We wanted to let the LastPass community know about a recent improvement to our LastPass Authenticator app. The app received attention this week for allowing someone to view the TOTP (multi-factor) codes on Android without requiring a fingerprint or PIN.
Strengthening the LastPass Authenticator
The LastPass Authenticator app gives users the option to require a fingerprint and/or PIN to open the app, offering an extra level of security if you were to lose your phone while it was unlocked. LastPass Authenticator is one of the few multi-factor authentication apps to offer this extra protection on both iOS and Android.
When a researcher discovered a workaround for the PIN/fingerprint prompt on Android, our engineering team fixed the issue that allowed the workaround, and the update is available now. With the fingerprint/PIN feature enabled, users must now provide their fingerprint or PIN code before a one-time code is displayed.
Using the reported workaround to access someone's temporary codes would have been difficult in practice: it requires physical access to the device, each one-time code expires after its short time window, and the codes are useless without the username and password for the services they are used with. At no time did the identified workaround allow access to the TOTP secrets used to generate the one-time codes, which is the material that would let an attacker keep producing valid codes after the device was out of their hands.
In summary, Android users should update their LastPass Authenticator to the latest version. If you’ve recently had a phone lost or stolen and need to re-enable multi-factor authentication, follow our recommended steps.
Ensuring Reports Are Escalated Quickly
In addition to strengthening the app, the report highlighted needed improvements to our support process. Because this report did not come through our bug bounty program, proper steps were not taken to escalate and resolve it in a timely manner.
We've identified and resolved the procedural issue so that future reports, whether or not they arrive through the bug bounty program, are escalated and handled correctly. At LastPass, investigating and responding to security reports, and to customer concerns in general, is our highest priority, and we strive to keep improving our internal processes.
Reducing Your Personal Risk Starts with Good Cyber Hygiene
The LastPass community is already very security-conscious, but it’s always helpful to review general best practices for online security and ensure you’re following them:
- Beware of phishing attacks. Do not click on links from people you don't know, or on links that seem out of character for your trusted contacts and companies.
- Never reuse your LastPass master password and never disclose it to anyone, including us.
- Use strong, unique passwords for every online account.
- Two-factor authentication remains the most effective way to protect your account. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Keep a clean machine by running antivirus and keeping your software up-to-date.
We fundamentally believe that harnessing our large community of security-conscious individuals, through a well-designed bug bounty program, makes our product better. We will constantly evolve this program, the way we work internally, and how we work with our wider, talented community, to make security effortless for users.