LastPass Bypass of Two-Factor Authentication

One of the things I have noticed lately is that LastPass is only using my password to log in and not using my two-factor authentication. I asked them why this was happening and they sent me to the page below. I tested this out by logging out of LastPass and then disconnecting from my wireless network. I logged into LastPass with just my password and it logged in. Apparently all you need is a password in Offline Mode.
https://lastpass.com/support.php?cmd=showfaq&id=2775

Another way to turn off two-factor for your personal laptop/desktop is when you log in next time, click on the button that says “This is a Trusted machine.” This allows you to bypass two-factor on a computer/phone that you use on a daily basis. You can also turn this off under your Account Settings (see below).

(Image: LP-trusted-devices)

…………………………………………………………………………………………………………………………

Why can I bypass 2 Factor Authentication to login to the current site my browser is on?

To validate your multifactor token, multifactor authentication requires that you have an Internet connection: if you do not pass LastPass a correct multifactor token, LastPass will never release your encrypted data. However, LastPass also has an ‘Offline Mode’: it keeps a locally cached encrypted copy of your data on your local device so that you’ll still be able to access your data even in the event that you do not have Internet access. On some connections, when you log in to LastPass you are logged in offline to the locally cached copy of your data before it can authenticate online. As a result, you might experience cases where LastPass will fill in the credentials for the current page you are on before you provide us your LastPass multifactor token. If you want to prevent this behavior, do the following:

Clear your Local Cache after each browser session:

  1. Log into LastPass
  2. Click on the LastPass Icon > Tools > Advanced Tools > Clear local cache
  3. Logoff LastPass

or Disable Offline Mode – THIS SEEMS TO HAVE CHANGED AND IS GONE.

  1. Go to your account settings.
  2. Click on the Multifactor Tab
  3. Toggle ‘Permit Offline Access’ to ‘Disallow’
  4. Update
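To make the FAQ's point concrete, here is an added toy model (not LastPass code, and not its real cryptography) of the two login paths: the online path releases the encrypted blob only after the server checks the multifactor token, while Offline Mode decrypts the locally cached blob with nothing but the master-password-derived key. It also models the two mitigations above, clearing the local cache and disallowing offline access. PBKDF2-SHA256 and the HMAC-counter keystream are assumptions chosen to keep the example self-contained.

```python
import hashlib
import hmac
import os

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Master password -> vault key; the only thing that can open a cached blob.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 32)

def _keystream(key: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream standing in for a real cipher (assumption).
    blocks = [hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, ct, "sha256").digest() + ct  # tag || ciphertext

def decrypt_vault(key: bytes, blob: bytes):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None  # wrong master password (or tampered blob)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

class LastPassModel:
    def __init__(self, master_password, vault, mfa_code, permit_offline=True):
        self.salt = os.urandom(16)
        self.mfa_code = mfa_code
        self.permit_offline = permit_offline  # the 'Permit Offline Access' setting
        self.server_blob = encrypt_vault(derive_key(master_password, self.salt), vault)
        self.local_cache = None

    def login_online(self, password, mfa_code):
        # The server releases the encrypted blob only after a correct MFA token.
        if not hmac.compare_digest(mfa_code, self.mfa_code):
            return None
        data = decrypt_vault(derive_key(password, self.salt), self.server_blob)
        if data is not None and self.permit_offline:
            self.local_cache = self.server_blob  # populated for Offline Mode
        return data

    def login_offline(self, password):
        # Offline Mode: no server contact, so no MFA check; the password alone gates it.
        if self.local_cache is None:
            return None
        return decrypt_vault(derive_key(password, self.salt), self.local_cache)

    def clear_local_cache(self):
        self.local_cache = None  # Tools > Advanced Tools > Clear local cache
```

The defender's takeaway the model makes visible: once a cache exists, the multifactor token adds nothing to the protection of that copy, so its security rests entirely on the master password.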

About Tom Terrific

Interested in MANY things.
This entry was posted in LastPass.
