You can disable YubiKey?? - You gotta be kidding


You can disable YubiKey?? - You gotta be kidding

Postby adrianh77 » Wed Mar 13, 2013 11:44 am

I just watched the video of how easy it is to use YubiKey with LastPassword and I saw that you can disable the YubiKey authentication. You gotta be kidding me, THIS IS NOT 2 FACTOR AUTH!!!! Yes, I'm yelling!! I just totally lost confidence in this product. It means that the passwords are encrypted/protected only with the LastPassword master password. Why .. why ... why...
adrianh77
 
Posts: 5
Joined: Wed Mar 13, 2013 11:38 am

Re: You can disable YubiKey?? - You gotta be kidding

Postby drew » Wed Mar 13, 2013 11:50 am

In order to disable YubiKey, you need to have access to your email account. You can set up an alternate security email account, and the disable requests will go there instead.
drew
 
Posts: 1081
Joined: Tue Aug 19, 2008 5:47 pm
Location: Washington, DC USA

Re: You can disable YubiKey?? - You gotta be kidding

Postby adrianh77 » Thu Mar 14, 2013 1:09 am

Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth. Not only that, but this option is disabled by default so you are guiding your users into an insecure default setting while reassuring them that it's safe because it's two factor auth. A keylogger installed on my machine will capture both passwords. First auth mechanism is usually what you know (username and password) and second mechanism is what you have (USB drive, smartcard, etc.). I understand that some of your users have lost their YubiKeys and they were upset, but I'm afraid you have thrown out the baby together with the water. By allowing a user authenticated only through a password to disable the YubiKey authentication you are rendering the whole thing useless. The proper fix would have been to show a big red warning that the user data will be lost if the password or the YubiKey is lost and have the user accept that warning, and not allow changing settings only with master password. Next best thing would probably be to give me a setting that would require both master password and YubiKey authentication in order to disable YubiKey.

This is a pretty big blunder in my opinion, especially from the leading Password Manager app, very disappointing.
adrianh77
 
Posts: 5
Joined: Wed Mar 13, 2013 11:38 am
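The post above argues that a session authenticated with the master password alone (plus an emailed link) should not be able to turn the second factor off, and that enrollment should require the user to accept a lockout warning. The following is an added example, not code from LastPass or from anyone in this thread, that models the two policies side by side in a small authorization check: the email-link policy as the thread describes it, and the stricter policy the poster proposes, where the hardware OTP must have been presented recently in the same session. The factor names, the 300-second re-authentication window and the audit record are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Factor(Enum):
    PASSWORD = auto()       # something you know
    HARDWARE_OTP = auto()   # something you have (a YubiKey press)
    EMAIL_LINK = auto()     # possession of an inbox; not a second factor in the poster's sense


@dataclass
class Session:
    user: str
    # factor -> time (seconds) at which it was verified in this session
    verified_at: dict = field(default_factory=dict)

    def has(self, factor):
        return factor in self.verified_at


@dataclass
class Account:
    user: str
    second_factor_enrolled: bool = True
    # set when the user accepted the warning that losing the key means losing the data
    accepted_lockout_risk: bool = False
    audit: list = field(default_factory=list)


REAUTH_WINDOW_SECONDS = 300  # assumed: how fresh the hardware OTP must be to change security settings


def enroll_second_factor(account, acknowledged_warning):
    """Enrollment as the poster proposes: the user must accept the lockout warning first."""
    if not acknowledged_warning:
        return False, "user must acknowledge the lockout warning before enrolling"
    account.second_factor_enrolled = True
    account.accepted_lockout_risk = True
    return True, "enrolled"


def weak_policy(account, session, now):
    """Policy as the thread describes it: master password plus a link received by email."""
    if session.has(Factor.PASSWORD) and session.has(Factor.EMAIL_LINK):
        return True, "password + email link"
    return False, "need password and email link"


def strict_policy(account, session, now):
    """Hardened policy: the second factor itself must have been presented recently;
    an emailed link never substitutes for it."""
    if not session.has(Factor.PASSWORD):
        return False, "password not verified"
    if not session.has(Factor.HARDWARE_OTP):
        return False, "second factor not presented in this session"
    age = now - session.verified_at[Factor.HARDWARE_OTP]
    if age > REAUTH_WINDOW_SECONDS:
        return False, "second factor verified %.0fs ago; re-authenticate" % age
    return True, "password + fresh hardware OTP"


def request_disable(account, session, policy, now):
    """Apply `policy` to a request to turn the second factor off and record the decision.

    Every attempt, allowed or refused, lands in the account's audit list so that
    repeated refusals (a sign someone is probing the recovery path) are visible.
    """
    if session.user != account.user:
        decision = (False, "session belongs to a different user")
    elif not account.second_factor_enrolled:
        decision = (False, "second factor is not enrolled")
    else:
        decision = policy(account, session, now)
    allowed, reason = decision
    account.audit.append({"t": now, "action": "disable_2fa", "allowed": allowed, "reason": reason})
    if allowed:
        account.second_factor_enrolled = False
    return allowed, reason


if __name__ == "__main__":
    # constructed sample: password verified at t=1000, email link clicked at t=1010
    email_session = Session("alice", {Factor.PASSWORD: 1000.0, Factor.EMAIL_LINK: 1010.0})
    otp_session = Session("alice", {Factor.PASSWORD: 1000.0, Factor.HARDWARE_OTP: 1010.0})
    for name, policy in (("weak", weak_policy), ("strict", strict_policy)):
        for label, session in (("email link", email_session), ("hardware OTP", otp_session)):
            acct = Account("alice")
            print(name, label, request_disable(acct, session, policy, now=1020.0))
```

Under the weak policy the email-link session succeeds, which is exactly the behaviour the poster objects to; under the strict policy it is refused, and even a hardware-OTP session is refused once the OTP is older than the window, so the check has to be repeated at the moment the setting is changed rather than trusted from an earlier login.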

Re: You can disable YubiKey?? - You gotta be kidding

Postby jpenny84 » Thu Mar 14, 2013 2:25 am

adrianh77 Wrote:Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth. Not only that, but this option is disabled by default so you are guiding your users into an insecure default setting while reassuring them that it's safe because it's two factor auth.


Nothing in the documentation states that the security email is two factor authentication. https://helpdesk.lastpass.com/account-s ... /security/

A keylogger installed on my machine will capture both passwords. First auth mechanism is usually what you know (username and password) and second mechanism is what you have (USB drive, smartcard, etc.). I understand that some of your users have lost their YubiKeys and they were upset, but I'm afraid you have thrown out the baby together with the water. By allowing a user authenticated only through a password to disable the YubiKey authentication you are rendering the whole thing useless. The proper fix would have been to show a big red warning that the user data will be lost if the password or the YubiKey is lost and have the user accept that warning, and not allow changing settings only with master password. Next best thing would probably be to give me a setting that would require both master password and YubiKey authentication in order to disable YubiKey.

This is a pretty big blunder in my opinion, especially from the leading Password Manager app, very disappointing.


If people's LastPass accounts would be rendered useless if they lost their keys or whatever the YubiKey was kept on, then they wouldn't use it. Ultimately your master password is your primary line of defense. OTP two factor auth systems like YubiKey and Google Authenticator are validated online anyways, so you can get around two factor auth in some cases by taking a browser with a cached copy of your LastPass data offline.
jpenny84
 
Posts: 8854
Joined: Tue Mar 06, 2012 9:10 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby Lars » Thu Mar 14, 2013 2:30 am

Adrian.. first off no need to yell anymore.

Secondly, if you had done your homework thoroughly, you would have found that you can very easily disable the feature to disable YubiKey (or any other disabling feature on LastPass). Simply put in a dummy email address as your Security Email Address, i.e. blahblahblah@example.com, and whatever email is sent to disable your YubiKey goes to a non-existent address, thus you can't disable the YubiKey. Problem solved.

The biggest blunder here is you not knowing the product well enough, yet complaining about it.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: You can disable YubiKey?? - You gotta be kidding

Postby adrianh77 » Fri Mar 15, 2013 1:21 am

Hi Lars, sorry for 'yelling'. I wasn't really yelling, but I was outraged.

Lars Wrote: Simply put in a dummy email address as your Security Email Address, i.e. blahblahblah@example.com, and whatever email is sent to disable your YubiKey goes to a non-existent address, thus you can't disable the YubiKey. Problem solved.


This is a ridiculous proposal; yes, I've already read this proposal on another thread on this forum. Why don't you write an email and put your SSN, name, address, phone numbers, bank account user names and passwords in the body and then email it to blahblahblah@example.com because that email address does not exist? .... This is how I feel about this proposal.

Your mindset about security is wrong. I'll keep looking; functionally you probably have a good product, but I'm not convinced about its security, even less than before after this discussion. Thank you!
adrianh77
 
Posts: 5
Joined: Wed Mar 13, 2013 11:38 am

Re: You can disable YubiKey?? - You gotta be kidding

Postby adrianh77 » Fri Mar 15, 2013 1:33 am

A better approach would have been to send an SMS with the URL/unlock code instead of an email. Using a channel other than email would have been better. Thank you!
adrianh77
 
Posts: 5
Joined: Wed Mar 13, 2013 11:38 am

Re: You can disable YubiKey?? - You gotta be kidding

Postby kilgry » Fri Mar 15, 2013 7:11 pm

I don't see the problem.

If you are looking for foolproof security, you are not going to find it anywhere. I believe LastPass has done a lot to help improve the security of those who chose to use it. Is it foolproof? No.

SMS vs. email... not really a biggie. Sure, LastPass could add SMS as an option, but how much more security would it get you?
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby jpenny84 » Fri Mar 15, 2013 7:26 pm

Not to mention the costs to support an SMS system considering LastPass is primarily a free service.
jpenny84
 
Posts: 8854
Joined: Tue Mar 06, 2012 9:10 pm

Re: You can disable YubiKey?? - You gotta be kidding

Postby Lars » Fri Mar 15, 2013 11:38 pm

adrianh77 Wrote: This is a ridiculous proposal; yes, I've already read this proposal on another thread on this forum. Why don't you write an email and put your SSN, name, address, phone numbers, bank account user names and passwords in the body and then email it to blahblahblah@example.com because that email address does not exist? .... This is how I feel about this proposal.

I would have no issues whatsoever doing that. Anyone with the slightest bit of insight into online security knows that the domain example.com is a dummy, and nothing can be harvested from it.

adrianh77 Wrote: Your mindset about security is wrong. I'll keep looking; functionally you probably have a good product, but I'm not convinced about its security, even less than before after this discussion. Thank you!

So because I use a -- very well working -- workaround to a problem, my "mindset about security is wrong"? That makes absolutely no sense whatsoever. I know you don't know me, or you would've known just how adamant I am about security.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal
