LastPass Authenticator Security Review: Part 1

LastPass Authenticator: Technical Analysis

Recommendation: Use LastPass Authenticator for personal and premium accounts, but stick with Duo or YubiKey for MFA with LastPass Enterprise. 

In March of 2016, LastPass announced the availability of LastPass Authenticator, a smartphone app that provides push-based multi-factor authentication (MFA) for users of their cloud-based password management service. In this post, we’ll take an in-depth look at the architecture, communications, and security of the LastPass Authenticator app.  For this examination, we studied the behavior of LastPass Authenticator as installed on an Apple iPhone 5S. We’ve looked at the enrollment and authentication processes in detail in our lab in order to better understand the technology being used and whether or not the security is adequate for protecting a high-value asset such as LastPass. Protocol analysis and TLS decryption was performed using MITM proxy, along with a number of other packet sniffing and analysis tools.

LastPass Authenticator Setup Process

After installing the LastPass Authenticator app, users must associate their device with their LastPass account.  This is accomplished by logging into the LastPass account on a workstation, then accessing the “Multifactor Options” found under the LastPass Vault > Account Settings menu.  After clicking to enable LastPass Authenticator, the user is presented with a QR code to scan using their device's camera.  Once scanned, the LastPass Authenticator app is then associated with the user’s LastPass account and will be used to verify all future logins.

The QR code, and decoded data which it contains, are shown below.

LastPass Authenticator Setup

The QR code contains a time-based one-time password secret key (TOTP) in the standard URI format as defined by Google in their GitHub project documentation.

[box]otpauth://totp/LogMeIn%20Accounts%3A%20ejsmith%40fireoakstrategies.com?secret= I4PVS3MKRU6N43N6STCAHNAK5WWZIGVQ&issuer= LastPass&lmirequesttoken= 01_vGIxL2X2bI4YIC4M YAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65 HPplVV&lmiversion=1[/box]

In addition to the required account identifier and a BASE32-encoded 160-bit secret symmetric key, the LastPass QR code contains a few additional fields, including “Imirequesttoken” and “Imiversion”.  In the QR code examined for this report, these values were as follows:

[box]lmirequesttoken=01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV
lmiversion=1
[/box]

The presence of mixed-case text in the "Imirequesttoken" value suggests a BASE64 encoding scheme in the portion of the text following the underscore.  The 64 ASCII characters likely represent an encoded 384-bit key, which at first observations appears to be random, or at least has no obvious internal structure.

[box]00000000: bc62 312f 65f6 6c8e 1820 2e0c 600c bbb4 .b1/e.l.. ..`...
00000010: 31df 052b 2718 fa52 33c5 eab5 08b2 30d7 1..+'..R3.....0.
00000020: 9132 b3b3 36ea 0bbd 0907 eb91 cfa6 5555 .2..6.........UU
[/box]

When this QR code is scanned by the LastPass Authenticator App using the device's camera, the code is decoded, the data is extracted, and a TLS connection with https://accounts.logme.in is established as follows:

[box]https://accounts.logme.in/authentication/api/v1/authentication.svc/RegisterDevice[/box]

The following data is posted to the "RegisterDevice" service in JSON format:

[box]{
"deviceName": "Eric's iPhone",
"deviceType": "ios",
"notificationId": "ebc98c44a94d12e5049d22bc62d2c7e27ada263b5f23f930e364f548a117face",
"appType": "lastpass",
"requestToken": "01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV"
}
[/box]

The TLS connection itself is negotiated using TLS 1.2, using a high-quality cipher suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) which provides perfect forward secrecy using elliptic curve Diffie-Hellman negotiated keys.    

The "requestToken" sent to the remote host is the same that was included in the QR code.  This token is used, as the name suggests, to maintain session state across two physically separate devices.  The use of this token permits the LastPass system to pair the device with the user's LastPass account.

The LastPass registration server responds with two new parameters, which are then stored on the local device by the LastPass Authenticator App.

[box]{
"RegisterDeviceResult": {
"deviceId": "5a42c41d-1b8a-48cb-a469-d540ceb4bfbd",
"deviceSecret": "lUDUbcnbUSuxGWFVPAKdmfTGP5nsVBuN4NjDr6pcoY5oI9MfgevrP4aB8svEG2Xo" }
}
[/box]

A new TLS connection is then established, this time to the "AttachUser" service, which sends a message combining the "requestToken" from the QR code with the "deviceID" and "deviceSecret" that were learned during the "RegisterDevice" process.  This serves to further link the physical device -- the smartphone or tablet -- to the LastPass account.

[box]{
"deviceId": "5a42c41d-1b8a-48cb-a469-d540ceb4bfbd",
"deviceSecret": "lUDUbcnbUSuxGWFVPAKdmfTGP5nsVBuN4NjDr6pcoY5oI9MfgevrP4aB8svEG2Xo",
"requestToken": "01_vGIxL2X2bI4YIC4MYAy7tDHfBSsnGPpSM8XqtQiyMNeRMrOzNuoLvQkH65HPplVV"
}[/box]

This is confirmed by the response from the LastPass servers  which includes the user’s email address -- something we had not seen in any previous transmissions.

[box]{
"GetRequestInfoResult": {
"requestId": "71UKK",
"requestTime": 1458428374,
"requestTimeout": 90,
"serverTime": 1458428387,
"userEmail": "ejsmith@fireoakstrategies.com",
"userId": "4fab24b8-a3a4-4f6d-a6d5-09a98cd29079"
}
}
[/box]

The LastPass Authenticator app is now configured, linked with the user’s LastPass account, and ready to process login authentication requests.


Note: this article is part one of a two-part series. Continue reading for part 2