August 2, 2015 at 22:29

Multifactor LastPass



    Relatively recently, LastPass, the developer of the password manager of the same name, had a leak of user data and there was a risk of attackers accessing master passwords (although they were not stolen in the clear). This incident dealt a serious blow to their image, although it is worth recognizing that this could happen to any of their competitors.

    However, LastPass provides its users with the ability to provide additional protection in the form of multi-factor authentication of various types. Using several factors to access saved passwords, you can protect yourself from leakage of master passwords from the developer's server.

    In this article, I would like to describe the configuration and use of multi-factor authentication in LastPass password manager.

    LastPass has different levels of account steepness, and each level allows you to use different methods of multi-factor authentication.

    Free account:
    • Google Authenticator is a software OTP that uses a smartphone.
    • Toopher - PUSH messages on the phone.
    • Duo Security - OTP or PUSH to choose from.
    • Transakt - PUSH messages.
    • Grid - printable sheets with OTP.

    Premium / corporate account. It is inexpensive and at the same time makes it possible to use much more reliable means of authentication:
    • Yubikey is a USB device generating OTP.
    • Sesame - A program that generates OTP.
    • Fingerprint / Smart Card - use a fingerprint or smart card with a user certificate.

    Unfortunately, OTP technology has many known vulnerabilities, especially when a user's phone or smartphone is involved. Duplicated SIM cards, trojans in mobile devices are only the most banal and widespread attacks, not to mention more sophisticated options. You can lose access to codes at the most inconvenient moment, for example, if your phone runs out, breaks or loses its network.

    OTP technology is not in vain gained popularity due to its relative simplicity, but still it can not be called very reliable.

    A much more reliable authentication mechanism is PKI / SmartCard (a public key infrastructure with non-retrievable private keys on smart cards). It is not for nothing that really serious security systems of both state and corporate levels are built on it.

    Therefore, in this article we will consider the use of smart cards and tokens in LastPass, as the most optimal in terms of cost / security / usability, using our smart cards and Rutoken tokens as an example.

    The use of smart cards / tokens is reliable (LastPass requires an RSA2048 certificate issued for the token), convenient (you just need to enter a pin code in the pop-up window), inexpensive ($ 20 for the most sophisticated Rutoken model) and is very affordable and widespread in Russia (moreover , maybe you are already using our token or smart card at your work).

    Undoubtedly, the use of smart cards or tokens will be truly safe only if the cryptographic scheme is correctly implemented.
    Our expert analysis showed that everything is right under the hood — they honestly sign random data with the private key on a secure key carrier.

    Authentication in LastPass with smart cards is very easy to configure. Thanks to our partnership with LastPass, Rutoken tokens and smart cards work with the LastPass password manager on Windows, OS X, and Linux out of the box.

    First of all, if you do not have a RSA2048 certificate on a token, you can get it in the infrastructure of your company, create it for free on one of the relevant Internet resources, write it out yourself or, if you wish, buy it. The security of authorization in LastPass will not be affected. For self-certification, you can use, for example, OpenSSL, the XCA graphics add-in, or, if possible, the Microsoft Certification Authority built into Windows Server. Instructions can be easily found on the Internet.
    Also, certificates can be obtained free of charge on such resources as, for example, Comodo or StartSSL .

    Since LastPass works with tokens and smart cards through PKCS # 11 standard libraries, we will need to get it.
    • Windows users only need to install drivers from our site.
    • For Linux, you need to take the DEB / RPM package from our site and install it. Also, if necessary, using the same link, you can take the library itself and install it yourself in / usr / lib or / usr / lib64 for x86 or x64 versions of the OS, respectively.
    • In OS X, the PKCS # 11 library is installed using the Keychain support module or manually downloaded from our website and placed in / usr / lib.

    Next, to enable multi-factor authentication in LastPass, we’ll go to “LastPass Storage” (“My LastPass Vault”) in “Profile Settings” ...



    ... to the Multifactor options tab.



    We are interested in the bottom block for Premium users.



    Let's go to the Fingerprint / SmartCard authentication settings. If the PKCS # 11 library is installed correctly, we will see a smart card reader in the drop-down list. Select “on - yes” and click on “update”.



    A confirmation of the master password will be requested ...



    ... and the smart card / token pin.



    After which we will receive a message about the successful authentication setup.



    Now, to unlock saved passwords in LastPass, just connect the electronic identifier and enter its PIN code.

    According to the results of the manipulations you get a convenient and, most important, safe multi-platform solution for storing your passwords. No one will be able to use your account without a smart card / token and knowledge of a PIN code.
    Tags:

    Also popular now: