LastPass Forums

[adrianh77]

I just watched the video of how easy it is to use YubiKey with LastPassword and I saw that you can disable the YubiKey authentication. You gotta be kidding me, THIS IS NOT 2 FACTOR AUTH!!!! Yes, I'm yelling!! I just totally lost confidence in this product. It means that the passwords are encrypted/protected only with the LastPassword master password. Why .. why ... why...

[drew]

In order to disable YubiKey, you need to have access to your email account. You can setup an alternate security email account, and the disable requests will go there instead.

[adrianh77]

Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth. Not only that, but this option is disabled by default so you are guiding your users into an insecure default setting while reassuring them that it's safe because it's two factor auth. A keylogger installed on my machine will capture both passwords. First auth mechanism is usually what you know (username and password) and second mechanism is what you have (USB drive, smartcard, etc.). I understand that some of your users have lost their YubiKeys and they were upset, but I'm afraid you have thrown out the baby together with the water. By allowing a user authenticated only through a password to disable the YubiKey authentication you are rendering the whole thing useless. The proper fix would have been to show a big red warning that the user data will be lost if the password or the YubiKey is lost and have the user accept that warning, and not allow changing settings only with master password. Next best thing would probably be to give me a setting that would require both master password and YubiKey authentication in order to disable YubiKey.

This is a pretty big blunder in my opinion, especially from the leading Password Manager app, very disappointing.

[jpenny84]

Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth. Not only that, but this option is disabled by default so you are guiding your users into an insecure default setting while reassuring them that it's safe because it's two factor auth.

Nothing in the documentation states that the security email is two factor authentication. https://helpdesk.lastpass.com/account-s ... /security/

A keylogger installed on my machine will capture both passwords. First auth mechanism is usually what you know (username and password) and second mechanism is what you have (USB drive, smartcard, etc.). I understand that some of your users have lost their YubiKeys and they were upset, but I'm afraid you have thrown out the baby together with the water. By allowing a user authenticated only through a password to disable the YubiKey authentication you are rendering the whole thing useless. The proper fix would have been to show a big red warning that the user data will be lost if the password or the YubiKey is lost and have the user accept that warning, and not allow changing settings only with master password. Next best thing would probably be to give me a setting that would require both master password and YubiKey authentication in order to disable YubiKey.

This is a pretty big blunder in my opinion, especially from the leading Password Manager app, very disappointing.

If people's LastPass accounts would be rendered useless if they lost their keys or whatever the YubiKey was kept on, then they wouldn't use it. Ultimately your master password is your primary line of defense. OTP two factor auth systems like YubiKey and Google Authenticator are validated online anyways, so you can get around two factor auth in some cases by taking a browser with a cached copy of your LastPass data offline.

[Lars]

Adrian.. first off no need to yell anymore.

Secondly, if you had done your homework thoroughly, you would have found, that you can very easily disable the feature to disable Yubikey (or any other disabling feature on LastPass). Simply put in a dummy email address as your Security Email Address - ie. blahblahblah@example.com - and what ever email is sent to disable your Yubikey, is non-existent, thus you can't disable the Yubikey.. Problem solved.

The biggest blunder here, is you not knowing the product well enough, yet complaining about it.

[adrianh77]

Hi Lars, sorry for 'yelling' - I wasn't really yelling but I was outraged.

Simply put in a dummy email address as your Security Email Address - ie. blahblahblah@example.com - and what ever email is sent to disable your Yubikey, is non-existent, thus you can't disable the Yubikey.. Problem solved.

This is a ridiculous proposal, yes I've already read this proposal on another thread on this forum. Why don't you write an email an put your SSN, name, address, phone numbers, bank account user names and passwords in the body and then email it to blahblahblah@example.com because that email address does not exist? .... this is how I feel about this proposal.

Your mindset about security is wrong, I'll keep looking, functionally you probably have a good product, but I'm not convinced about its security, even less than before after this discussion. Thank you!

[adrianh77]

A better approach would have been to send an SMS with the URL/unlock code instead of an email. Using a channel other than email would have been better. Thank you!

[kilgry]

I don't see the problem.

If you are looking for foolproof security, you are not going to find it anywhere. I believe LastPass has done a lot to help improve the security of those who chose to use it. Is it foolproof? No.

SMS vs. Email...not really a biggy. Sure LastPass could add SMS as an option, but how much more security would it get you?

[jpenny84]

Not to mention the costs to support an SMS system considering LastPass is primarily a free service.

[Lars]

This is a ridiculous proposal, yes I've already read this proposal on another thread on this forum. Why don't you write an email an put your SSN, name, address, phone numbers, bank account user names and passwords in the body and then email it to blahblahblah@example.com because that email address does not exist? .... this is how I feel about this proposal.

I would have no issues what so ever doing that.. Anyone with the slightest bit of insight into online security, knows that the domain example.com is a dummy.. and nothing can be harvested from it.

Your mindset about security is wrong, I'll keep looking, functionally you probably have a good product, but I'm not convinced about its security, even less than before after this discussion. Thank you!

So because I use a -- very well working -- workaround to a problem, my "mindset about security is wrong"? That makes absolutely no sense what so ever. I know you don't know me or you would've known just how adamant I am about security.