Which 2FA solution to use now that LastPass Authenticator is also compromised
If you very carefully read LastPass's newest security bulletin you notice that LastPass didn't only lose the user password data of the LastPass Password Manager but also the 2FA seeds of the LastPass Authenticator. In typical LastPass communication style it's barely mentioned in half a sentence.
So if the "threat actor" manages to brute force the master password he or she will not only have the passwords but the 2FA seeds as well. I've been wondering about that for a while and now I have certainty.
LastPass Authenticator was a very nice authenticator with sort, favourites, folders and built-in backup/sync. The latter of course turned out to be a not so great idea.
Has anybody got any suggestions which authenticator to use to replace LastPass Authenticator with?
1Password Version: N/A
Extension Version: N/A
OS Version: N/A
Browser: N/A
Comments
What about 1Password? 😉
0 -
However, you might need a third-party tool if you enabled 2FA for your 1Password account…
https://support.1password.com/two-factor-authentication/
I’m using Duo for that, but might switch to 2FAS.
0 -
you might need a third-party tool if you enabled 2FA for your 1Password account
or a hardware security key. 😃 Yubikeys are pretty rad.
Ben
0 -
@krischik I myself use the built-in 2FA feature in 1Password. I know it's not 'true 2FA' but the convenience, after @ag_tommy mentioned it to me, is amazing: it fills the 2FA codes in the browser and automatically copies them on mobile for me. Also, I never have to worry about losing my 2FA seeds, as they're backed up with the rest of my vault, so they're always there when I set up a new device or would be on my other device if one stopped working.
0 -
@Kakkoister2 @XIII One of the things we can learn from the LastPass disaster is that having passwords and 2FA in the same vault might not be the best idea. It might be a good idea to use two different tools from different companies. At least if you plan to sync your 2FA.
0 -
@krischik I do see what you're saying, but 1Password is far superior to what 'LastPass' is. I would want you to remember, although having 2FA done by 1Password isn't 'true 2FA', it is still better than not having 2FA. Also, your vault is protected by your account password and secret key. So I myself have no worry of storing my 2FA seeds in my vault. I would say if you want your 2FA seeds on a separate device, also make sure you back those up, so you never lose them. I would suggest you can save a copy of the 2FA seed in your vault and have it on your other device.
0 -
I would say if you want your 2FA seeds on a separate device, also make sure you back those up, so you never lose them.
Speaking from experience here and losing mine way back in ancient history, this is very sound advice. No matter which option you decide on, please make sure you have a backup plan in place.
0 -
or a hardware security key. 😃 Yubikeys are pretty rad.
Yes they are! I have three and wish more services would support them…
0 -
@ag_tommy Were you ever able to recover the accounts, when you lost the 2FA back then? I have like my email which is a critical account, set up with everything saved in 1Password. With no recovery methods intentionally set. As if it was made easy to recover, then that wouldn't be good.
0 -
I've had 1Password for a number of years and do use 2FA OTPs within 1Password. I used to use Google Authenticator as my 2FA for 1Password, but then realised that (unless I really mess about with cloning seeds onto two devices) if I lose or crash my phone, I've lost my 2FA access to 1Password.
Whilst I'm typically logged in on about 5 devices at once so it's unlikely, I did buy a Yubikey for 1Password for Christmas and that's locked away in my keysafe at home.
0 -
To profit from the integrated OTP generator in 1Password as well as to avoid some circular dependency (1Password OTP saved within 1Password), I have the OTP for 1Password duplicated in an external authenticator app (Microsoft Authenticator, because I need it anyway for the push notification for my Microsoft account). That's also cloud-synced within the Microsoft ecosystem, so it's difficult to lose.
You might not have noticed it yet, but it's possible to scan these MFA QR codes into multiple authenticator apps. They will all generate the same code. So I printed the 1Password MFA QR code on paper. To recover my accounts from zero, I get the paper prints of my emergency kit and MFA QR code. On a freshly bought Android phone, I log in to a temporary freshly created Google account (I don't have any passwords memorized!). Then I download Google Authenticator and scan the 1Password MFA code from paper. Then I download the 1Password app and sign in with the emergency kit info from paper and the OTP from Google Authenticator. Then I'm in and have access to all my credentials. Then I will be able to sign in to my real Google account on my phone. And I will be able to set up any other devices from there.
Saving all of the MFA codes within 1Password, so putting all eggs in the same basket, is a risk I'm going to accept. The risk that my 1Password vaults will be compromised is extremely low (much, much lower than the disaster with LastPass), so I'm choosing convenience over this risk.
0 -
No, I just moved on. This was prior to moving to 1Password TOTP. I had my items in another app. With everything in 1Password I am much happier. I should clarify 1Password is my recovery method in use.
0 -
@ag_tommy I gotcha, that's unfortunate you weren't able to recover those items. Were these like super important items at the time? For example, you have your email protected with 2FA, and if that is lost, no recovery code, the email is lost. Yes I agree, having the TOTP in 1Password is one less thing to worry about; the auto backup with the vault is one of my top favorite features and I never have to worry about carrying around another TOTP app, just go right into 1Password and there it is. I like how you took a bad experience of losing access to your TOTP app to remind folks that 1Password offers a TOTP solution; definitely, it has been one of my favorite things to learn from you.
0