The current TOTP implementation in LastPass only generates SHA-1 keys. Can this be extended to support more algorithms, like SHA256 and SHA512? Websites and other services are moving away from SHA1 keys.
Hi bas_! If I understand the above correctly then this is already enabled in the LastPass Authenticator App. For example, on Android you can go to Add account > Add manually > Change standard settings > I understand > SHA1 / SHA256 / SHA512.
Let me know if I've misunderstood though?
Hi @JohnAUK! We're using the TOTP function in the web vault/browser plugin, but we cannot change the session there. I assume the LastPass Authenticator App does not use the same vault data/config?
Hi @bas_! If you select the 'edit' button for an account in your vault/browser and then enter the secret key in the field titled 'One-time passcode' you will see the TOTP codes that are generated by the LastPass Authenticator - I believe that SHA1/256/512 are all supported but I'm currently checking with one of my teammates (All of these are definitely supported in the LastPass Authenticator App). If you have an Android device then you can get the secret key in your LastPass Authenticator App by selecting your TOTP code --> edit account --> secret key. We haven't launched this feature on iOS as yet though.
I hope that helps?
Hello @JohnAUK , sorry for the late response. We are an active user of the web vault and browser plugins, but the functionality is missing there to change the hash algorithms. The only option is to add a TOTP using a secret key, but that still defaults to SHA-1 with no other modifications allowed.
OK I get you now thanks for explaining @Bas. I'll pass this on to the relevant team at LastPass as my primary focus is on the LastPass Authenticator itself. Great feedback though and thank you!
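Added example, not part of the thread and not LastPass code: a standard-library Python implementation of RFC 6238 TOTP with a selectable hash, showing that a code computed with SHA-1 does not verify when the service enrolled the same secret with SHA256. The secret `JBSWY3DPEHPK3PXP`, the timestamp and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(b32: str) -> bytes:
    """Decode a Base32 secret key as it is typed into an authenticator."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    try:
        digestmod = ALGORITHMS[algorithm.upper()]
    except KeyError:
        raise ValueError(f"unsupported TOTP algorithm: {algorithm!r}") from None
    counter = struct.pack(">Q", unix_time // period)       # 8-byte big-endian step
    mac = hmac.new(secret, counter, digestmod).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, algorithm="SHA1", digits=6, period=30):
    """Server-side check for one time step, using a constant-time compare."""
    expected = totp(secret, unix_time, algorithm, digits, period)
    return hmac.compare_digest(expected, code)


def demo():
    """A service enrolled with SHA256 checks codes from two kinds of client."""
    secret = decode_secret("JBSWY3DPEHPK3PXP")   # constructed sample secret
    now = 1700000000                             # constructed timestamp
    sha1_code = totp(secret, now, "SHA1")        # client fixed to SHA-1
    sha256_code = totp(secret, now, "SHA256")    # client honouring the setting
    return {
        "sha1_client_accepted": verify(secret, sha1_code, now, "SHA256"),
        "sha256_client_accepted": verify(secret, sha256_code, now, "SHA256"),
    }


if __name__ == "__main__":
    print(demo())
```

The hash algorithm is part of the enrolment parameters alongside the secret, digit count and period, so a client that cannot change it produces well-formed codes that the service rejects.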