Make Your LastPass Account Uncrackable: LastPass Adds Support for Google Authenticator


LastPass, our favorite password manager, has just introduced support for two-factor authentication through Google Authenticator. Two-factor authentication is a form of security that requires a user to present a second form of confirmation before being able to log in to an account. We previously wrote about how, for Google accounts, that second form of authentication can come via a one-time code generated by the Authenticator app for iOS, Android, and BlackBerry. That same app can now be used with LastPass.

The beauty of two-factor authentication is that your password is useless to a hacker if he doesn’t also have the second form of authentication (in this case, your phone, which is needed to generate the code). Without two-factor authentication, your account would still be susceptible to keyloggers or phishing attacks, no matter how complex you’ve made your password. I’ve been using the YubiKey as a second form of authentication for my LastPass account, but that requires the purchase of the YubiKey, and also requires you to carry it around with you. Assuming that you keep your phone with you at all times, there’s almost no reason aside from convenience not to use Authenticator as a second form of authentication if you weren’t already using another two-factor authentication method.
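To make concrete what the Authenticator app is doing when it shows a six-digit code that changes every 30 seconds, here is an added example of the time-based one-time password scheme (RFC 6238, built on the HMAC-based HOTP of RFC 4226) that Google Authenticator implements. This is illustration code written for this page, not code from LastPass or from the Authenticator app; the base32 secret `JBSWY3DPEHPK3PXP` is a constructed demo value of the kind that would normally be delivered to the phone through a QR code, and the `verify_totp` window of one step either side is an assumed server-side tolerance for clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (not a real LastPass or Google key). The app stores
# this once and derives every subsequent code from it plus the current time.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def decode_secret(b32: str) -> bytes:
    """Base32 secret as shown in a QR code or typed by hand -> raw key bytes."""
    return base64.b32decode(b32.upper(), casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation using the
    low nibble of the last byte as an offset, then reduce modulo 10^digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238).

    The HOTP counter is simply the number of 30-second steps since the Unix
    epoch, which is why the displayed code rolls over roughly every 30 seconds.
    """
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, candidate: str, unix_time: float,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps on either side so that a
    slightly skewed phone clock still works, and compares in constant time so
    the comparison itself leaks nothing about the expected code.
    """
    counter = int(unix_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(DEMO_SECRET_B32)
    now = time.time()
    print("current code:", totp(secret, now),
          "(valid for about", 30 - int(now) % 30, "more seconds)")
```

The security property the article relies on follows from the structure: the code is a function of a secret that never leaves the phone and of the current time, so a keylogged or phished code is worthless once its 30-second step has passed, and a captured password alone cannot produce the next one.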

Will support for Authenticator spur you to use two-factor authentication?

Introducing Support for Google Authenticator [LastPass blog]

Evan Kline

Hello, I'm Evan. I write about tech from my perspective – that of the average 40-something tech geek. You can also find me on Twitter and at my real-life job as a lawyer.

4 Comments:

  1. Hmm. This sounds interesting. It sounded a bit too complex with yubi key, but this is simple enough.

    Has anyone else had some trouble with LastPass since the iOS5 update? The LastPass browser crashes on the iPad. Tech support says they are working on it.

    And slightly off topic, somebody was speculating on the nuke option (as in Jobs’ thermonuclear war comment), saying that Apple might ban all Google apps from their closed system. Think there is a chance of that, and if so, what happens to apps like Authenticator?

    • I haven’t used the LastPass browser in a while, Rick. I have used the bookmarklet, however.

      Regarding the nuclear option, I would like to think that even Apple couldn’t take the PR hit from an anti-competitive move like that. I look back to all the flak from their denial of the Google Voice app, and the fact that they relented on that. I know Steve Jobs had a bug up his ass for Google, but hopefully cooler heads realize it might do more harm than good. I think a more likely occurrence would be Apple coming up with replacements (such as changing Siri to pull from Bing), but allowing consumers to continue to use Google apps.

  2. I’m trying to understand how much additional security this adds after the encrypted password file is loaded on my computer. It seems like the main benefit of this approach is to thwart key loggers, but if I get some malware on my system that can do key logging then it can also send the encrypted password file off to some hacker.

    So in this case the hacker would know your master password and has your encrypted password file, but the 6 digit number from the Authenticator only increases the number of combinations by 1 million. With the master password and the password file in hand a brute force attack could try 1 million combinations in a matter of minutes, at least based on my very rudimentary understanding of how this works. :)

    I guess my question is whether this approach really only adds security to the web log on, or whether it significantly increases the security against a direct attack on the encrypted password file? Currently I use 1Password with a purely local password file (although I’m looking at cloud backup options), and I’m wondering if this really enhances my security.

    • I’m sure you’re probably safer just using a local file. If someone has total control of your system, then I imagine that they could wait until you open your password database to grab the data. I did eyeball Authenticator, and the 6 digit number resets after approximately 30 seconds. So I think that would take some serious computing power to crack that along with a long master password in 30 seconds. It would be nice if Google would add some letters and symbols, and maybe an extra digit or two, into Authenticator.

      1Password uses PBKDF2, and LastPass was in the process of implementing it several months ago, to supposedly render brute force attacks ineffective by forcing pauses in brute force attempts. I don’t know enough about PBKDF2 to know if it truly neuters brute force attacks. If it does, then the real risk would be in the entry and transmission of the password, which Authenticator takes care of. That’s a big “if,” though.
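The exchange above asks what PBKDF2 actually does for a stolen encrypted vault. Here is an added example, not code from 1Password, LastPass or any commenter, showing the mechanism: the master password and a salt are fed through PBKDF2-HMAC-SHA256 for a chosen number of iterations, and every guess against the stolen file must repeat that same work, so the iteration count is a straight multiplier on the attacker's cost. It does not shrink the number of guesses; only the master password's keyspace does that. The key length, hash function, iteration counts and the candidate passwords in the timing loop are assumptions made for the illustration (what a given product uses is not stated on this page), and the one-time code plays no part in the derivation here.

```python
import hashlib
import os
import time


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int, length: int = 32) -> bytes:
    """Stretch a master password into an encryption key with PBKDF2-HMAC-SHA256.

    The salt stops precomputed tables from being reused across users; the
    iteration count sets how much work each single guess costs.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=length)


def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Guesses per second this machine manages at a given iteration count.

    Used for capacity planning: a defender raises `iterations` until the rate
    is low enough for the password policy in use. Candidates and salt are
    constructed throwaway values.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, guess_rate: float) -> float:
    """Worst-case time to try every candidate in `keyspace` at `guess_rate`."""
    return keyspace / guess_rate


if __name__ == "__main__":
    # Two assumed master-password keyspaces: an 8-digit PIN and a 12-character
    # password drawn from 62 alphanumerics. Same machine, rising iteration count.
    keyspaces = {"8-digit PIN": 10 ** 8, "12 alnum chars": 62 ** 12}
    for iters in (1, 5000, 100000):
        rate = measure_guess_rate(iters)
        line = f"{iters:>7} iterations: {rate:10.1f} guesses/s"
        for label, size in keyspaces.items():
            years = seconds_to_exhaust(size, rate) / (365 * 86400)
            line += f" | {label}: {years:.3g} years"
        print(line)
```

Running it shows the pattern the commenter was asking about: going from 1 to 100,000 iterations slows every guess by the same factor, which turns a weak master password from seconds into days but still leaves it within reach, while a long master password becomes infeasible at any realistic rate. PBKDF2 therefore buys time in proportion to the iteration count rather than neutering brute force outright.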
