Security

LastPass No Longer Requires a Password To Access Your Vault (engadget.com)

LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
  • Wonderful /sarcasm (Score:4, Insightful)

    by fahrbot-bot ( 874524 ) on Monday June 06, 2022 @08:55PM (#62598710)

    Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password.

    And then your phone dies or gets lost/stolen ...

    LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.

    And then your face or fingerprint unlocks *all* your accounts.

    • They already had hardware keys...for paying customers.

    • It's progress for the sake of progress, mate. If any of Lastpass's engineers had doubts about it, I'm sure they were quickly shut down by their incompetent product or marketing managers.

  • by awwshit ( 6214476 ) on Monday June 06, 2022 @09:01PM (#62598716)
  • by vux984 ( 928602 ) on Monday June 06, 2022 @09:03PM (#62598720)

    I sign into bitwarden on my phone with biometrics all the time and have done for months.
    Lastpass might well be the first to link web-login to the app biometric login though, which is a nice step.

    Of course, most of this passwordless stuff is BS ... for most of them you still fall back on a password as soon as the new-shiny-passwordless-login-option fails or isn't available for some reason, in which case it's not more secure than a password because it's STILL secured by a password, and now you have another way TOO.

    You can't make a system more secure than the weakest link by adding other links.

    • You can't make a system more secure than the weakest link by adding other links.

      Every time you use your password somewhere there's a risk you're entering it into a phishing login prompt.

      Every computer that you type your password into is a computer that might have a keylogger installed on it, harvesting credentials.

      Every server that stores a password is a server that might not have salted their database properly and could be theoretically brute forced.

      • My phone where I run the app could be hacked too. There is no perfect solution.

      • by vux984 ( 928602 )

        "Every time you use your password somewhere there's a risk you're entering it into a phishing login prompt."

        2FA proxying is a thing. They send you to a fake lastpass login, you click "passwordless login baby!" they proxy that request over to the real lastpass, your phone beeps, you authenticate, and the bad actors are in.

        Or the phishing page says... hey... oops there was an error. Something isn't working. We need to fall back to the recovery password, or we need to confirm your password, or whatever, and th

        • by AmiMoJo ( 196126 )

          2FA proxying is easy to defeat though. If you use a security key it can simply check the URL making the request, and the browser will always send the top level iFrame one so they can't fool it that way.

          Google pops up a prompt on your phone, which again cannot be created by any website other than Google.

          • by vux984 ( 928602 )

            "2FA proxying is easy to defeat though. If you use a security key it can simply check the URL making the request, and the browser will always send the top level iFrame one so they can't fool it that way."

            You can beat a security key if you can get a fake cert the client trusts. Like it would be pretty easy if you can compromise a corporate cert -- where all the employee machines trust it. Then you can phish corporate employees e.g. google accounts even if they have security keys on them.

            But I agree, a gett

      • Every time you use your password somewhere there's a risk you're entering it into a phishing login prompt.

        This is the exact problem FIDO2 attempts to solve. Passwords can be phished, so they don't want you to enter passwords anywhere. Instead, you use a public/private key pair based login. If a phishing attack manages to steal your PIN/fingerprint/etc, it doesn't do them any good unless they also steal (or remotely control) your device(s) too.
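The origin binding that the two replies above describe (the browser stamps the calling page's origin into the signed client data, so a proxied login from a look-alike site is rejected by the real service) can be checked on the relying-party side. This is an added illustration, not LastPass's or Engadget's code; the relying-party ID, origins and challenge are constructed placeholders, and the final ECDSA signature check over the returned message is left to a library such as `cryptography`.

```python
import base64
import hashlib
import json
# Constructed relying-party settings (placeholders, not LastPass's real values).
RP_ID = "vault.example"
ALLOWED_ORIGINS = {"https://vault.example"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def client_data(challenge: bytes, origin: str) -> bytes:
    """What the *browser* builds: it stamps the origin of the page that called WebAuthn."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs; the RP verifies them with the stored credential public key."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def check_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes) -> tuple[bool, str]:
    """Relying-party checks that reject a proxied assertion before any signature is examined."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge is not the one issued for this session (replay or cross-session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party (phishing/proxy page)"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "accepted; now verify the signature over signed_message()"

def demo() -> dict:
    challenge = b"constructed-challenge-use-os-urandom"  # a real RP draws os.urandom(32) per login
    auth = authenticator_data(RP_ID)
    genuine = check_assertion(challenge, client_data(challenge, "https://vault.example"), auth)
    # Attacker-in-the-middle case: the victim's browser is on the proxy's page, so it stamps that origin.
    proxied = check_assertion(challenge, client_data(challenge, "https://vault-login.example"), auth)
    return {"genuine": genuine, "proxied": proxied}
```

The proxied assertion fails on the origin check even though the user genuinely tapped their authenticator, which is the property the thread contrasts with a password or a pushed approval that any page can relay.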

  • lol hahaha funny
  • by TallGuyRacer ( 920071 ) on Tuesday June 07, 2022 @01:13AM (#62599116)
    I've just tried this because I was curious. However, I suspect by the time I've pulled out my phone, unlocked it with a thumbprint, approved the request in the Lastpass Authenticator app (which does open automatically), and then verified my thumbprint again, it would have been quicker and easier to have just typed in my password. Will keep the setting for now, but will likely change it back after I get sufficiently annoyed.
  • I'll stick with 1password, thanks anyway
  • by devslash0 ( 4203435 ) on Tuesday June 07, 2022 @05:51AM (#62599402)

    The problem with biometrics is that you can't change them. Say your password leaks. No problem - you can change it within minutes. The same does not apply to biometrics - you can't replace your papillary lines, irises or a facial pattern. Once your biometrics leak from any system, you're screwed - the thieves can now impersonate you with 100% accuracy every time from now on.

    Or say you have an accident that changes one of your biometrics - you're fked too.

    Meanwhile, the article states that LastPass wants to move away from a master password altogether and rely on bio alone.

    https://www.csoonline.com/arti... [csoonline.com]

    • by AmiMoJo ( 196126 )

      That's why you never use your biometrics as the key. At most, you use them to quickly unlock the key after you already authenticated using a good password.

      Maybe you have a different threat model, and that's fine. Don't use biometrics at all. But for 99% of people they make them more secure, not less. 99% of people re-use the same lame passwords if given the chance.

    • by Junta ( 36770 )

      If they are doing things the FIDO way, the fingerprint is more of a sanity check performed by the device in the hand to see that the user is authorized. I don't know why lastpass would make a big deal about adding those, since all that comes 'for free' if using the standards (if the phone is the authenticator, then *whatever* mechanism the user has elected to unlock the screen is also the mechanism to consent to the phone doing key-based authentication).

      You are not authenticating to the remote site with you
