the entire point of having 2FA enabled, in that if one device (the desktop) is compromised, the attacker can still disable 2FA and access your vault.
Furthermore, I can't even enter an invalid domain to disable the "Yubikey bypass email", since you're forced to validate the unlock key before you can set the recovery email.
However, there seems to be a reasonable tactic to block the "disable Yubikey" anti-feature:
1: Register for a new email, from a provider that supports Yubikey authentication (e.g. Gmail). Set this email as your recovery email.
2: Generate a long secure static password using the Yubikey and store the same password on all of your Yubikeys. Optionally (following Yubico recommendations), append or prepend that with a short passphrase.
3: An attacker attempting to disable Yubikey from your main device with your main email logged in will be prompted to log in to the secondary email, and will not be able to do so since the secondary email is not accessible to them without a Yubikey.
It's pretty annoying that we have to go to such lengths to disable such an anti-feature.
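The threat model in the post above boils down to a question of reachability: starting from what a compromised desktop hands the attacker, can they chain through the recovery email to the vault? The following added example (not code from the forum or from LastPass; capability and rule names are constructed) encodes both the default setup and the hardened setup from steps 1-3 as AND/OR rules and computes the attacker's closure.

```python
"""Recovery-path analysis for the LastPass / YubiKey scenario in the post.

Added example, not code from the forum or from LastPass. Each capability is
derived from other capabilities by rules of the form (target, requirements):
a rule fires when the attacker holds ALL of its requirements, and several
rules for one target act as alternatives (OR). Starting from what a
compromised desktop yields, we compute the closure and ask whether the
vault is reachable.
"""
from typing import Iterable

Rule = tuple[str, tuple[str, ...]]

def reachable(start: Iterable[str], rules: list[Rule]) -> set[str]:
    """Forward-chain the rules until no new capability is gained."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for target, needs in rules:
            if target not in have and all(n in have for n in needs):
                have.add(target)
                changed = True
    return have

# Compromised desktop (constructed): main email is logged in, master password keylogged.
DESKTOP_COMPROMISE = frozenset({"desktop", "main_email", "master_password"})

# Default setup from the post: the 2FA-disable link goes to the main email.
DEFAULT_SETUP: list[Rule] = [
    ("twofa_disabled", ("main_email",)),                # disable link lands in main inbox
    ("vault", ("master_password", "yubikey")),          # normal login with second factor
    ("vault", ("master_password", "twofa_disabled")),   # login once 2FA has been switched off
]

# Hardened setup from steps 1-3: a separate security email, protected by a hardware key,
# whose password is remembered rather than stored in the vault.
HARDENED_SETUP: list[Rule] = [
    ("twofa_disabled", ("security_email",)),
    ("security_email", ("security_email_password", "yubikey")),
    ("vault", ("master_password", "yubikey")),
    ("vault", ("master_password", "twofa_disabled")),
]

def vault_exposed(rules: list[Rule], start: Iterable[str] = DESKTOP_COMPROMISE) -> bool:
    """True if the attacker can reach the vault from the given starting capabilities."""
    return "vault" in reachable(start, rules)

if __name__ == "__main__":
    print("default :", "vault exposed" if vault_exposed(DEFAULT_SETUP) else "vault safe")
    print("hardened:", "vault exposed" if vault_exposed(HARDENED_SETUP) else "vault safe")
```

Adding a rule such as `("security_email_password", ("vault",))` models storing the security email's password in LastPass; it does not help the attacker here because the vault is exactly what they lack, but it shows why the post insists that password be remembered, not stored.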
jonat Wrote: It is true that someone who already has access to your email account has tremendous power. But for the purpose of LastPass and disabling 2FA, it doesn't have to be. LastPass allows you to specify a "security email" address, to which 2FA disable requests are sent. Ideally, you set this to a separate account that you don't use for normal purposes and for which you remember how to log in (don't save its password in LastPass). I chose a webmail account on a service I don't use for other purposes. Yes, it's one more thing to remember, but it allows you to use LastPass to manage your email password.
One might want to disable 2FA if you have lost access to the second factor (whatever it is).