FireOak Strategies Blog

Insights and articles related to knowledge management, information security, technology, data and analytics, business process automation, platform management, and other related topics, from our experienced team of consultants.

LastPass Authenticator Security Evaluation

March 21, 2016

In March of 2016, LastPass announced the availability of LastPass Authenticator, an app that provides push-based multi-factor authentication (MFA) for users of their password management service.

Information Security

Eric Smith

Eric Smith is the former Chief Technologist and Chief Information Security Officer (CISO) for FireOak Strategies, LLC.

In March of 2016, LastPass announced the availability of LastPass Authenticator, a new smartphone app that provides push-based multi-factor authentication (MFA) for users of their cloud-based password management service.

Multi-factor authentication is an essential component of any robust authentication system, so we were pleased to see that LastPass has made this tool available. Even so, there are several other existing and competing multi-factor authentication systems that are compatible with LastPass, so it is important to understand what the new authenticator tool can do and how it stacks up against its competition.

Compatibility with Google Authenticator

During the device enrollment process, LastPass Authenticator automatically configures a time-based, one-time password (TOTP) implementation that is compatible with Google Authenticator. The changing numeric output of the TOTP implementation can be used in the event that the device which is running LastPass Authenticator has no data access at the time an authentication is needed.

In addition, LastPass Authenticator can be used to scan Google Authenticator QR codes and vice versa. The TOTP implementations are identical, and the Google Authenticator app seems happy to ignore the custom LastPass fields included in the enrollment barcode.

Comparison with Duo Security

LastPass Authenticator bears a striking resemblance to the Duo Security model. Both systems use client-push technology on a smartphone or tablet as the default method for secondary authentication. Unlike Duo, however, the the LastPass Authenticator can’t be deployed in the user-friendly client push mode with other sites or services.

FireOak Strategies Recommendation

While LastPass Authenticator provides convenient multi-factor authentication into LastPass for for individuals and small departments, enterprise clients looking to maintain a unified MFA deployment are urged to continue using Duo to secure their LastPass Enterprise deployments. Duo in particular is highly extensible and can be applied to a whole host of other systems, making it a better fit within a unified, enterprise-wide deployment.

In-depth details of the technical analysis are available in this follow-up post.
Read more about our Information Security program.

From the FireOak Blog

News and insights from the FireOak team about managing, securing, and sharing knowledge

Manipulative by Design: An Introduction to Dark Patterns

FireOak Communications Team

December 8, 2023

Dark patterns are deceptive techniques used in web design and marketing, which are designed to manipulate users into doing things they didn’t intend. Read on to learn more about Confirmshaming, The Roach Motel, and other dark pattern techniques.

Continue Reading → Manipulative by Design: An Introduction to Dark Patterns

FireOak’s Recommended Bitwarden Settings

FireOak Communications Team

August 28, 2023

Bitwarden is a great password management tool. Following are FireOak’s recommended Bitwarden settings, all of which we strongly recommend enabling for enterprise accounts. If possible, configure these organizational policies and settings before deploying for users.

Continue Reading → FireOak’s Recommended Bitwarden Settings

It’s Time to Retire Your File Servers

Abby Clobridge

July 19, 2023

While on-premises file servers (i.e., the S:\ drive) may have been the go-to solution in the past for collaboration, they pose several knowledge management and cybersecurity challenges – as well other operational issues – for organizations. It’s time to retire file servers in favor of more modern technologies.

Continue Reading → It’s Time to Retire Your File Servers