
Relatively recently, LastPass, a developer of the password manager of the same name, had a user data leak and had the danger of intruders accessing master passwords (although they were not stolen in the clear). This incident dealt a serious blow to their image, although it must be admitted that this could have happened to any of their competitors.
However, LastPass provides its users with the opportunity to provide additional protection in the form of multi-factor authentication of various types. Using several factors to access stored passwords, you can protect yourself against master password leaks from the developer’s server.
In this article, I would like to describe the configuration and use of multifactor authentication in the LastPass password manager.
LastPass has several account tiers, and each tier allows a different set of multi-factor authentication methods.
Free account:
- Google Authenticator - software OTP generated on a smartphone.
- Toopher - PUSH messages to the phone.
- Duo Security - OTP or PUSH to choose from.
- Transakt - push messages.
- Grid - printable sheets with OTP.
Premium / corporate account. It is inexpensive and at the same time makes it possible to use considerably more reliable means of authentication:
- Yubikey - USB device that generates OTP.
- Sesame - A program that generates OTP.
- Fingerprint / Smart Card - use a fingerprint or a smart card with a user certificate.
Unfortunately, OTP technology has many known weaknesses, especially when a user's phone or smartphone is involved. Duplicated SIM cards and trojans on mobile devices are only the most commonplace and widespread attacks, not to mention more sophisticated options. You can also lose access to the codes at the most inconvenient moment, for example if your phone is discharged, broken or has lost network coverage.
OTP technology gained its popularity for a reason, namely its relative simplicity, but it still cannot be called very reliable.
A much more reliable authentication mechanism is PKI / SmartCard technology (a public key infrastructure with non-extractable private keys on smart cards). It is no accident that serious security systems at both the state and corporate level are built on it.
Therefore, in this article we will consider the use of smart cards and tokens in LastPass, as the best trade-off between cost, security and usability, using our smart cards and Rutoken tokens as the example.
The use of smart cards / tokens is reliable (LastPass requires an RSA-2048 certificate issued to the token), convenient (you only need to enter the PIN code in a pop-up window), inexpensive ($20 for the most advanced Rutoken model) and very accessible and common in Russia (perhaps you are already using our token or smart card at your place of work).
Undoubtedly, the use of smart cards or tokens will be truly safe only if the cryptographic scheme is correctly implemented.
Our expert analysis showed that everything "under the hood" is in order: the scheme honestly signs random data with a private key held on a protected key carrier.
LastPass smart card authentication is very easy to set up. Thanks to our cooperation with LastPass, Rutoken tokens and smart cards work with LastPass Password Manager on Windows, OS X, and Linux out of the box.
First of all, if you do not have an RSA-2048 certificate on a token, you can obtain one from your company's infrastructure, create it for free at one of the relevant Internet resources, issue it yourself or buy it if you wish. The security of LastPass authorization will not be affected by the choice. For self-issuing a certificate you can use, for example, OpenSSL, the graphical XCA front-end or, if available, the Microsoft Certification Authority built into Windows Server. Instructions are easy to find on the Internet.
Certificates can also be obtained free of charge from resources such as Comodo or StartSSL.
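The two cryptographic steps the article relies on, self-issuing an RSA-2048 certificate and the "sign random data with the private key" check that the expert analysis refers to, can be reproduced on the command line. The script below is an added example and is not code from the article, from Rutoken or from LastPass; it assumes only that the OpenSSL command-line tool is installed. A file-based key stands in for the token's private key here, which in real use never leaves the device.

```shell
#!/bin/sh
# Added example (not from the original article): self-issue an RSA-2048
# certificate with OpenSSL, confirm the key size LastPass requires, and walk
# through the challenge-response the article describes: the service sends
# random data, the key holder signs it, the service verifies the signature
# against the public key in the certificate.
# Assumes the openssl CLI is installed. The file key.pem stands in for the
# private key that, on a real token, is non-extractable.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a self-signed RSA-2048 certificate (the free OpenSSL route the article mentions).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=lastpass-token-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Print the RSA modulus size (in bits) of the certificate's public key,
# so the "RSA-2048 required" condition can be checked before enrolling.
cert_key_bits() {
    openssl x509 -in "$WORK/cert.pem" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Challenge-response round trip. Returns 0 when the signature over the
# fresh random challenge verifies with the certificate's public key.
challenge_response() {
    openssl rand -out "$WORK/challenge.bin" 32
    openssl dgst -sha256 -sign "$WORK/key.pem" \
        -out "$WORK/sig.bin" "$WORK/challenge.bin"
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/sig.bin" "$WORK/challenge.bin" >/dev/null 2>&1
}

# Why the challenge must be random: a signature captured earlier must not
# verify against a new challenge. Returns 0 when the replay is rejected.
replay_rejected() {
    openssl rand -out "$WORK/challenge2.bin" 32
    ! openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/sig.bin" "$WORK/challenge2.bin" >/dev/null 2>&1
}

make_cert
echo "certificate key size: $(cert_key_bits) bits"
challenge_response && echo "challenge signature verified"
replay_rejected && echo "replayed signature rejected against a new challenge"
```

The same check applies to a certificate you received from a CA: run `openssl x509 -in cert.pem -noout -text` on it and confirm the public key is 2048-bit RSA before trying to enroll it in LastPass.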
Since LastPass talks to tokens and smart cards through a standard PKCS#11 library, we will need to obtain one.
- Windows users simply install the drivers from our site.
- For Linux, take the DEB / RPM package from our site and install it. If necessary, the same link also offers the library itself, which you can install manually into /usr/lib or /usr/lib64 for the x86 or x64 versions of the OS, respectively.
- On OS X, the PKCS#11 library is installed with the "Keychain Support" module or downloaded manually from our website and placed in /usr/lib.
Next, to enable multifactor authentication in LastPass, go to “LastPass Vault” (“My LastPass Vault”) in “Profile Settings” ...
... to the Multifactor options tab.
We are interested in the lower block for Premium users.
Go to the Fingerprint / SmartCard authentication settings. If the PKCS#11 library is installed correctly, the smart card reader appears in the drop-down list. Select "enabled - yes" and click "update".
Master password confirmation will be requested ...
... and the pin code of the smart card / token.
After that we will receive a message about successful authentication setup.
Now, to unlock the passwords saved in LastPass, all you need to do is plug in the token or smart card and enter its PIN code.
As a result, you get a convenient and, most importantly, secure multiplatform solution for storing your passwords. No one will be able to use your account without the smart card / token and knowledge of its PIN code.