LastPass Authenticator Security Evaluation

Recommendation: Use LastPass Authenticator for personal and premium accounts, but stick with Duo or YubiKey for MFA with LastPass Enterprise.

In March 2016, LastPass announced the availability of LastPass Authenticator, a smartphone app that provides push-based multi-factor authentication (MFA) for users of its cloud-based password management service.

Multi-factor authentication is an essential component of any robust authentication system, so we were pleased to see LastPass make this tool available. Even so, several existing and competing multi-factor authentication systems already work with LastPass, so it is important to understand what the new LastPass Authenticator can do and how it stacks up against that competition.

Compatibility with Google Authenticator

During device enrollment, LastPass Authenticator automatically configures a time-based one-time password (TOTP) generator that is compatible with Google Authenticator. Because a TOTP code depends only on the shared secret and the device clock, the rotating numeric code can be used when the device running LastPass Authenticator has no data connectivity at the moment an authentication is needed and therefore cannot receive a push notification.

In addition, LastPass Authenticator can scan Google Authenticator QR codes and vice versa. The TOTP implementations are identical, and the Google Authenticator app simply ignores the custom LastPass fields included in the enrollment barcode, using only the standard parameters (secret, issuer, and so on) it recognizes.
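The interoperability described above rests on two things: both apps encode enrollment as an otpauth://totp/ URI in the QR code, and both compute RFC 6238 TOTP from the shared secret. The following added example (ours, not code from LastPass or Google) parses such a URI while ignoring parameters it does not know, then derives and verifies codes. The enrollment URI is constructed: the secret is the RFC 6238 Appendix B test key, and the `vendorfield` parameter is a hypothetical stand-in for a vendor-specific field, not a real LastPass field name.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
_STANDARD_PARAMS = {"secret", "issuer", "algorithm", "digits", "period"}


def parse_otpauth(uri):
    """Parse an otpauth://totp/ enrollment URI (the payload of a TOTP QR code).

    Parameters outside the de facto standard set are collected under 'extra'
    and otherwise ignored; this is what lets a generic authenticator consume a
    barcode that carries vendor-specific fields.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("enrollment URI has no secret")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in _DIGESTS:
        raise ValueError("unsupported algorithm " + algorithm)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "extra": {k: v for k, v in params.items() if k not in _STANDARD_PARAMS},
    }


def decode_secret(secret):
    """Base32-decode a shared secret, tolerating lower case, spaces and missing padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(key, code, at=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Accept a code from the current step or up to `window` steps either side
    (to absorb clock drift between phone and server), comparing in constant time."""
    if at is None:
        at = time.time()
    return any(
        hmac.compare_digest(totp(key, at + step * period, period, digits, algorithm), code)
        for step in range(-window, window + 1)
    )


def code_from_uri(uri, at):
    """Derive the code an authenticator enrolled from `uri` would display at time `at`."""
    enrol = parse_otpauth(uri)
    return totp(decode_secret(enrol["secret"]), at, enrol["period"], enrol["digits"], enrol["algorithm"])


# Constructed enrollment URI: the secret is the RFC 6238 Appendix B test key
# ("12345678901234567890" in Base32); "vendorfield" is an assumed, hypothetical
# vendor-specific parameter, not a real LastPass field.
SAMPLE_URI = (
    "otpauth://totp/LastPass:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=LastPass&vendorfield=opaque-token"
)

if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print("ignored extras:", enrol["extra"])
    for t in (59, 1111111109, 1234567890):
        print(t, code_from_uri(SAMPLE_URI, t))
```

The codes for the three timestamps above match the SHA1 vectors in RFC 6238 Appendix B (truncated to six digits), which is the check to run against any authenticator claiming Google Authenticator compatibility: enroll the test secret and compare what the app displays. The verification window is deliberately small; widening it trades drift tolerance for a larger set of codes an attacker could replay within a single step.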

Comparison with Duo Security

LastPass Authenticator bears a striking resemblance to the Duo Security model. Both systems use a push notification to an app on a smartphone or tablet as the default method for secondary authentication. Unlike Duo, however, LastPass Authenticator's push mode works only for LastPass itself; it cannot be deployed as a push-based second factor for other sites or services.

FireOak Strategies Recommendation

While LastPass Authenticator provides convenient multi-factor authentication into LastPass for individuals and small departments, enterprise clients looking to maintain a unified MFA deployment are urged to continue using Duo to secure their LastPass Enterprise deployments. Duo in particular is highly extensible and can be applied to a whole host of other systems, making it a better fit within a unified, enterprise-wide deployment.

In-depth details of the technical analysis are available in this follow-up post.

Read more about our Information Security program and enterprise-wide password management services.