LastPass No Longer Requires a Password To Access Your Vault (engadget.com) 29
LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
Wonderful /sarcasm (Score:4, Insightful)
Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password.
And then your phone dies or gets lost/stolen ...
LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
And then your face or fingerprint unlocks *all* your accounts.
Re: Wonderful /sarcasm (Score:1)
Re:Wonderful /sarcasm (Score:5, Insightful)
No, he thinks he's pointing out something excessively obvious, something that the "we're first, it's shiny" lastpass advertisement appears to utterly miss. That this is an utterly insecure thing that no one should lock all of their passwords behind.
Re: (Score:3)
... this is an utterly insecure thing that no one should lock all of their passwords behind.
Damn straight. KeePass database stored where convenient with a key file kept on your person. Why complicate things with fancy, hack-worthy bullshit?
Re:Wonderful /sarcasm (Score:4, Informative)
Because passwords stored that way are prone to phishing. If you fail to notice that you are on a phishing site and enter your password, you just gave the attacker access to your account.
With passwordless login the authentication is tied to the domain making the request. There is no way for a phishing site with a different domain to request the authentication details for the legitimate site, so phishing attacks are basically dead.
Re: (Score:2)
... There is no way for a phishing site with a different domain to request the authentication details for the legitimate site, so phishing attacks are basically dead.
How can another domain make a request when you're running NoScript?
Re: (Score:2)
With passwordless login the authentication is tied to the domain making the request. There is no way for a phishing site with a different domain to request the authentication details for the legitimate site, so phishing attacks are basically dead.
But, since absolutely no FIDO2 keys seem to have any way whatsoever of telling you what site/resource you are about to approve a login to, you have no idea if your fingerprint is being used to unlock just your zappos store account, or a request to access your master keyshare on lastpass launched from a javascript some site managed to trick your browser into running on the browser tab you have open on lastpass.
Some keys do seem to have LCD screens but it appears they are only for time-based OTP outputs.
Re: (Score:2)
Quote from the article, so no - in the end you won't have a master password:
> LastPass is committed to providing customers with a simple, passwordless future with the end goal of completely removing the need for a master password.
Re: (Score:2)
They already had hardware keys...for paying customers.
Re: (Score:3)
It's progress for the sake of progress, mate. If any of Lastpass engineers had doubts about it, I'm sure they were quickly shut down by their incompetent product or marketing managers.
xkcd still applies (Score:4, Funny)
https://xkcd.com/538/ [xkcd.com]
first for a very specific definition of first (Score:3)
I sign into bitwarden on my phone with biometrics all the time and have done for months.
Lastpass might well be the first to link web-login to the app biometric login though, which is a nice step.
Of course, most of this passwordless stuff is BS ... for most of them you still fall back on a password as soon as the new-shiny-passwordless-login-option fails or isn't available for some reason, in which case it's not more secure than a password because it's STILL secured by a password, and now you have another way TOO.
You can't make a system more secure than the weakest link by adding other links.
Re: (Score:2)
You can't make a system more secure than the weakest link by adding other links.
Every time you use your password somewhere there's a risk you're entering it into a phishing login prompt.
Every computer that you type your password into is a computer that might have a keylogger installed on it harvesting credentials.
Every server that stores a password is a server that might not have salted their database properly and could be theoretically brute forced.
Re: (Score:2)
My phone where I run the app could be hacked too. There is no perfect solution.
Re: (Score:3)
"Every time you use your password somewhere there's a risk you're entering it into a phishing login prompt."
2FA proxying is a thing. They send you to a fake lastpass login, you click "passwordless login baby!" they proxy that request over to the real lastpass, your phone beeps, you authenticate, and the bad actors are in.
Or the phishing page says... hey... oops there was an error. Something isn't working. We need to fall back to the recovery password, or we need to confirm your password, or whatever, and th
Re: (Score:2)
2FA proxying is easy to defeat though. If you use a security key it can simply check the URL making the request, and the browser will always send the top level iFrame one so they can't fool it that way.
Google pops up a prompt on your phone, which again cannot be created by any website other than Google.
Re: (Score:2)
"2FA proxying is easy to defeat though. If you use a security key it can simply check the URL making the request, and the browser will always send the top level iFrame one so they can't fool it that way."
You can beat a security key if you can get a fake cert the client trusts. Like it would be pretty easy if you can compromise a corporate cert -- where all the employee machines trust it. Then you can phish corporate employees e.g. google accounts even if they have security keys on them.
But I agree, a gett
Re: (Score:2)
This is the exact problem FIDO2 attempts to solve. Passwords can be phished, so they don't want you to enter passwords anywhere. Instead, you use a public/private key pair based login. If a phishing attack manages to steal your PIN/fingerprint/etc, it doesn't do them any good unless they also steal (or remotely control) your device(s) too.
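The origin binding that the comments above describe (the authentication is tied to the domain making the request, the security key checks the origin, and a stolen PIN or fingerprint is useless without the device) can be seen end to end in a small simulation. The code below is an added example written for this page, not LastPass code and not a FIDO2 library; the relying-party id lastpass.example is a constructed placeholder, and a per-site HMAC key stands in for the authenticator's per-site key pair so that it runs on the Python standard library alone. What is preserved is the WebAuthn structure: the browser, not the page script, writes the origin into clientDataJSON and refuses an rpId the page's origin may not use; the authenticator signs over rpIdHash || flags || SHA-256(clientDataJSON); the relying party checks challenge, origin and rpIdHash before it checks the signature.

```python
"""Origin-bound challenge/response in the style of FIDO2/WebAuthn (added example)."""
import hashlib
import hmac
import json
import secrets

RP_ID = "lastpass.example"       # constructed relying-party id (assumption, not a real host)
RP_ORIGIN = "https://" + RP_ID   # origin the relying party expects in clientDataJSON


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for the phone app or security key. A real FIDO2 authenticator keeps a
    private key per relying party and signs with it; here a per-rpId HMAC key stands in
    for the key pair so the example needs no third-party library. The binding is the
    same: the signed data covers rpIdHash || flags || SHA-256(clientDataJSON)."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # what the site stores (the "public key" in the real protocol)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._creds.get(rp_id)
        if key is None:
            raise KeyError("no credential registered for " + rp_id)
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash + flags (UP = user present)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """What the browser does for navigator.credentials.get(): it, not the page script,
    fills in the origin, and it refuses an rpId the page's origin is not allowed to use."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId %r is not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = auth.get_assertion(rp_id, sha256(client_data))
    return client_data, auth_data, sig


def rp_verify(stored_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: ceremony type, fresh challenge, expected origin, rpIdHash,
    user presence, then the signature over authData || SHA-256(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data[:32] != sha256(RP_ID.encode()) or not (auth_data[32] & 0x01):
        return False
    expected = hmac.new(stored_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_scenarios() -> dict:
    auth = Authenticator()
    stored_key = auth.register(RP_ID)
    results = {}

    # 1. Genuine login from the real site.
    challenge = secrets.token_urlsafe(32)
    results["genuine"] = rp_verify(stored_key, challenge,
                                   *browser_get(auth, RP_ORIGIN, RP_ID, challenge))

    # 2. Proxy phishing: a look-alike page (constructed hostname) relays the real site's
    #    challenge and asks for an assertion for RP_ID. The browser refuses before the
    #    user is ever prompted, so there is nothing to relay back.
    challenge = secrets.token_urlsafe(32)
    try:
        browser_get(auth, "https://lastpass-login.evil.example", RP_ID, challenge)
        results["proxy_phish"] = "assertion produced"
    except PermissionError:
        results["proxy_phish"] = "browser refused rpId"

    # 3. Even if a broken client let that request through, the assertion carries the
    #    phishing origin inside the signed clientDataJSON, and the relying party rejects it.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": "https://lastpass-login.evil.example"},
                             sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(RP_ID, sha256(client_data))
    results["relayed_wrong_origin"] = rp_verify(stored_key, challenge, client_data, auth_data, sig)

    # 4. Replaying a captured genuine assertion against a new challenge fails too.
    captured = browser_get(auth, RP_ORIGIN, RP_ID, secrets.token_urlsafe(32))
    results["replay"] = rp_verify(stored_key, secrets.token_urlsafe(32), *captured)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the browser-side check the thread calls "the browser will always send the top level iFrame one"; scenario 3 shows that the relying party still has its own origin check, so the defence does not rest on the client alone. Neither check helps against the fallback the thread also raises: a page that says "something went wrong, please confirm your master password" is outside the protocol entirely, which is why the relying party's fallback path, not the passwordless path, decides how phishable the account really is.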
Authenticator app (Score:1)
Faster to type password (Score:3, Informative)
1password (Score:2)
Biometrics are a horrible authentication factor (Score:5, Insightful)
The problem with biometrics is that you can't change them. Say your password leaks. No problem - you can change it within minutes. The same does not apply to biometrics - you can't replace your papillary lines, irises or a facial pattern. Once your biometrics leak from any system, you're screwed - the thieves can now impersonate you with 100% accuracy every time from now on.
Or say you have an accident that changes one of your biometrics - you're fked too.
Meanwhile, the article states that LastPass wants to move away from a master password altogether and rely on bio alone.
https://www.csoonline.com/arti... [csoonline.com]
Re: (Score:2)
That's why you never use your biometrics as the key. At most, you use them to quickly unlock the key after you already authenticated using a good password.
Maybe you have a different threat model, and that's fine. Don't use biometrics at all. But for 99% of people they make them more secure, not less. 99% of people re-use the same lame passwords if given the chance.
Re: (Score:2)
If they are doing things the FIDO way, the fingerprint is more of a sanity check performed by the device in the hand to see that the user is authorized. I don't know why lastpass would make a big deal about adding those, since all that comes 'for free' if using the standards (if the phone is the authenticator, then *whatever* mechanism the user has elected to unlock the screen is also the mechanism to consent to the phone doing key-based authentication).
You are not authenticating to the remote site with you