butlerger.blogg.se

Lastpass and yubikey






LastPass is a fantastic password management tool. For most people, it dramatically increases password security by decoupling password complexity from the limits of human memory. Any person that is forced to remember all of their passwords will, inevitably, pick relatively simple passwords and reuse them. This situation is thrust upon us by the current state of identity on the internet, where each of us is forced to remember myriad usernames and passwords. Until identity engineers find a sane way to collapse our tens and hundreds of fractured logins, services such as LastPass act as convenient gatekeepers for the bulk of our passwords, allowing a person to remember only one strong password. The rest of the passwords need not be remembered at all, and can therefore be complex and rotated frequently. One of the features about LastPass that I was really excited about was the ability to use multi-factor authentication to protect my LastPass vault, particularly yubikeys. Yubikeys are USB dongles that generate one-time passwords.

Any service can tie to a yubikey server, and authenticate that the OTP generated belongs to the correct yubikey. The use of a yubikey in addition to a traditional password provides two-factor authentication (something you have and something you know), as the yubikey OTP cannot be replayed. Yubikeys present a problem in the mobile space, however, as most mobile devices do not have USB ports, making it impossible to use a yubikey. The response of LastPass was to offer access restrictions based upon the "UUID" of a mobile device. Unfortunately, the "UUID" of a mobile device does not, unlike a yubikey, offer replay protection. This post demonstrates that the LastPass mobile UUID can easily be spoofed.

UPDATE: As of August 30, 2013, the LastPass Android application no longer uses the device's IMEI as the UUID.
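The replay-protection point above, as an added example that is not from the original post, LastPass or Yubico: a static device identifier verifies every time the same value is presented, while a counter-based one-time password is rejected on second use. It uses RFC 4226 HOTP as a stand-in for the yubikey's own OTP format, with the RFC's published test secret and a constructed device ID; the function and class names are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def static_id_ok(enrolled_id: str, presented_id: str) -> bool:
    # A fixed identifier never changes, so a copied value stays valid forever.
    return hmac.compare_digest(enrolled_id, presented_id)


class CounterOtpVerifier:
    """Server side of a counter-based OTP with replay protection."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0  # lowest counter value still acceptable
        self.look_ahead = look_ahead

    def verify(self, otp: str) -> bool:
        # Accept only counters at or ahead of the last one seen.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.next_counter = c + 1  # burn this and all earlier counters
                return True
        return False


def demo() -> dict:
    """Present each credential twice and record what the verifier decides."""
    secret = b"12345678901234567890"        # RFC 4226 Appendix D test secret
    device_id = "constructed-device-id-0001"  # constructed sample value
    server = CounterOtpVerifier(secret)
    first_otp = hotp(secret, 0)
    return {
        "static_first": static_id_ok(device_id, device_id),
        "static_replay": static_id_ok(device_id, device_id),
        "otp_first": server.verify(first_otp),
        "otp_replay": server.verify(first_otp),
        "otp_next": server.verify(hotp(secret, 1)),
    }
```

The identifier check passes on both presentations, whereas the OTP passes once and the identical value fails the second time.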







