FIDO2 U2F support


I cannot possibly believe no one else has requested this???

All other 2FA options are vulnerable to phishing / MITM reverse proxy attacks, and only U2F can prevent this.

PLEASE guys add U2F support to LastPass!  Yubikey OTP or Authenticator based 2FA methods are not safe.  All a hacker has to do is to lure the victim to log in to a URL which is 1 character different e.g. https://laslpass.com and then they can download your entire unencrypted vault, even if 2FA is enabled.

This is a huge security hole.
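The reason the original post gives for preferring U2F is the origin binding built into the protocol: the signed assertion carries the origin the browser is actually on and a hash of the RP ID the credential is scoped to, so a login relayed through a lookalike domain fails verification at the real site even though a relayed one-time code would pass. The following Python simulation is an added illustration, not code from this thread or from LastPass; the domains, challenge and keys are constructed, and an HMAC keyed with a per-credential secret stands in for the ECDSA signature a real authenticator would produce.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed relying-party values for the simulation (not LastPass's real domain).
RP_ID = "lastpass.example"
RP_ORIGIN = "https://" + RP_ID
LOOKALIKE_ORIGIN = "https://1astpass.example"   # leading "1", as in the thread

TOTP_SECRET = b"constructed-shared-totp-secret"   # constructed, shared user/server secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login_accepts(relayed_code: str, now: int) -> bool:
    """Server-side TOTP check. Nothing here knows which site the user typed the code into."""
    return hmac.compare_digest(relayed_code, totp(TOTP_SECRET, now))


# Stand-in for the credential's private key: a secret held only by the authenticator.
# Real authenticators sign with ECDSA/EdDSA; HMAC keeps this example on the standard library.
CRED_KEY = b"constructed-credential-key"


def authenticator_assert(rp_id: str, page_origin: str, challenge: bytes) -> dict:
    """Model of browser + authenticator. The browser writes the origin it is actually on
    into clientDataJSON; the authenticator binds the RP ID into authenticatorData
    and signs over authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,
    }, separators=(",", ":")).encode()
    # rpIdHash (32 bytes) || flags (UP set) || signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec: ceremony type, challenge,
    origin, rpIdHash, then the signature over the data the authenticator signed."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    padded = cd["challenge"] + "=" * (-len(cd["challenge"]) % 4)
    if base64.urlsafe_b64decode(padded) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin %s != %s" % (cd.get("origin"), RP_ORIGIN)
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def scenario_totp_relayed(now: int) -> bool:
    """User reads the code from their app and types it into the lookalike page;
    the proxy forwards it unchanged and the real server accepts it."""
    code = totp(TOTP_SECRET, now)
    return totp_login_accepts(code, now)


def scenario_webauthn_relayed() -> tuple:
    """The proxy forwards the real site's challenge, but the user's browser is on the
    lookalike origin, and a browser only permits an rpId that matches that origin's host,
    so both the origin and the rpIdHash the real site sees are wrong."""
    challenge = b"constructed-challenge-32-bytes!!"
    assertion = authenticator_assert("1astpass.example", LOOKALIKE_ORIGIN, challenge)
    return rp_verify_assertion(assertion, challenge)


def scenario_webauthn_legit() -> tuple:
    """Same ceremony from the genuine origin: every check passes."""
    challenge = b"constructed-challenge-32-bytes!!"
    assertion = authenticator_assert(RP_ID, RP_ORIGIN, challenge)
    return rp_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    print("TOTP relayed through lookalike accepted:", scenario_totp_relayed(1700000000))
    print("WebAuthn from genuine origin:", scenario_webauthn_legit())
    print("WebAuthn relayed through lookalike:", scenario_webauthn_relayed())
```

In practice the failure happens even earlier than the simulation shows: a hardware key stores credentials scoped to the RP ID, so a page on the lookalike host cannot ask the authenticator for the credential registered to the real site at all. The simulation lets the ceremony proceed so that the relying party's own origin and rpIdHash checks are visible as the point where the relayed login is rejected, while the TOTP path has no equivalent check to fail.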

8 Comments
schmitmd
New Member

Ron, I'm with you completely.  This is ridiculous.  I've shot out a Tweet to LastPass, but who knows if they'll reply or even see it. 

Personal opinions and observations incoming:

Based on what I'm seeing online, LogMeIn/LastPass has majorly dropped focus for end-users in favor of working to improve the enterprise side of things.  Getting U2F in place would benefit both of those verticals, except for the fact that they paywall YubiKey's original OTP functionality.  They'd either have to paywall U2F as well (and suffer the PR nightmare that would be) or...do nothing.  Seems like they've chosen the latter.

Maybe my coworkers are right and I need to look into jumping ship to Bitwarden after all.  I was holding out for them to get a security audit, but that's long since been completed and the project has reached a decent maturity.

--edit--: Looks like Bitwarden's U2F functionality is paywalled too, so maybe I'm wrong about the PR thing.  Even paywalled though, this feature is super important and the fact that it's not already in place is kinda shameful.

https://twitter.com/schmitmd/status/1378486956582174724

RonWeasley
Active Contributor

To re-emphasize the importance of this, the domain 1astpass.com (note the leading 1, not L) is already registered with someone. 

You thought you were safe with your 2FA, but you get a phishing email asking you to log in to the above site (or similar) and then the man-in-the-middle reverse proxy just passes your details to LastPass, which logs you in, and potentially the MITM now has full access to your vault. Just watch:

https://youtu.be/2rvPXgG-6QM

We must have WebAuthn or FIDO2 U2F authentication in order to prevent this kind of attack. 1password has it. Dashlane has it. Bitwarden has it. Come on LogMeIn guys, please!

ampedtogo
New Member

+1. Have had a family/premium subscription for a few years now, using YubiKey with Lastpass for MFA. We are long past the point when the FIDO protocols were new and OTP was an acceptable stopgap solution. There are plenty of articles like this one describing how to conduct a MITM attack. 

I really like Lastpass but this one issue will drive me to a competitor if it is not resolved soon.

RonWeasley
Active Contributor

Thanks for your support @ampedtogo 

The article you linked makes for damning reading, doesn't it?  This is what LastPass say: "The privacy and security of our customers' data is always a top priority here at LastPass" - LastPass blog, February 2021.

So high up their priority list that they have not implemented U2F after many years of people asking for it?

password123
New Member

I'm moving my company's account if this does not get implemented within the next year.  $2,500/yr in rev lost.  

koreka
New Member

Couldn't agree more.  Is Lastpass silent on whether there's a roadmap to support FIDO U2F?  If so, there's no reason for Lastpass Premium members to migrate over to Bitwarden Premium or some similar service which does support FIDO U2F. 

damonmaria
New Member

Even Safari supports FIDO/U2F. For a security focused product this is embarrassing. 

RonWeasley
Active Contributor

@damonmaria, thank you, I could not have put it better myself. Embarrassing.

It's about time the reviews started shaming LogMeIn over this. Dashlane, 1Password, Bitwarden, Keeper (and probably others, but this is just off the top of my head) all support U2F.

U2F missing from LastPass should, on its own, be enough to make reviewers recommend people not use it and choose an alternative.