LastPass now supports 2FA auth, completely undermines 2FA auth

Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …

Silver badge
Happy

@big_D: Re: Banking

big_D,

likewise [in the UK] my bank allows two types of e-banking logon, if I don't generate a string on the little gizmo in my wallet, I cannot setup any new payee destinations, if I logon to e-banking with the gizmo, I can.

And it uses part of the a/c code for the generation of the unique key that I have to type back into the browser.

So pretty good, not a pain in the butt and works!

Obvs I have no clue how robust the underlying schema and approach is, but there is only so much you can do...

Cheers,

Jay,

2
0

Re: @big_D: Banking

And your bank is HSBC?

They seem to have a good system but don't lose your gadget on an overseas holiday,

1
0
Silver badge

Re: @big_D: Banking

They seem to have a good system but don't lose your gadget on an overseas holiday,

They had a good system, but they seem increasingly desperate to ruin it by having everyone generate a code through their (shoddy) app instead.

I'd guess it's probably to do with the cost of getting RSA tokens, but they seem to be pushing the app generator harder and harder, so I've a feeling when the batteries give out on my dongle it may be hard to replace.

3
0
Silver badge

Re: Banking

" I need to generate a unique token using my debit card and card reader, plus the payee account number and the amount. This generates a unique code, which is used to verify the transaction."

Or, in the case of the card reader my bank sent me, is used to fail to verify the transaction. However the use cases needing this are very few; the only one I encountered was changing the email address. So the security device is a piece of crap but the good news is I don't have to use it!

0
1
Bronze badge

@AC: Re: Banking

Be careful about what you wish. https://xkcd.com/538/

1
0
Silver badge
Happy

@julian.smith: Re: @big_D: Banking

Julian,

First Direct, which is owned by HSBC.

Cheers,

Jay

0
0
Silver badge

Re: Banking

"The pin is only in my head and that card is never used outside the house."

So what happens when (not if) Murphy strikes and you FORGET your PIN?

0
0
Orv
Silver badge

Re: Banking

So what happens when (not if) Murphy strikes and you FORGET your PIN?

If it's like my bank, I go to the local branch, show my ID, and ask for it to be reset.

0
0
Silver badge

Re: Banking

Unless, of course, it's an extended weekend (coming up here in the US) and/or you're far from the nearest local branch (assuming they HAVE brick-and-mortar branches)? Or worse, they refuse to believe you?

0
0
Silver badge

2FA and OTP

Using an OTP as part of 2 factor authentication is a reasonably good method. BUT, if you are using it to authenticate an account on the mobile device where the 2FA is generated, then you completely lose any benefit of 2FA.

3
0
Silver badge

"detect if anyone is anyone"

Oddly enough "anyone" isn't in the OED. Anyon is, but I don't think we are discussing particle physics here.

0
0
Silver badge

Re: "detect if anyone is anyone"

"Oddly enough "anyone" isn't in the OED."

It's in the macOS Dikshunry, which I thought was based on the OED.

Its entry contains this note on usage:

usage: The two-word form any one is not the same as the one-word form anyone and the two forms cannot be used interchangeably. Any one means ‘any single (person or thing)’, as in: not more than twelve new members are admitted in any one year.

0
0
Silver badge

Re: "detect if anyone is anyone"

"It's in the macOS Dikshunry, which I thought was based on the OED."
There are several Oxford English dictionaries: The Pocket, the Concise, the Shorter... The Oxford English Dictionary is the 20 volume monster Mrs Git purchased me for my birthday several years ago when it was half-price. I already had the electronic version. I also have lots of dictionaries and an interesting book about dictionaries. I like words and was fascinated to discover a word in common use that wasn't in the OED. It's a first for me. Great one for a quiz night :-)

2
0

Re: "detect if anyone is anyone"

"Anyone" is in the Shorter OED (Sixth Edition, page 95) - can't vouch for any others.

0
0
Silver badge
Joke

Re: "detect if anyone is anyone"

> "Anyone" is in the Shorter OED (Sixth Edition, page 95) - can't vouch for any others.

In my head, Pompous has read that and is in the process of reenacting a very specific Blackadder scene as he realises there's a word missing from his dictionary.

0
0
Anonymous Coward

Re: "detect if anyone is anyone"

According to "publication history" for the entry at oed.com:

anyone, pron.

First published in OED First Edition (1885) as a subentry of “any, adj., pron., n., adv.”

OED Third Edition (March 2016) - fully updated and upgraded to full entry

0
0
Silver badge

Re: "detect if anyone is anyone"

I have the CD-ROM second edition. It has anyon, n. followed by anyplace, adv. Can't comment on dead-tree version at the moment; it's in storage. It does have any one under the entry for any (note the space between words). This can be found by typing anyone in the search box, but that's not how I usually use it. If you copy a word to the clipboard, the OED automagically looks it up for you.

0
0
Silver badge
Big Brother

Amateurs!

Keymat handling is where peeps fail hard on crypto.

0
2

2FA migration

I can sort of see the appeal of this, given the proliferation of sites supporting 2FA. You can easily imagine a situation where most sites require 2FA and we've just moved the "too many passwords" problem somewhere else.

Having just recently bought a new phone, had it develop a fault, and send it back I've had to go through the pain of migrating about ten 2FA registrations three times and it is a complete pain, even when most sites use compatible mechanisms. Seems there's a good opportunity to make it easier to transfer these in a secure fashion without storing them in the cloud.

1
0
Silver badge

Re: 2FA migration

"Having just recently bought a new phone, had it develop a fault, and send it back I've had to go through the pain of migrating about ten 2FA registrations three times... "
No backup then? Me and Mrs Git have three phones though only two in use at any one time. Actually, we have four but Mrs Git lost hers "somewhere in the house". Why was it turned off? To conserve electricity of course!

2
0
Silver badge

Re: 2FA migration

One, you can't properly back up a stock phone. Two, most OTP generators are keyed to both phone and Android serial, which can change on a restore. Used to happen to me with Authy.

1
0
Orv
Silver badge

Re: 2FA migration

At one point I got a cheap Chinese phone (a Doogee Valencia) and was puzzled to find I couldn't get Google Authenticator to produce working codes at all. Turns out the math library on the phone had a bug in one of its functions, producing incorrect results.

0
0

You can also require 2FA to get into LastPass in the first place. So I keep my other TOTP in that authenticator instead.

0
0
Silver badge

Being a bit pedantic LastPass doesn't do 2FA. Because LastPass in non-2FA mode doesn't do any authentication, it just lets anyone who knows the decryption key decrypt, LastPass's 2FA is their one and only means of authentication.

0
0
Orv
Silver badge

I'm not sure I see the distinction. Normally authentication works by running the user's input through a hashing function and seeing if it matches the stored hash. How is trying to use the users input as a decryption key, and seeing if it works, any less authenticating?

0
0
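The question above (whether checking a submitted master password by decrypting with it is any less of an authentication than comparing a stored hash) can be made concrete. The following is an added example, not LastPass code or the commenter's: it assumes a vault design where the master password is stretched with PBKDF2 into an encryption key and a MAC key, and the vault is only decrypted after the MAC over the ciphertext verifies. The stream cipher here is an HMAC counter-mode stand-in so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # constructed example count, not any product's setting


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into 64 bytes: the first half becomes the
    vault encryption key, the second half a MAC key used purely as a key check."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). A real vault
    would use an AEAD such as AES-GCM, which folds the tag check in."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt the vault under the derived key and attach a MAC over the
    nonce and ciphertext; salt and nonce are stored alongside in the clear."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_vault(master_password: str, vault: dict) -> Optional[bytes]:
    """Authenticate-then-decrypt. A wrong password yields a wrong MAC key, the
    tag check fails in constant time, and nothing is decrypted at all. This is
    the same shape as a hash comparison: a verifier derived from the secret."""
    enc_key, mac_key = derive_keys(master_password, vault["salt"])
    expected = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks))
```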
Silver badge
Flame

Once again: WE NEED A STANDARD !!!!

Before arsing about with AMP or HTML6 or whatever nonsense the marketing guys want, for the love of God can we not have an RFC or W3C devised standard on password generation, usage and storage ? It might address some of the problems highlighted above this comment ?

1) Password length

2) Allowed characters

3) Encrypted storage

4) Lost password reset (i.e. no emailing password in plaintext !!!!!)

etc etc

all of which should have been addressed BEFORE we started worrying about rounded edges in CSS.

6
0
Silver badge

Re: Once again: WE NEED A STANDARD !!!!

Well, that would be easy:

Password length - Any. Don't stop me from creating a 100 character password.

Allowed characters - Any. Don't stop me from using Cyrillic letters.

Encrypted storage - No. No storage at all. You don't store passwords, not even encrypted. You store a salted hash. Everything else, the CEO of the company, the manager allowing it, and the developer deserve their balls to be cut off, with something equivalent if they are female.

Lost password reset: Well, that means anyone can get into your account with one factor less :-(

10
0
Silver badge

Re: Once again: WE NEED A STANDARD !!!!

"can we not have an RFC or W3C devised standard on password generation, usage and storage ?"

Which everyone will implement with their own little amendments. Like IE implemented HTML.

0
1
Joke

Obligatory XKCD (was: Once again: WE NEED A STANDARD !!!!)

https://xkcd.com/927

(No, not 'Correct Horse Battery Staple', the one about standards)

2
0
Bronze badge

Re: Obligatory XKCD (was: Once again: WE NEED A STANDARD !!!!)

one of my favourites

0
0
Anonymous Coward

Last weeks "outage"

Lastpass does keep a local vault too, so I wasn't too affected.

1
0
Anonymous Coward

I prefer being cryptic about something only I know

In my computers I have a list of hints to phrases or details that only I would think of (often from deep in my childhood, with the odd substituted letter or number). As in "That phrase your deputy head always used to quote" or "What dad used to call his first car with its number". And frankly, if anyone could work those out I have worse things to worry about than being hacked. With 2FA for password resets if I get too cryptic.

0
0
Silver badge

Re: I prefer being cryptic about something only I know

"In my computers I have a list of hints to phrases or details that only I would think of -often from deep in my childhood-(with the odd substituted letter or number)."
Some years ago I created a Yahoo! account, but when the need for it ceased, didn't use it for some considerable period of time. When attempting to use it again, was told I needed to change my password. I was presented with my "secret questions" and discovered I no longer knew my grandfather's name, the school I went to etc.

Ya gotta laugh:-)

4
0
Silver badge

I have standard responses for those kind of questions, and the answers have obviously nothing to do with historical fact.

My first pet's name is something like "chicken", my first school could be Cygnus 1B and so on.

It helps that I have a password database to keep all that stuff in.

7
0
Silver badge

Re: I prefer being cryptic about something only I know

"What dad used to call his first car with its number".

Beware that old photo surfacing online.

1
0
Anonymous Coward

Re: I prefer being cryptic about something only I know

Beware that old photo surfacing online

True, but I don't quite use that one. And it was a long time ago. And there is no one who would be in the business of scanning such a photo, even if it existed, to put online, and it wouldn't be identifiable with me anyway.

2
0
Happy

Date of birth

When, for no obvious reason, I am asked to give my birth date, I will usually put 01/01/1980 - the lowest possible date in the FAT file system. This is clearly when obesity started...

5
0
Coat

Re: Date of birth

But "01/01/1980" isn't a date - it's an incomprehensible string of decimal digits and slashes. A date has the format "yyyy-mm-dd".

https://xkcd.com/1179/

3
0
Silver badge

Re: Date of birth

So you say all your dates (xxxx, mm dd)?

What about all the hispanics and so on that say "dd de mm, yy" (or simply English who say "ddth of mm, yyyy")?

Anyway, the mm/dd/yyyy format is consistent with Americans and many other English speakers who say "mm ddth, yyyy".

The ISO date format is as much a mishmash of letters and dashes as any other date format. The ONLY reason it's so useful in computers is that it AUTOMATICALLY sorts dates chronologically if you perform a simple ASCII sort (to the second if you use the extended format which includes a 24-hour time).

0
0
Silver badge

But we still have that first-factor snafu

I'll admit I've typed my password into the login box more than once - plain-text, unmasked. I think that happens because I'm old and that some sites come with pre-filled username fields (thanx, browser) and others don't.

Or when I accidentally type in a password from one site into another's password field. Not hard to do at work when I'm switching between 3-4 login screens.

PEBKAC

2
0
Anonymous Coward

Adding 2fa to LastPass with 2fa active is exactly like adding a password to Lastpass; there is no extra risk.

As for Lastpass breaches, unless someone had a really easy master PW (without 2fa) the passwords in the vault should be safe.

I never activate (or deactivate) auto fill; I usually have multiple logins for sites, so auto fill doesn't work for me anyway.

1
1

Silver badge

New password system

I am currently implementing a new universal password system, one I feel confident will cause the vast majority of would-be hackers to go find someone easier to hack. It's not impossible to hack, nothing is, but I want to make it sufficiently difficult to hack that noxious persons go after lower-hanging fruit.

1 create a base passcode. The base is a ten-digit combination of uppercase, lowercase, numbers, and special characters. It is split into two parts (and no, I will not be telling how many characters are in each part.) It is chosen specifically to have absolutely nothing to do with any of my personal info, or with any particular site, or anything at all that I can think of. It's as nearly random as I can make it.

2 generate a unique passcode for each site, typically eight to ten characters, uppercase, lowercase, numbers, and special characters. Because the unique passcode is set up specifically for each site, it is chosen in a way that makes sense to me, and probably not to anyone else.

3 put part of the base code, then the unique code, then the rest of the base code. Note that the leading few characters and the trailing few characters are always the same, but the characters in the middle, and the total number of characters, changes for each site.

Should the bad guys by some miracle manage to figure out what I use for the leading few and trailing few, they still have to work out that stuff in the middle. And the password is, overall, an 18 to 20 character password. Lots of luck breaking it. It can be done, but there are other people who have far weaker passwords. If someone were to work out what I use for the first x characters and the last y characters, they would then only have to break the middle 8-10 characters. Quite possible. But first they gotta have enough examples of my stuff to work out the base code. That would be a non-trivial exercise. If the Feds are actively hunting me, specifically, they can gather the info necessary. (Or, more likely, get a search warrant and haul me before the courts when I decline to provide them the password.) The majority of criminal gangs won't bother. And I can always make things interesting for anyone trying to break my password by altering the split in the base passcode, or by simply adding a character or two.

There are, unfortunately, some places which restrict the maximum number of characters in a password, and some places which don't allow all of the special characters, and some places which do both. I let the admins at those places know that they have an insecure site (and they just love me for it, they do) and generate a unique passcode just for them. They are the ones who cause me trouble to remember the password, as they don't fit the normal pattern. I try to avoid sites like that.

There are sites which are simply not worth the effort involved in generating a secure password. (I'm looking at you, El Reg.) They get a much simpler generic eight to ten character passcode.

0
5
Anonymous Coward

2FA -> 1FA

It's called two factors, because it combines something you know with something you possess.

The thing you know is your login/password combination. The thing you possess is a device that can generate an authentication code, via a secret seed.

Of course, the whole point of a 2FA machine is lost if you DON'T KEEP IT A SECRET! Why are you storing it with your username/password, eh? :v

0
0
Silver badge

2FA has been broken for a while

You log in from your phone and a verification token is pushed to your phone. That's not 2FA anymore. It just means that the malware needs to be put on your phone rather than your desktop computer.

Token generator key fobs are a bit better because it must be physically stolen and used before the owner deactivates it.

2
1
Silver badge

Re: 2FA has been broken for a while

Oh? What if they steal the secrets needed to crack the algorithm? Wasn't that what the RSA attack was about?

PS. If they pwn the login point, then no amount of security will work because it can hijack anything at the point of entry. Even OTPs.

0
0
Orv
Silver badge

Re: 2FA has been broken for a while

The separate token generator doesn't help if your endpoint is compromised, either; they can just intercept the token when you type it in. Granted, it has to be used immediately, but that's a minor hurdle.

The real weakness of most 2FA schemes isn't the 2FA scheme itself, but the session token generated once you log in. The session token is effectively a 1FA, since no one wants to type in a token number every single time they click a button on the site. Anything that allows stealing or predicting that token will result in a security hole. (Both Twitter and Discord have suffered attacks based on this.)

0
0

How would you then solve the problem of having multiple 2FA accounts and you lose/change/factory reset your phone? You get locked out of your accounts or you manually uninstall 2FA on each account. Every time.

By the way... Authy does 2FA backups also.

1
0
Orv
Silver badge

For my GMail account I have an OTP that I printed out as an alternative form of 2FA. Once I log in with that, I can add my new phone.

0
0
Thumb Up

scott

tiger

3
0
