An Update to the LastPass Authenticator App

December 28, 2017 | Security News

We wanted to let the LastPass community know about a recent improvement to our LastPass Authenticator app. The app received attention this week for allowing someone to view the TOTP (multi-factor) codes on Android without requiring a fingerprint or PIN.

Strengthening the LastPass Authenticator

The LastPass Authenticator App gives users the option to require a fingerprint and/or PIN to open the app, offering an extra level of security if you were to lose your phone while it was unlocked. LastPass Authenticator is one of the few multi-factor authentication apps to offer this extra protection on iOS and Android.

When a researcher discovered a workaround for the PIN/fingerprint prompt, our engineering team fixed the issue that allowed the workaround, and the update is available now. With the fingerprint/PIN feature enabled, users must now provide their fingerprint or PIN code in order to view the one-time code.

Using the reported workaround to access someone’s temporary codes would have been difficult, since it requires access to the device, and the one-time codes are useless without the username and password for the services they are used with. At no time did the identified workaround allow access to the TOTP secrets used to generate the one-time codes.

In summary, Android users should update their LastPass Authenticator to the latest version. If you’ve recently had a phone lost or stolen and need to re-enable multi-factor authentication, follow our recommended steps.

Ensuring Reports Are Escalated Quickly

In addition to strengthening the app, the report highlighted needed improvements to our support process. Because this report did not come through our bug bounty program, proper steps were not taken to escalate and resolve it in a timely manner.

We’ve identified and resolved the procedural issue to ensure future reports are handled correctly. At LastPass, investigating and responding to security reports – and customer concerns in general – is our highest priority and we strive to always improve our internal processes.

Reducing Your Personal Risk Starts with Good Cyber Hygiene

The LastPass community is already very security-conscious, but it’s always helpful to review general best practices for online security and ensure you’re following them:

  • Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Never reuse your LastPass master password and never disclose it to anyone, including us.
  • Use strong, unique passwords for every online account.
  • Two-factor authentication remains the most effective way to protect your account. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Keep a clean machine by running antivirus and keeping your software up-to-date.

We fundamentally believe that harnessing our large community of security-conscious individuals, through a well-designed bug bounty program, makes our product better. We will constantly evolve this program, the way we work internally, and how we work with our wider talented community, to make security effortless for users.

5 Comments

  • N says:

    It’s worth noting for the record that the bug was first reported to LastPass in June, and they ignored it. They were reminded of it in December, and still ignored it. Finally, it was disclosed publicly at https://hackernoon.com/lastpass-authenticator-app-is-not-secure-77b9743c3007 (which also includes a record of the author’s unsuccessful attempts to get LastPass to fix the bug). Only after that was a patch released. This, I guess, is what the comments about “Ensuring Reports Are Escalated Quickly” are alluding to. But I think it’s important for people to know the details of LastPass’s response so they can judge it for themselves.

    • Leah Bachmann says:

      Thank you for your comment. As we mention in the blog post, we identified where the issue failed to be escalated, and have resolved it. Security always has been and will remain our top priority, and we strive to constantly improve our internal processes.

  • Darren says:

    Lastpass, it was very disconcerting to see that it took over 6 months to respond appropriately to this find. Please don’t lose sight of WHY we choose to use Lastpass. Security.

    • Leah Bachmann says:

      Hi Darren,
      Thank you for your comment. We understand that security is a top priority to you – as it is to us. As we mention in the blog post, we identified where the issue failed to be escalated, and have resolved it. We strive to constantly improve our internal processes.

      Thanks.

  • Dylan says:

    The Authenticator app was not covered under the bug bounty when I reported it in June 2017. However, I thank you for the fix.