LastPass has upgraded the security of its LastPass Authenticator app to address a reported bug.
The issue revolved around the password manager app’s time-based one-time password (TOTP) feature and its option to require a fingerprint scan or PIN before the codes are shown. Users can enable this additional protection so that even if their device is unlocked, a third party can’t gain access to their LastPass vault without a fingerprint scan or PIN; but a security researcher recently found a way to access the app’s TOTP codes without fingerprint or PIN authentication.
The new LastPass Authenticator update provides a straightforward fix: now you can’t access the TOTP codes without a fingerprint scan or PIN, if that additional security feature is enabled. Even before the fix, though, the TOTP bypass issue wasn’t so devastating. As the company points out in its announcement of the app update, “the one-time codes are useless without the username and password for the services they are used.” In other words, an attacker would also need the victim’s primary credentials to take advantage of the TOTPs, so at that point the victim would already be deeply compromised anyway.
Still, for a password manager app like LastPass, the fix was absolutely necessary, given the critical nature of watertight security in this area, and the importance of combining password-based security with biometrics, or at the very least a PIN.