You can disable YubiKey?? - You gotta be kidding


Re: You can disable YubiKey?? - You gotta be kidding

Postby cxt380 » Fri Jun 22, 2018 2:48 pm

I just found this after buying a Yubikey Neo specifically to use for Lastpass.

It's trivially easy to bypass the Yubikey 2FA, since whoever has access to your main email is able to disable it. If my desktop is compromised by a trojan, an attacker can trivially disable Yubikey 2FA since they have access to my email which is logged in, and they can keylog my master password, resulting in my entire vault being revealed. There should be a way to disable this feature (or at least have it take a long time to fire), since it defeats the entire point of having 2FA enabled: if one device (the desktop) is compromised, the attacker can still disable 2FA and access your vault.

Furthermore, I can't even enter an invalid domain to disable the "Yubikey bypass email", since you're forced to validate the unlock key before you can set the recovery email.

However, there seems to be a reasonable tactic to block the "disable Yubikey" anti-feature:

1: Register for a new email, from a provider that supports Yubikey authentication (e.g. Gmail). Set this email as your recovery email.

2: Generate a long secure static password using the Yubikey and store the same password on all of your Yubikeys. Optionally (following Yubico recommendations), append or prepend that with a short passphrase.

3: An attacker attempting to disable Yubikey from your main device with your main email logged in will be prompted to log in to the secondary email, and will not be able to do so since the secondary email is not accessible to them without a Yubikey.

It's pretty annoying that we have to go to such lengths to disable such an anti-feature.
cxt380
 
Posts: 2
Joined: Fri Jun 22, 2018 2:23 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby damjam » Mon Sep 10, 2018 1:09 pm

cxt380 wrote: I just found this after buying a Yubikey Neo specifically to use for Lastpass.

It's trivially easy to bypass the Yubikey 2FA, since whoever has access to your main email is able to disable it. If my desktop is compromised by a trojan, an attacker can trivially disable Yubikey 2FA since they have access to my email which is logged in, and they can keylog my master password, resulting in my entire vault being revealed. There should be a way to disable this feature (or at least have it take a long time to fire), since it defeats the entire point of having 2FA enabled: if one device (the desktop) is compromised, the attacker can still disable 2FA and access your vault.

Furthermore, I can't even enter an invalid domain to disable the "Yubikey bypass email", since you're forced to validate the unlock key before you can set the recovery email.

However, there seems to be a reasonable tactic to block the "disable Yubikey" anti-feature:

1: Register for a new email, from a provider that supports Yubikey authentication (e.g. Gmail). Set this email as your recovery email.

2: Generate a long secure static password using the Yubikey and store the same password on all of your Yubikeys. Optionally (following Yubico recommendations), append or prepend that with a short passphrase.

3: An attacker attempting to disable Yubikey from your main device with your main email logged in will be prompted to log in to the secondary email, and will not be able to do so since the secondary email is not accessible to them without a Yubikey.

It's pretty annoying that we have to go to such lengths to disable such an anti-feature.

Can't agree more.
My question is, if you can register multiple Yubikeys to the account, why would you need to disable the Yubikey at all?
damjam
 
Posts: 4
Joined: Mon Sep 10, 2018 10:43 am

Re: You can disable YubiKey?? - You gotta be kidding

Postby jonat » Tue Sep 11, 2018 8:35 pm

It is true that someone who already has access to your email account has tremendous power. But for the purpose of LastPass and disabling 2FA, it doesn't have to be. LastPass allows you to specify a "security email" address, to which 2FA disable requests are sent. Ideally, you set this to a separate account that you don't use for normal purposes and for which you remember how to log in (don't save its password in LastPass.) I chose a webmail account on a service I don't use for other purposes. Yes, it's one more thing to remember but it allows you to use LastPass to manage your email password.

One might want to disable 2FA if you have lost access to the second factor (whatever it is).
jonat
 
Posts: 2192
Joined: Thu Dec 09, 2010 8:42 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby damjam » Wed Sep 12, 2018 7:16 pm

jonat wrote: It is true that someone who already has access to your email account has tremendous power. But for the purpose of LastPass and disabling 2FA, it doesn't have to be. LastPass allows you to specify a "security email" address, to which 2FA disable requests are sent. Ideally, you set this to a separate account that you don't use for normal purposes and for which you remember how to log in (don't save its password in LastPass.) I chose a webmail account on a service I don't use for other purposes. Yes, it's one more thing to remember but it allows you to use LastPass to manage your email password.

One might want to disable 2FA if you have lost access to the second factor (whatever it is).


I've done what has been suggested re "security email."
BTW if you don't set a security email LastPass simply sends the disable email to the account email address. :shock: Which is what the prior poster was referring to I believe. I can imagine some users might mistakenly believe that not setting a security email protects them in some way. By believing no notices go out or something.

I'm still confused as to how you would lose access to the second factor if you have registered more than one key.
The only thing I can imagine is some sort of glitch with the software or hardware.
Not meaning to be harsh but, if you can't keep at least one Yubikey secure, maybe you shouldn't be using them in the first place.
damjam
 
Posts: 4
Joined: Mon Sep 10, 2018 10:43 am
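The three configurations argued over above (cxt380's hardware-key-protected recovery mailbox, jonat's separate "security email", and the default damjam describes where the disable link goes to the account email) can be checked as a small threat model. This is an added example, not LastPass code or anything from the posters; the attacker capabilities, credential names and the "keylogged" scenario are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

@dataclass(frozen=True)
class Mailbox:
    name: str
    # Credentials needed to read this mailbox. "hardware_key" stands for a physical
    # second factor that malware on the compromised desktop cannot possess.
    needs: FrozenSet[str]

@dataclass
class VaultAccount:
    account_email: Mailbox
    hardware_2fa: bool = True
    # None models the default the thread describes: with no security email set,
    # the 2FA-disable link is sent to the account email itself.
    security_email: Optional[Mailbox] = None

    def disable_request_target(self) -> Mailbox:
        return self.security_email or self.account_email

def attacker_can_open_vault(acct: VaultAccount, attacker_has: FrozenSet[str]) -> bool:
    """True if an attacker holding the credentials in `attacker_has` reaches the vault."""
    if "master_password" not in attacker_has:
        return False
    if not acct.hardware_2fa or "hardware_key" in attacker_has:
        return True
    # Only remaining route: confirm the disable-2FA link in the recovery mailbox.
    return acct.disable_request_target().needs <= attacker_has

def evaluate_configurations() -> Dict[str, bool]:
    """Constructed scenarios: a trojan on the desktop keylogs the master password and
    rides the logged-in main-mailbox session; it never holds the hardware key."""
    main = Mailbox("main", frozenset({"main_email_session"}))
    separate = Mailbox("security-webmail", frozenset({"security_email_password"}))
    keyed = Mailbox("security-webmail-with-key",
                    frozenset({"security_email_password", "hardware_key"}))
    desktop = frozenset({"master_password", "main_email_session"})
    keylogged = desktop | {"security_email_password"}  # user typed it on the bad box
    return {
        "default_link_to_account_email": attacker_can_open_vault(VaultAccount(main), desktop),
        "separate_security_email": attacker_can_open_vault(
            VaultAccount(main, security_email=separate), desktop),
        "separate_email_password_keylogged": attacker_can_open_vault(
            VaultAccount(main, security_email=separate), keylogged),
        "separate_email_behind_hardware_key": attacker_can_open_vault(
            VaultAccount(main, security_email=keyed), keylogged),
    }
```

The third scenario is the assumption that makes the difference between jonat's and cxt380's advice visible: a password-only security mailbox holds up only as long as its password is never typed on the compromised machine, whereas a mailbox that also demands the physical key does not depend on that.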

Re: You can disable YubiKey?? - You gotta be kidding

Postby makdaddy8888993 » Thu Sep 13, 2018 9:29 pm

Too much reading but from my take I can see 2 options. You either allow customers to have the option to enforce Yubikey (keeping some people happy, but don't complain when your dog chews your key) or not.

I think Adrianh77 is correct about not being able to disable YubiKey but I'd hate the logistical support burden caused by enforcement.

BTW SMS authentication is a terrible idea. SMS is not secured and people's mobile phone numbers can be stolen by clever social attacks, e.g. SIM swap.
makdaddy8888993
 
Posts: 3
Joined: Tue Feb 03, 2015 9:23 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby swisschris » Wed Jun 12, 2019 8:26 am

It was suggested in this thread by "Lars" (memberlist.php?mode=viewprofile&u=79269) to give a non-existent Security Email address as a workaround to disabling email as backup for lost 2FA.
I tried it. Lastpass requires email verification for this address. In other words, you HAVE to give a valid email address to which you have access. Hence, there's no way to deactivate email as backup for lost 2FA!
swisschris
 
Posts: 4
Joined: Sun Mar 26, 2017 6:29 am
