Print

Print


LastPass supports multifactor authentication with Duo Security, as seen on their two-factor authentication page, https://helpdesk.lastpass.com/multifactor-authentication-options.  Duo Security is one of the methods we’ve been testing for use on PeopleSoft two-factor, and it works nicely.  You can setup Push, SMS, or land-line options so you don’t always need your mobile phone to make it work.  See https://helpdesk.lastpass.com/multifactor-authentication-options/duo-security.

The technical details about just how/when LastPass performs two-factor are a little lacking, but I did find this in the FAQ (https://lastpass.com/support.php?cmd=showfaq&id=1826):

How does LastPass securely identify a trusted computer?

When you check the option to mark a device as "trusted", we create a random, unique identifier for that device. We then encrypt that ID using Windows "crypt protect data" functions, which encrypt the ID based on the user's credentials. This ensures that another user would not be able to decrypt it. We then store the encrypted ID on the hard drive, and store a hash of the ID on our server in a database. This is passed back after the user tried to login - the hash is compared with the hash of the ID after it has been decrypted (after the user enters their email address + master password). If they match, LastPass then skips the prompt for a multifactor authentication and logs in the user. 

For mobile devices, LastPass uses a randomly generated id that is stored in secure phone storage.

From that I surmise that you only need to go through the two-factor process once per browser to make it a trusted device, although the above sounds like (on Windows computers anyway) it doesn’t matter which browser you use.  Not sure how that’d correlate on a Mac, but I imaging a similar method is used.  It’s also possible that you’d only need to go through the two-factor when you enter your master password to unlock your vault.  I was going to set it up on mine and I can report back later.

--Joe.

-- 
Joe Parent
ETS Client Services, UVM
http://www.uvm.edu/it/


From: Andrew Hendrickson <[log in to unmask]>
Reply-To: Technology Discussion at UVM <[log in to unmask]>
Date: Tuesday, June 16, 2015 at 11:23 AM
To: Technology Discussion at UVM <[log in to unmask]>
Subject: Re: LastPass was breached

So, which of the lengthy list of two part authentication methods do people recommend?

I have little experience but would like something that won’t hit me up for every login, only if something changes (unfamiliar device, remote IP).

I don’t have cell service at home, so having to use the phone to authenticate every time is going to be an issue.  Unless that authentication also works over wifi under iOS?

AEH

On Jun 16, 2015, at 8:12 AM, Geoffrey Duke <[log in to unmask]> wrote:
Analysis from Ars Technica:
Hack of cloud-based LastPass exposes hashed master passwords
Users: Change your master password and enable 2-factor authentication immediately.
... Ars resident password expert Jeremi Gosney said the real-world risks the breach posed to end users was minimal. He based his assessment on the LastPass response to the breach and the system that was in place when it happened.
--Geoff
-----Original Message-----
From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of Jacob Beauregard
Sent: Monday, June 15, 2015 7:07 PM
Subject: LastPass was breached
"We want to notify our community that on Friday, our team discovered and
blocked suspicious activity on our network. In our investigation, we
have found no evidence that encrypted user vault data was taken, nor
that LastPass user accounts were accessed. The investigation has shown,
however, that LastPass account email addresses, password reminders,
server per user salts, and authentication hashes were compromised."

Andrew Hendrickson
CAS IT Administrator
UVM, College of Arts & Sciences

802-656-7971

[log in to unmask]

To submit a request for service please use:
http://footprints.uvm.edu/ashelp.html