FireOak Strategies Blog

Insights and articles related to knowledge management, information security, technology, data and analytics, business process automation, platform management, and other related topics, from our experienced team of consultants.

< Back to FireOak Blog

LastPass Authenticator Security Evaluation

March 21, 2016

In March of 2016, LastPass announced the availability of LastPass Authenticator, an app that provides push-based multi-factor authentication (MFA) for users of their password management service.

Information Security

Eric Smith

Eric Smith is the Chief Technologist and Chief Information Security Officer (CISO) for FireOak Strategies, LLC. You can reach Eric at [email protected] or follow him on Twitter at @FireOakCISO.

In March of 2016, LastPass announced the availability of LastPass Authenticator, a new smartphone app that provides push-based multi-factor authentication (MFA) for users of their cloud-based password management service.

Multi-factor authentication is an essential component of any robust authentication system, so we were pleased to see that LastPass has made this tool available. Even so, there are several other existing and competing multi-factor authentication systems that are compatible with LastPass, so it is important to understand what the new authenticator tool can do and how it stacks up against its competition.

Compatibility with Google Authenticator

During the device enrollment process, LastPass Authenticator automatically configures a time-based, one-time password (TOTP) implementation that is compatible with Google Authenticator. The changing numeric output of the TOTP implementation can be used in the event that the device which is running LastPass Authenticator has no data access at the time an authentication is needed.

In addition, LastPass Authenticator can be used to scan Google Authenticator QR codes and vice versa. The TOTP implementations are identical, and the Google Authenticator app seems happy to ignore the custom LastPass fields included in the enrollment barcode.

Comparison with Duo Security

LastPass Authenticator bears a striking resemblance to the Duo Security model. Both systems use client-push technology on a smartphone or tablet as the default method for secondary authentication. Unlike Duo, however, the the LastPass Authenticator can’t be deployed in the user-friendly client push mode with other sites or services.

FireOak Strategies Recommendation

While LastPass Authenticator provides convenient multi-factor authentication into LastPass for for individuals and small departments, enterprise clients looking to maintain a unified MFA deployment are urged to continue using Duo to secure their LastPass Enterprise deployments. Duo in particular is highly extensible and can be applied to a whole host of other systems, making it a better fit within a unified, enterprise-wide deployment.

In-depth details of the technical analysis are available in this follow-up post.
Read more about our Information Security program.

FireOak Strategies is a boutique consulting firm that helps organizations manage, secure, and share their knowledge. We bring clarity to complexity, look for elegant and simple solutions, and make sure that organizations are focused on solving the right problems. Learn more…

Manage, secure, and share your organizational knowledge

Browse articles by topic:

More from the FireOak team about managing, securing, and sharing knowledge

The Importance of Cloud to Cloud Backups

Abby Clobridge

April 28, 2023

5 reasons why you should use cloud-to-cloud backups to protect your data stored in cloud platforms.

Continue Reading The Importance of Cloud to Cloud Backups

Ten Ways to Use an Intranet to Build Community, Connections, and Engagement

Kelly LeBlanc

April 20, 2023

Ten tips for using your organizational intranet to build community and connections among staff, while also fostering employee engagement.

Continue Reading Ten Ways to Use an Intranet to Build Community, Connections, and Engagement

FireOak Receives National Women’s Business Enterprise Certification

FireOak Communications Team

March 24, 2023

FireOak Strategies receives the prestigious National Women’s Business Enterprise Certification from WBENC.

Continue Reading FireOak Receives National Women’s Business Enterprise Certification

6 Reasons Why Most Organizations Should Invest in an Intranet

Abby Clobridge

March 23, 2023

In today’s digital workplace, all organizations with more than a handful of employees should have an intranet. Here are six key reasons why your organization should invest in an intranet.

Continue Reading 6 Reasons Why Most Organizations Should Invest in an Intranet

New Article Series — Building and Maintaining a Modern Intranet

Abby Clobridge

February 23, 2023

Introducing FireOak’s new series all about modern intranets — with tips and tricks, best practices, actionable insights, and more.

Continue Reading New Article Series — Building and Maintaining a Modern Intranet

Building a Modern Intranet

Abby Clobridge

February 17, 2023

A well-designed, modern intranet can be a key component of a successful knowledge management strategy. A modern intranet should make it easier for staff to do their jobs, find what they’re looking for, collaborate with each other, and stay connected to the organization.

Continue Reading Building a Modern Intranet