FIDO2 U2F support


I cannot possibly believe no-one else has requested this???

All other 2FA options are vulnerable to phishing / MITM reverse proxy attacks, and only U2F can prevent this.

PLEASE guys add U2F support to LastPass!  Yubikey OTP or Authenticator based 2FA methods are not safe.  All a hacker has to do is to ask the victim to log in to a URL which is 1 character different e.g. https://laslpass.com/?ac=1&lpnorefresh=1 and then they can download your entire unencrypted vault, even if 2FA is enabled.

This is a huge security hole.

2 Comments
schmitmd
New Member

Ron, I'm with you completely.  This is ridiculous.  I've shot out a Tweet to LastPass, but who knows if they'll reply or even see it. 

Personal opinions and observations incoming:

Based on what I'm seeing online, LogMeIn/LastPass has majorly dropped focus for end-users in favor of working to improve the enterprise side of things.  Getting U2F in place would benefit both of those verticals, except for the fact that they paywall YubiKey's original OTP functionality.  They'd either have to paywall U2F as well (and suffer the PR nightmare that would be) or...do nothing.  Seems like they've chosen the latter.

Maybe my coworkers are right and I need to look into jumping ship to Bitwarden after all.  I was holding out for them to get a security audit, but that's long since been completed and the project has reached a decent maturity.

--edit--: Looks like Bitwarden's U2F functionality is paywalled too, so maybe I'm wrong about the PR thing.  Even paywalled though, this feature is super important and the fact that it's not already in place is kinda shameful.

https://twitter.com/schmitmd/status/1378486956582174724

RonWeasley
Active Contributor

To re-emphasize the importance of this, the domain 1astpass.com (note the leading 1, not L) is already registered with someone. 

You thought you were safe with your 2FA, but you get a phishing email asking you to log in to the above site (or similar) and then the man-in-the-middle reverse proxy just passes your details to LastPass, which logs you in, and potentially the MITM now has full access to your vault. Just watch:

https://youtu.be/2rvPXgG-6QM

We must have WebAuthn or FIDO2 U2F authentication in order to prevent this kind of attack. 1Password has it. Dashlane has it. Bitwarden has it. Come on LogMeIn guys, please!
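To show the mechanism both the original post and this comment rely on, here is an added example (not code from LastPass or from anyone in this thread) of the relying-party checks that make a WebAuthn/U2F assertion resist the reverse-proxy phish described above; it assumes an HMAC with a per-credential secret as a stand-in for the security key's ECDSA signature, and reuses the thread's lookalike origin as constructed input.

```python
# Added illustration (not LastPass code): the relying-party checks that make a
# WebAuthn/U2F assertion phishing-resistant. The browser writes the page
# origin into clientDataJSON; the key signs authenticatorData (carrying
# SHA-256 of the RP ID) plus a hash of that JSON; the server rejects foreign
# origins. Assumption: an HMAC with a per-credential secret stands in for the
# key's ECDSA signature so the demo runs with the standard library only.
import hashlib
import hmac
import json

RP_ID = "lastpass.com"                      # RP ID from the thread's example
ALLOWED_ORIGINS = {"https://lastpass.com"}  # exact origins the RP trusts
FLAG_USER_PRESENT = 0x01


def authenticator_data(rp_id: str, flags: int = FLAG_USER_PRESENT, counter: int = 1) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4), the WebAuthn layout."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def sign_assertion(cred_secret: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """What the key signs: authenticatorData || SHA-256(clientDataJSON)."""
    return hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def browser_assertion(origin: str, challenge: str, cred_secret: bytes) -> dict:
    """Constructed client side: the browser, not the page script, fills in origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = authenticator_data(RP_ID)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sign_assertion(cred_secret, auth_data, client_data)}


def verify_assertion(assertion: dict, expected_challenge: str, cred_secret: bytes) -> tuple:
    """Server-side checks; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))  # lookalike-domain phish fails here
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    expected = sign_assertion(cred_secret, ad, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature (clientDataJSON tampered)"
    return True, "ok"
```

An assertion produced on the lookalike origin fails the origin check, and a proxy that rewrites the origin field after the fact breaks the signature, which is exactly why an OTP relayed through the same proxy offers no such protection.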