FireOak Strategies Blog

Insights and articles related to knowledge management, information security, technology, data and analytics, business process automation, platform management, and other related topics, from our experienced team of consultants.

LastPass Authenticator Security Review: Part 1

March 21, 2016

We took an in-depth look at the architecture, communications, and security of the LastPass Authenticator app in our lab in order to better understand the technology being used and whether or not the security is adequate for protecting a high-value asset such as LastPass.

Information Security

Eric Smith

Eric Smith is the former Chief Technologist and Chief Information Security Officer (CISO) for FireOak Strategies, LLC.

Recommendation: Use LastPass Authenticator for personal and premium accounts, but stick with Duo or YubiKey for MFA with LastPass Enterprise.

In March of 2016, LastPass announced the availability of LastPass Authenticator, a smartphone app that provides push-based multi-factor authentication (MFA) for users of their cloud-based password management service. In this post, we’ll take an in-depth look at the architecture, communications, and security of the LastPass Authenticator app. For this examination, we studied the behavior of LastPass Authenticator as installed on an Apple iPhone 5S. We’ve looked at the enrollment and authentication processes in detail in our lab in order to better understand the technology being used and whether or not the security is adequate for protecting a high-value asset such as LastPass. Protocol analysis and TLS decryption was performed using MITM proxy, along with a number of other packet sniffing and analysis tools.

LastPass Authenticator Setup Process

After installing the LastPass Authenticator app, users must associate their device with their LastPass account. This is accomplished by logging into the LastPass account on a workstation, then accessing the “Multifactor Options” found under the LastPass Vault > Account Settings menu. After clicking to enable LastPass Authenticator, the user is presented with a QR code to scan using their device’s camera. Once scanned, the LastPass Authenticator app is then associated with the user’s LastPass account and will be used to verify all future logins.

The QR code, and decoded data which it contains, are shown below.

The QR code contains a time-based one-time password secret key (TOTP) in the standard URI format as defined by Google in their GitHub project documentation.

otpauth://totp/LogMeIn%20Accounts%3A%20ejsmith%40fireoakstrategies.com?secret= I4PVS3MKRU6N43N6STCAHNAK5WWZIGVQ&issuer= LastPass&lmirequesttoken= 01_vGIxL2X2bI4YIC4M YAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65 HPplVV&lmiversion=1

In addition to the required account identifier and a BASE32-encoded 160-bit secret symmetric key, the LastPass QR code contains a few additional fields, including “Imirequesttoken” and “Imiversion”. In the QR code examined for this report, these values were as follows:

lmirequesttoken=01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV
 lmiversion=1

The presence of mixed-case text in the “Imirequesttoken” value suggests a BASE64 encoding scheme in the portion of the text following the underscore. The 64 ASCII characters likely represent an encoded 384-bit key, which at first observations appears to be random, or at least has no obvious internal structure.

00000000: bc62 312f 65f6 6c8e 1820 2e0c 600c bbb4 .b1/e.l.. ..`...
 00000010: 31df 052b 2718 fa52 33c5 eab5 08b2 30d7 1..+'..R3.....0.
 00000020: 9132 b3b3 36ea 0bbd 0907 eb91 cfa6 5555 .2..6.........UU

When this QR code is scanned by the LastPass Authenticator App using the device’s camera, the code is decoded, the data is extracted, and a TLS connection with https://accounts.logme.in is established as follows:

https://accounts.logme.in/authentication/api/v1/authentication.svc/RegisterDevice

The following data is posted to the “RegisterDevice” service in JSON format:

{
 "deviceName": "Eric's iPhone",
 "deviceType": "ios",
 "notificationId": "ebc98c44a94d12e5049d22bc62d2c7e27ada263b5f23f930e364f548a117face",
 "appType": "lastpass",
 "requestToken": "01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV"
 }

The TLS connection itself is negotiated using TLS 1.2, using a high-quality cipher suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) which provides perfect forward secrecy using elliptic curve Diffie-Hellman negotiated keys.

The “requestToken” sent to the remote host is the same that was included in the QR code. This token is used, as the name suggests, to maintain session state across two physically separate devices. The use of this token permits the LastPass system to pair the device with the user’s LastPass account.

The LastPass registration server responds with two new parameters, which are then stored on the local device by the LastPass Authenticator App.

{
 "RegisterDeviceResult": {
 "deviceId": "5a42c41d-1b8a-48cb-a469-d540ceb4bfbd",
 "deviceSecret": "lUDUbcnbUSuxGWFVPAKdmfTGP5nsVBuN4NjDr6pcoY5oI9MfgevrP4aB8svEG2Xo" }
 }

A new TLS connection is then established, this time to the “AttachUser” service, which sends a message combining the “requestToken” from the QR code with the “deviceID” and “deviceSecret” that were learned during the “RegisterDevice” process. This serves to further link the physical device — the smartphone or tablet — to the LastPass account.

{
 "deviceId": "5a42c41d-1b8a-48cb-a469-d540ceb4bfbd",
 "deviceSecret": "lUDUbcnbUSuxGWFVPAKdmfTGP5nsVBuN4NjDr6pcoY5oI9MfgevrP4aB8svEG2Xo",
 "requestToken": "01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV"
 }

This is confirmed by the response from the LastPass servers which includes the user’s email address — something we had not seen in any previous transmissions.

{
 "GetRequestInfoResult": {
 "requestId": "71UKK",
 "requestTime": 1458428374,
 "requestTimeout": 90,
 "serverTime": 1458428387,
 "userEmail": "[email protected]",
 "userId": "4fab24b8-a3a4-4f6d-a6d5-09a98cd29079"
 }
 }

The LastPass Authenticator app is now configured, linked with the user’s LastPass account, and ready to process login authentication requests.

Note: this article is part one of a two-part series. Continue reading for part 2

Read Part 2 of the LastPass Security Review

From the FireOak Blog

News and insights from the FireOak team about managing, securing, and sharing knowledge

Manipulative by Design: An Introduction to Dark Patterns

FireOak Communications Team

December 8, 2023

Dark patterns are deceptive techniques used in web design and marketing, which are designed to manipulate users into doing things they didn’t intend. Read on to learn more about Confirmshaming, The Roach Motel, and other dark pattern techniques.

Continue Reading → Manipulative by Design: An Introduction to Dark Patterns

FireOak’s Recommended Bitwarden Settings

FireOak Communications Team

August 28, 2023

Bitwarden is a great password management tool. Following are FireOak’s recommended Bitwarden settings, all of which we strongly recommend enabling for enterprise accounts. If possible, configure these organizational policies and settings before deploying for users.

Continue Reading → FireOak’s Recommended Bitwarden Settings

It’s Time to Retire Your File Servers

Abby Clobridge

July 19, 2023

While on-premises file servers (i.e., the S:\ drive) may have been the go-to solution in the past for collaboration, they pose several knowledge management and cybersecurity challenges – as well other operational issues – for organizations. It’s time to retire file servers in favor of more modern technologies.

Continue Reading → It’s Time to Retire Your File Servers