I agree
I noticed LastPass was wittering on about my problem of typing in 6 digits. I think I will carry on using Authenticator Plus and suffer from the "Real" hassle it causes.
Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …
Most people use the same username on all sites - and usually the same email address
Personally, I use a different (and random) email address (from one of the 3 domains that I own) for most sites, together with a unique password for that site. It gives me the advantage of knowing if a site has been hacked (or has just sold my information), as I then see spam coming to an address that was only ever used on that single site.
Never sign in with any Social credentials (Facebook, Google+, Microsoft, etc...)
I also use a combination of KeePass for day to day stuff (several copies stored in different locations and synced every few weeks), encrypted text files contained in encrypted zip files on an encrypted USB stick for truly important stuff (with encrypted backups on my home NAS and at least one offline USB drive).
Me? Paranoid? Never! Who said that I was?
"personally, I use a different (and random) email address (from one of the 3 domains that I own) for most sites, together with a unique password for that site."
I used to do that - and could alert suppliers when their unique address appeared in spam. Then Vodafone outsourced the Demon email service to a Microsoft 365 service. That now limits the addresses in your Demon subdomain to a maximum of 100 - and you have to register a new one before you can use it.
>>I use a different (and random) email address (from one of the 3 domains that I own)...
[engage Michael Caine voice]
Not a lot of people know this. But, if you use Gmail, you can also do this by adding +<something> to your gmail address and the emails will still get to you.
So, if your email is fred@gmail.com, you can sign up at Acme Widgets website with fred+acme@gmail.com. Then when you start getting spam at that address, you'll know exactly who sold on your data. I have a junk Gmail address for exactly this purpose.
Also works on your own domains, if you use Google's mx servers to handle your email for those domains.
[Of course, needless to say, some eejit websites' email validators won't accept an email address with a + in it as being legit]
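As an added example that is not part of the thread, the following Python shows the plus-addressing trick from the posts above used as a leak tracer: each site gets its own tag, and any mail reaching a tagged address from a sender other than that site points at the site that leaked or sold it. It also includes a local-part validator that, unlike the ones the poster complains about, accepts "+" (the RFC 5322 dot-atom grammar allows it). The registrations and inbound headers are constructed sample data; the mailbox, site domains and function names are this example's own assumptions.

```python
"""Added example (not from the thread): plus-addressing as a leak tracer.
Assumes a Gmail-style mailbox where "fred+tag@gmail.com" delivers to
"fred@gmail.com". All registrations and inbound mail below are constructed."""
import re
from collections import Counter

# Local part per RFC 5322 "dot-atom": '+' is an ordinary permitted character.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"^{_ATEXT}(\.{_ATEXT})*$")
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_address(addr: str) -> bool:
    """A validator that accepts plus-tagged addresses (constructed, simplified)."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep and _LOCAL_RE.match(local) and _DOMAIN_RE.match(domain))


def split_plus(addr: str):
    """'Fred+ACME@gmail.com' -> ('fred@gmail.com', 'acme'); untagged -> tag None."""
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}".lower(), (tag.lower() or None)


def attribute_leaks(registrations: dict, inbound: list) -> Counter:
    """registrations: {tag: site_domain the tag was given to}
    inbound: [(sender_domain, to_address)] for unsolicited mail.
    Counts messages that reach a tagged address from anyone other than the
    site that address was registered with; those are the leak indicators."""
    leaks = Counter()
    for sender, to in inbound:
        _, tag = split_plus(to)
        site = registrations.get(tag)
        if site is None:
            continue  # untagged or unknown tag: nothing to attribute
        sender = sender.lower()
        if not (sender == site or sender.endswith("." + site)):
            leaks[site] += 1
    return leaks


# Constructed sample data: two sites registered with their own tags,
# followed by the "To:" addresses and sender domains of later inbound mail.
REGISTRATIONS = {"acme": "acme.example", "widgetco": "widgetco.example"}
INBOUND = [
    ("acme.example", "fred+acme@gmail.com"),            # legitimate, from the site itself
    ("cheap-pills.example", "fred+acme@gmail.com"),     # third party using the acme tag
    ("mail.widgetco.example", "fred+widgetco@gmail.com"),  # legitimate subdomain sender
    ("spam.example", "Fred+ACME@gmail.com"),            # case differs, same tag
    ("spam.example", "fred@gmail.com"),                 # untagged: cannot attribute
]

if __name__ == "__main__":
    print(attribute_leaks(REGISTRATIONS, INBOUND))  # acme.example seen twice from strangers
```

In practice you would feed `attribute_leaks` the sender domains and recipient addresses pulled from the headers of your junk folder; the count per site tells you which tag is now circulating outside the site it was given to.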
"However, many companies, including Google, Facebook and Dropbox also offer the ability to generate one-off access codes from a device or app. You usually scan a barcode unique to your account, and this is used to calculate a sequence of access codes, with a new code every minute or so."
Yeah, if someone manages to get into your LastPass account, sure. But wasn't that advantage already removed the very moment when the user themselves opted not to use a device such as a phone but instead opted for a one-off access code which is being sent to the same machine which they used to provide their username and password on?
How is this any different?
If they can pwn the point of entry, then any other kind of entry screening is moot since they still have to go through the point of entry. IOW, 2FA isn't going to work not because it's going to the same point as the pwned point of entry but because it'll have to go through the pwned point of entry anyway.
Is quite simply the best security policy.
The reason being that if someone has physical access to your computer then all bets on security are off.
That inch of wood between your keyboard and the password fools any and all internet hackers.
If someone is in your house, you have bigger fish to fry than your Facebook/The Register forum passwords.
"If someone is in your house, you have bigger fish to fry than your Facebook/The Register forum passwords."
I wouldn't do that in the office - but I totally agree about using the method at home. My bank account is secured by a stand-alone 2FA device whose PIN is in my head.
I always told people if they had to write down the password, to stick it in their wallet. Most people are very careful to not let their wallet out of their sight, and if it's ever stolen they'll know it and can change the password.
I don't really understand how these mechanisms can claim to be 2FA, if the second factor can be reduced to a piece of information that can be digitally duplicated into your LastPass. It's two things you know: your password and the seed value. That's 1FA, not 2FA.
For it to be a real "something you have" factor, the key needs to be hidden inside some kind of hardware, like an RSA key or one of those bank PIN devices.
@Charles 9: if you lose your physical token, you're locked out until the administrator issues you a new one.
If your data is not sensitive enough to justify the extra hassle of 2-factor authentication, don't use 2-factor authentication.
I just don't like seeing people claiming their authentication system is 2FA when it's not.
RSA keys also use a seed value, so in that sense it's all information. The distinction between "something you have" and "something you know" is subtle. I have an RSA key, which has a seed on it. I have my phone, which has a seed on it. The only distinction is that one of them is a specialized computing device, and the other is general-purpose.
These pseudo-2FA systems use a seed that an end user can access, copy and put into another program. Real 2FA systems use a seed that's sealed inside tamper-resistant hardware, and can't be accessed without physically possessing and destroying the hardware. That seems a clear distinction to me.
I understand the worry about "putting your eggs in one basket"; however, the argument against LastPass's support of 2FA is incomplete. If you decide to use the absolutely worst configuration for LastPass then yes, the article is correct. However, most LastPass users use 2FA to access LastPass, and the more security conscious among us also make sure LastPass sessions are not perpetual.
If you are on my LastPass it means you are either me (as I have used 2FA to authenticate) or you have hijacked my machine. However, if you've hijacked my machine, you can just steal my session cookies or route your connection through my device to get into any account requiring 2FA, not to mention you probably already have a keylogger installed. If your device is insecure, your accounts are toast. If your device is secure, then there is no threat to your other accounts protected by 2FA. Why do you need to juggle 7 different seeds instead of securely authenticating once with 2FA and then accessing your accounts? BTW, the argument used by this article can also be leveled at any application that aggregates 2FA seeds, for example, Google Authenticator...
If someone hacks your Google Authenticator they have access to all of the 2FA seeds stored in that application. To hack Google Authenticator you would need to compromise the device (same as LastPass). What is the solution? Would storing your authentication tokens on 7 different authentication apps make you more secure? Most likely not. If the device is compromised, all of those apps are likewise probably compromised. The only thing you've done is made people less likely to use 2FA because no one wants to juggle 7 different authentication apps (any one of which could contain security vulnerabilities which further decreases your device's security).
They are free to hack LastPass. The way the architecture works, LastPass only stores an encrypted blob, so the contents can't feasibly be obtained unless the master password is very weak. LastPass doesn't even hold your master password. The only problem I see is if hackers somehow manage to replace the LastPass add-on with a malicious version in the app store and make people update to it. That means that LastPass's certificate was compromised and that someone had the credentials to upload to the store and that there was no control to detect that a new extension/app was deployed without the relevant change control. I would say that the risk of all of that is much lower than the risk of having one password compromised and then having multiple accounts compromised because you were using the same password.
I feel it helps to limit on-line access to financial accounts. I can log on to my bank, but my account type won't let me move money around. The hacker in Moldavia can't transfer funds from my bank to his.
So the weakest point is online shopping. If they can log on and ship something from Amazon to their place, they've got me. But Amazon has the address. Not a good way for the Moldovan hacker to get rich.
So what's left? They can hack into my Register account and put comments in under my name. So maybe, worst case, this message is from the hacker, not "Me".
It's not as if people tend to jump to conclusions either :)
Note that the guy who reported "serious problems" with LastPass Authenticator app later had to retract his primary concern: NO, it never was possible to hack in and gain access. That was his own misunderstanding based on an invalid test (using a local image rather than the actual LP-site-based image.)
Their only real vulnerability was to remote turn-off of 2FA. And that's been fixed.
Interestingly, LastPass has proven the security of their system the hard way: their central servers were hacked... and nothing useful was obtained or obtainable about their customers! They don't know, and don't have access to, your passwords, keys or anything else of use to a hacker.
I agree with others, based on experience: NO technology is completely secure. Everything has bugs, everything can in some way be hacked given sufficient time and knowledge of the humans involved. At this point, after extensive testing, I am using LP personally and with family.
LP certainly is not perfect: I have found numerous bugs in the UI, pain-in-the-neck feature implementations, etc. But nothing that exposes confidential information. (The main thing I don't like: I can share a record with another account, but the actual password is locked from visibility. In many use cases, that is unacceptable.)