As eagle-eyed users of LastPass will have noticed, the company recently introduced a cloud backup option for its popular smartphone Authenticator app.

Authenticator implements multi-factor authentication for LastPass and for a range of third-party services that support the Time-based One-Time Password (TOTP) algorithm, such as Google, Facebook, Microsoft, WordPress, Dropbox, and so on. It's possible to do this from Google's Authenticator app but, frankly, LastPass is better at it because it offers features such as one-tap push notifications, which make using it quick and easy.

However, the convenience comes with a small pitfall for the unwary: what happens if the smartphone running Authenticator tied to a user's account is lost or stolen?

Because the secret seed for each token is held on the phone that was enrolled (it is that seed, not the handset, that generates the codes), setting up a new phone means going back to square one: re-enrolling (or reinstating using backup codes) every single third-party service the old one was being used with.

Make reinstatement too onerous and people won't use it at all. The technology is great for a handful of sites, but apply it to dozens and it starts to weigh people down in exactly the same way passwords do.

What the new cloud backup option offers is a way to dodge this hassle by backing up the multi-factor tokens to the LastPass vault in an encrypted state.

Doubtless, a few people will find this alarming; indeed, some do. Backing up multi-factor tokens to one place sounds risky because you are putting the multi-factor eggs in one basket. On the face of it, that goes against the point of multi-factor authentication, which is that there should never be one point of failure.

Or you could argue that putting tokens inside a password manager is no less secure than putting lots of passwords inside a password manager in the first place. Anyone wanting access to the vault will still have to get around both password and multi-factor security to reach the critical data.

If LastPass is somehow compromised for a user who does not back up tokens, the attackers have access to all the passwords plus a way of bypassing LastPass's own multi-factor authentication. What they won't have, without the phone or a reliable man-in-the-middle compromise, is a way into the subset of sites inside the vault that have multi-factor authentication turned on independently. In theory (and it's only "in theory" because the multi-factor backup is secured using the same protection as any other LastPass data), anyone using Authenticator with multi-factor backup turned on might lose this last defence in the same situation, because the seeds that produce the codes are now in the vault too.

In the end, the argument in favour of cloud backup is that it's a compromise designed to cope with the fact that multi-factor security doesn't scale well.

Comment:

I went a different way, GA and switching phones sucked in the past. Lastpass did make that easier, but it still wasn't perfect for me. Authy does the trick, but again it meant I was still using 2 apps and had to grab my phone each time. Bitwarden is where I ended up and it keeps the 2FA in itself. Makes life a ton easier, but at the compromise that it's not a separate app and it propagates across devices. The benefit is what I hoped Lastpass Authenticator would be when I originally used it: I don't need to pick up my phone and load the app to get the code. If I autofill a page, it copies the 2FA code automatically and that can be pasted in. Obviously you need your master password to unlock the vault, and good practice would be setting the timeout and clearing of clipboard low enough to remain functional without compromising your security further. Another great aspect is the family sharing also shares the 2FA codes. My wife can log in to my employee discount page with the login and utilize the 2FA code to get in without needing to ask me to provide one. The pitfall is clearly that she has access to the unique password assigned to said work account, but since I know her timeouts are proper, it's not world ending in my opinion (even if against company policy).