I have multiple YubiKeys and recently started refreshing my keys to the latest versions. While transferring my accounts to the new keys, I noticed that there is absolutely no way to differentiate them in the LastPass account management page. This lack of identifiers makes the process unnecessarily cumbersome and it should really be a trivial thing to remedy.
Most other services allow you to give each key a nickname and provide you with the date that they were added. e.g. GitHub:
Nicknames and Registration dates are useful
If one were to have a single one of their keys compromised in a disaster scenario (e.g. it gets stolen), being forced to resort to removing each and every key from their account and then subsequently re-adding each key they wish to use would be a thoroughly infuriating process (and - if their YubiKeys are their only form of 2FA - needing to completely remove all devices could essentially mean forcing them to completely disable 2FA for their account for a period of time).
Add a "lock" function to LastPass in the web browser extensions, similar to the PIN lock function of LastPass on mobile (where LastPass stays "logged in" but cannot be used until the user enters a PIN, instead of the Master Password), AND: Instead of a PIN or anything that the user manually types in, the user (re-)activates the (locked) LastPass session by tapping their YubiKey.
Use case and justification:
For users who have limited motor ability, such as those with neurodegenerative diseases like Parkinson's Disease, or serious arthritis, or a number of other conditions, typing long, complex passwords (such as a LastPass Master Password) is a challenge or is practically impossible.
As a result, such a user is forced to choose among several bad alternatives in order to make good use of LastPass:
The user could stay always logged in to LastPass; or
The user could use a weak (easily typed) Master Password; or
The user could keep the LastPass Master Password in a text or other file on the computer so as to be able to easily copy and paste it whenever it is needed to log in to or otherwise further authorize functionality in LastPass.
Staying always logged in may be acceptable on a very strongly secured computer, a computer operated by a security expert. I do this. I am a security expert. And it still is a risk.
Most users are not security experts. Their computers may be more-or-less well-secured (for most users, less) but staying always logged in is a risk that the user should not have to take due to a lack of this functionality in LastPass.
Using a weak Master Password is obviously bad.
Keeping the LastPass Master Password in a text file on the computer puts the user's LastPass Vault at risk in case the computer is compromised. (Bruce Schneier referred to this in an article in 2014 about the problems with passwords generally, not specific to password vaults, pointing out that even already seven+ years ago, thieves compromise computers and then scan all files, deleted space, and RAM, looking for things that might be passwords, and then test those passwords against valuable properties like bank accounts ... and of course password vaults).
Yes, 2-factor authentication of LastPass is a defense against this. But we shouldn’t have to rely on it.
So, these physically limited users' necessary use case – the necessary use case of any user who cannot readily type a long, complex password such as a LastPass Master Password – should be to be able to "stay logged in to LastPass" in the sense of not having to re-enter the Master Password, while "locking" LastPass in the same way that we can on a mobile device (but which is not a feature of LastPass on the desktop) ... AND THEN being able to "unlock" LastPass by tapping the button on a YubiKey.
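The lock/unlock flow the post above asks for can be built on the YubiKey's HMAC-SHA1 challenge-response slot rather than on a PIN. The sketch below is an added illustration and is not code from the post's author or from LastPass: the session key stays in memory only while unlocked; "lock" wraps it under a key derived from the device's response to a fresh random challenge and zeroes the plaintext; "unlock" sends the stored challenge to the key again (the tap), recomputes the wrapping key, and verifies a MAC before restoring the session key, so a wrong or absent key leaves the session locked. The YubiKey itself is simulated in software (a real slot computes the same HMAC-SHA1 with a 20-byte secret that never leaves the device); the class and function names are the example's own assumptions.

```python
import hashlib
import hmac
import secrets


class SimulatedYubiKey:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    A real key computes HMAC-SHA1 over the challenge with a 20-byte slot secret
    and, when configured for it, only after the button is touched. The secret
    here is generated in software purely for the example.
    """

    def __init__(self, slot_secret: bytes = b""):
        self._secret = slot_secret or secrets.token_bytes(20)
        self.touches = 0  # counts the taps the post describes

    def challenge_response(self, challenge: bytes) -> bytes:
        self.touches += 1
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def _wrap_keys(response: bytes) -> tuple:
    """Derive a 32-byte masking key and a MAC key from the 20-byte device response."""
    enc = hashlib.sha256(b"session-lock-enc" + response).digest()
    mac = hashlib.sha256(b"session-lock-mac" + response).digest()
    return enc, mac


class ExtensionSession:
    """Browser-extension session that can be locked without discarding login state."""

    def __init__(self, vault_key: bytes):
        if len(vault_key) != 32:
            raise ValueError("vault key must be 32 bytes")
        self._vault_key = bytearray(vault_key)  # mutable so lock() can zero it
        self._locked = None  # (challenge, wrapped_key, tag) while locked

    @property
    def locked(self) -> bool:
        return self._locked is not None

    def vault_key(self) -> bytes:
        # Anything that needs the vault (autofill, decrypting entries) goes through here.
        if self.locked:
            raise PermissionError("session is locked; tap the YubiKey to unlock")
        return bytes(self._vault_key)

    def lock(self, device: SimulatedYubiKey) -> None:
        if self.locked:
            return
        challenge = secrets.token_bytes(32)  # fresh per lock; never reused
        enc, mac = _wrap_keys(device.challenge_response(challenge))
        # One-time mask of the key under enc; enc is derived once per challenge and discarded.
        wrapped = bytes(a ^ b for a, b in zip(self._vault_key, enc))
        tag = hmac.new(mac, challenge + wrapped, hashlib.sha256).digest()
        self._locked = (challenge, wrapped, tag)
        for i in range(len(self._vault_key)):  # drop the plaintext key from memory
            self._vault_key[i] = 0

    def unlock(self, device: SimulatedYubiKey) -> bool:
        """Return True if the presented key unwraps the session; False leaves it locked."""
        if not self.locked:
            return True
        challenge, wrapped, tag = self._locked
        enc, mac = _wrap_keys(device.challenge_response(challenge))
        expected = hmac.new(mac, challenge + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong device: nothing is revealed and state is unchanged
        self._vault_key = bytearray(a ^ b for a, b in zip(wrapped, enc))
        self._locked = None
        return True


if __name__ == "__main__":
    key = SimulatedYubiKey()
    session = ExtensionSession(secrets.token_bytes(32))  # key obtained at Master Password login
    session.lock(key)
    print("locked:", session.locked, "unlock with other key:", session.unlock(SimulatedYubiKey()))
    print("unlock with own key:", session.unlock(key), "locked:", session.locked)
```

As written, locking also asks for a touch because it needs a response to a fresh challenge; an idle auto-lock would instead prepare the wrapped blob and tag right after each unlock (the plaintext key and the blob can coexist, since the blob is useless without the device) so the timer can zero the key with no touch. The master password is never involved in unlock, which is the accessibility point of the request, while a stolen laptop in the locked state holds only the challenge, the wrapped key and the tag.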