
LastPass supports multifactor authentication with Duo Security
<https://www.duosecurity.com/> , as seen on their two-factor authentication
page, https://helpdesk.lastpass.com/multifactor-authentication-options.  Duo
Security is one of the methods we've been testing for use on PeopleSoft
two-factor, and it works nicely.  You can set up Push, SMS, or land-line
options so you don't always need your mobile phone to make it work.  See
https://helpdesk.lastpass.com/multifactor-authentication-options/duo-security.

The technical details about just how/when LastPass performs two-factor are a
little lacking, but I did find this in the FAQ
(https://lastpass.com/support.php?cmd=showfaq&id=1826):
> How does LastPass securely identify a trusted computer?
> When you check the option to mark a device as "trusted", we create a random,
> unique identifier for that device. We then encrypt that ID using Windows
> "crypt protect data" functions, which encrypt the ID based on the user's
> credentials. This ensures that another user would not be able to decrypt it.
> We then store the encrypted ID on the hard drive, and store a hash of the ID
> on our server in a database. This is passed back after the user tried to login
> - the hash is compared with the hash of the ID after it has been decrypted
> (after the user enters their email address + master password). If they match,
> LastPass then skips the prompt for a multifactor authentication and logs in
> the user. 
> 
> For mobile devices, LastPass uses a randomly generated id that is stored in
> secure phone storage.

From that I surmise that you only need to go through the two-factor process
once per browser to make it a trusted device, although the above sounds like
(on Windows computers anyway) it doesn't matter which browser you use.  Not
sure how that'd correlate on a Mac, but I imagine a similar method is used.
It's also possible that you'd only need to go through the two-factor when
you enter your master password to unlock your vault.  I was going to set it
up on mine and I can report back later.

--Joe.

-- 
Joe Parent
ETS Client Services, UVM
http://www.uvm.edu/it/

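The trusted-device scheme in the FAQ quoted above is easier to reason about as running code. What follows is an added example written for this thread, not LastPass's own code: the server keeps only a SHA-256 hash of each random device ID, the client keeps the ID encrypted under the local user's credential, and at login the decrypted ID is presented and re-hashed for comparison. Windows CryptProtectData (DPAPI) is not available cross-platform, so `protect()`/`unprotect()` are a labelled stand-in built from PBKDF2 and HMAC-SHA256; the account name and credentials are made up. The last case shows why a leaked server-side hash (the kind of data the breach notice lists) cannot be replayed as a trusted-device token.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not LastPass code: a model of the trusted-device flow the
# LastPass FAQ describes. The server stores sha256(device_id) only; the client
# stores device_id encrypted under the local user's credential. DPAPI is
# Windows-only, so protect()/unprotect() are a PBKDF2 + HMAC-SHA256 stand-in.
# Account names and credentials below are made up for the demonstration.

ITERATIONS = 100_000


def _derive_keys(local_credential: bytes, salt: bytes):
    key = hashlib.pbkdf2_hmac("sha256", local_credential, salt, ITERATIONS, 64)
    return key[:32], key[32:]          # (encryption key, MAC key)


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(local_credential: bytes, plaintext: bytes) -> bytes:
    """Stand-in for CryptProtectData: encrypt-then-MAC under keys bound to the
    local user's credential, with a fresh salt per call."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(local_credential, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unprotect(local_credential: bytes, blob: bytes):
    """Stand-in for CryptUnprotectData. Returns None when the credential is
    wrong or the blob was tampered with, so another OS user cannot recover it."""
    if len(blob) < 16 + 32:
        return None
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(local_credential, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, salt, len(ct))))


class TrustedDeviceServer:
    """Server side: keeps a hash of each trusted-device ID, never the ID itself."""

    def __init__(self):
        self._hashes = {}   # account -> set of sha256(device_id)

    def enroll_trusted_device(self, account: str) -> bytes:
        # Called once the user has completed the second factor on this device.
        device_id = secrets.token_bytes(32)   # random, unique per device
        self._hashes.setdefault(account, set()).add(hashlib.sha256(device_id).digest())
        return device_id   # handed to the client once; not retained server-side

    def needs_second_factor(self, account: str, presented_id) -> bool:
        if presented_id is None:
            return True
        h = hashlib.sha256(presented_id).digest()
        return not any(hmac.compare_digest(h, stored)
                       for stored in self._hashes.get(account, ()))


def login(server, account, local_credential, stored_blob):
    """Client login after email + master password are accepted: decrypt the
    stored ID, if any, and let the server decide whether to prompt for 2FA."""
    device_id = unprotect(local_credential, stored_blob) if stored_blob else None
    return "prompt-2fa" if server.needs_second_factor(account, device_id) else "skip-2fa"


def demo():
    server = TrustedDeviceServer()
    account = "joe@example.edu"               # made-up account
    joe_cred = b"joe-windows-logon-secret"     # made-up local credential
    other_cred = b"another-windows-user"       # made-up second OS user

    # First login on this PC: second factor completed, device marked trusted.
    blob = protect(joe_cred, server.enroll_trusted_device(account))

    # Simulate the server-side record leaking and being replayed as if it were the ID.
    leaked_hash = next(iter(server._hashes[account]))

    return {
        "same_user_same_pc": login(server, account, joe_cred, blob),
        "other_os_user_same_blob": login(server, account, other_cred, blob),
        "fresh_pc_no_blob": login(server, account, joe_cred, None),
        "replay_leaked_hash": login(server, account, joe_cred, protect(joe_cred, leaked_hash)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26s} {outcome}")
```

The comparison on the server uses `hmac.compare_digest` rather than `==` so that timing does not reveal how many bytes of a guessed hash matched; with a 32-byte random ID that is belt-and-braces, but it costs nothing. Note that only the Windows trusted-computer path is modelled here; the FAQ says mobile devices use a randomly generated ID in secure phone storage, which this example does not attempt to reproduce.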

From:  Andrew Hendrickson <[log in to unmask]>
Reply-To:  Technology Discussion at UVM <[log in to unmask]>
Date:  Tuesday, June 16, 2015 at 11:23 AM
To:  Technology Discussion at UVM <[log in to unmask]>
Subject:  Re: LastPass was breached

> So, which of the lengthy list of two part authentication methods do people
> recommend?
> 
> I have little experience but would like something that won't hit me up for
> every login, only if something changes (unfamiliar device, remote IP).
> 
> I don't have cell service at home, so having to use the phone to authenticate
> every time is going to be an issue.  Unless that authentication also works
> over wifi under iOS?
> 
> AEH
> 
>>  On Jun 16, 2015, at 8:12 AM, Geoffrey Duke <[log in to unmask]> wrote:
>>  
>>  Analysis from Ars Technica:
>>  
>>  Hack of cloud-based LastPass exposes hashed master passwords
>>  Users: Change your master password and enable 2-factor authentication
>> immediately.
>>  
>>  ... Ars resident password expert Jeremi Gosney said the real-world risks the
>> breach posed to end users was minimal. He based his assessment on the
>> LastPass response to the breach and the system that was in place when it
>> happened.
>>  
>>  Full article: 
>> http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
>>  
>>  --Geoff
>>  
>>  
>>>  -----Original Message-----
>>>  From: Technology Discussion at UVM [mailto:[log in to unmask]] On
>>>  Behalf Of Jacob Beauregard
>>>  Sent: Monday, June 15, 2015 7:07 PM
>>>  To: [log in to unmask]
>>>  Subject: LastPass was breached
>>>  
>>>  "We want to notify our community that on Friday, our team discovered and
>>>  blocked suspicious activity on our network. In our investigation, we
>>>  have found no evidence that encrypted user vault data was taken, nor
>>>  that LastPass user accounts were accessed. The investigation has shown,
>>>  however, that LastPass account email addresses, password reminders,
>>>  server per user salts, and authentication hashes were compromised."
>>>  
>>>  https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
> 
> Andrew Hendrickson
> CAS IT Administrator
> UVM, College of Arts & Sciences
> 
> 802-656-7971
> 
> [log in to unmask]
> 
> To submit a request for service please use:
> http://footprints.uvm.edu/ashelp.html
>