GlennD
GoTo Manager

Passwordless is possible - today!

What is Passwordless? 

Passwordless login is a new way to access your LastPass Vault without having to enter your master password. Once set up, you will simply authenticate, rather than having to type a password to access your vault. Here’s how to set it up. 

 

So, do I need my master password? 

Yes, for now. There are three scenarios where you'll need your master password: 1) to set up passwordless login, 2) in case of a failed authentication attempt, or 3) to make security changes to your account. Eventually, LastPass will remove the master password altogether, but that takes time. This is just the first step in LastPass' passwordless journey. 

 

Is the Authenticator app the only way to use Passwordless? 

The LastPass Authenticator app is the first authentication method to be released. Over the next few months, LastPass will be introducing additional methods to log into your vault including biometrics and security keys like Yubikey. 

 

Glenn is a member of the GoTo Community Care Team.

mojomarc
New Contributor

A public key gets sent to the server (in this case LastPass) but the private key is on the device you already have and never gets transmitted. so rather than send a password over the web, which can be easily hacked, you're sending an encrypted token that can only result in decryption of the server sends out back to the correct private key. You need both to successfully login. It makes it substantially harder to be hacked, subject to man in the middle attacks, and it is basically impossible to be phished. I'm not a huge expert so I may be slightly off in my understanding.

Can you be tracked by it? That depends entirely on the application. For my company registered device, the challenge adds Location data so I can see where a request comes from in the world. This means before I answer the challenge I can see if it came from my vicinity or from 6000 miles away. I think from a security perspective this is great personally. I just wish this wasn't limited to LastPass Authenticator....
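The challenge-response flow the post above describes (public key on the server, private key that never leaves the device, a server challenge only that key can answer) can be shown end to end in a few dozen lines. The following is an added example written for this thread; it is not LastPass code and does not describe how LastPass Authenticator is implemented. It assumes Ed25519 signatures, a single-use random nonce per login, and the device signing the nonce together with the site identifier it is talking to (FIDO-style origin binding, which is an assumption here, not something the post states). The user and site names are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Response is what the device returns: the nonce it signed, the site it
// believed it was answering, and the signature over both.
type Response struct {
	Nonce []byte
	RPID  string
	Sig   []byte
}

// signedMessage binds the nonce to the site identifier before signing.
func signedMessage(nonce []byte, rpID string) []byte {
	return append(append([]byte{}, nonce...), []byte(rpID)...)
}

// Device holds the private key, which never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates a key pair; only the public half goes to the server.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Answer signs the challenge together with the site the user is looking at.
func (d *Device) Answer(nonce []byte, siteSeen string) Response {
	return Response{Nonce: nonce, RPID: siteSeen,
		Sig: ed25519.Sign(d.priv, signedMessage(nonce, siteSeen))}
}

// Server stores enrolled public keys and one pending nonce per user.
type Server struct {
	rpID    string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers the device's public key for a user.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge hands out a fresh random nonce; Verify accepts each one only once.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks that the response answers the outstanding nonce, was signed
// for this site, and carries a valid signature from the enrolled key.
func (s *Server) Verify(user string, r Response) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no pending challenge")
	}
	delete(s.pending, user) // single use, whether or not the attempt succeeds
	if !bytes.Equal(nonce, r.Nonce) {
		return errors.New("nonce mismatch: stale or replayed response")
	}
	if r.RPID != s.rpID {
		return fmt.Errorf("response was signed for %q, not %q", r.RPID, s.rpID)
	}
	if !ed25519.Verify(pub, signedMessage(r.Nonce, r.RPID), r.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenarios walks through a genuine login, a replayed response, and a
// challenge relayed through a look-alike site (all names are constructed).
func RunScenarios() (legit, replay, phish error) {
	dev, pub, err := NewDevice()
	if err != nil {
		return err, err, err
	}
	srv := NewServer("vault.example")
	srv.Enroll("alice", pub)

	nonce, _ := srv.Challenge("alice") // 1. genuine login
	resp := dev.Answer(nonce, "vault.example")
	legit = srv.Verify("alice", resp)

	srv.Challenge("alice") // 2. same response presented against a new nonce
	replay = srv.Verify("alice", resp)

	nonce, _ = srv.Challenge("alice") // 3. device signs for the site it actually sees
	phish = srv.Verify("alice", dev.Answer(nonce, "vau1t.example"))
	return legit, replay, phish
}

func main() {
	legit, replay, phish := RunScenarios()
	fmt.Println("genuine login:", legit)
	fmt.Println("replayed response:", replay)
	fmt.Println("relayed through look-alike site:", phish)
}
```

The two rejections are the point: a captured response is useless against any later challenge because the nonce is consumed, and a response produced while the user is on a look-alike site fails because the device signed the name it actually saw, which the real server refuses. Rewriting the RPID field to the genuine name does not help either, since the signature then no longer matches.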
Kevin67
New Contributor

Does anyone know if the LastPass folks even monitor this community thread for questions/concerns that are raised or is this community page just paying customers and no involvement from LastPass support/product management/etc?

mojomarc
New Contributor

I don't think I said anything different than that, really. I think maybe my comment about "domain credentials" was misconstrued to mean password, when I was really meaning "domain username". I haven't had to enter a password on my work PC in three years.
jcwalk
New Contributor

I tried to follow the direction to set up passwordless. However, after I clicked "LOG IN WITH AUTHENTICATOR" the push notice won't appear. I checked the notifications settings on my iPhone and all settings were fine. The "Allow Notification" was ON in the Authenticator app settings. I'm not sure if I missed anything. Please help. TIA!

Zoox
Active Contributor

" It makes it substantially harder to be hacked, "

I fear it's the opposite. The app will make things far more insecure for many users.
The reason is simple; most users have one phone and both the Lastpass and authenticator are on the same phone. Once the attacker has your phone he has complete access to everything.

Once the authenticator app becomes mandatory I'll cancel my subscription.
Far, far better would be giving the user (a combination) of options:
fingerprint, PIN, master password and authenticator.

This new feature sounds nothing more than a marketing gimmick.

Zoox
Active Contributor

It's impossible to know they read this rather long thread.

But as you noticed they never answer any questions. I think that's a bad thing both for us and them.

We don't get our answers. Potential new customers look and conclude "This is one of those companies that turns silent once they have my money".

Many questions could have been answered by writing a decent press release. I don't want to be rude but what I received is simply extremely bad. No explanation whatsoever. A company based on security must know in advance at least half of the questions asked in this thread. If they don't, they don't care or don't really know what they are doing.

Zoox
Active Contributor

Hopefully the LastPass folks will correct me if my assumptions are wrong, but I think there is a lot of consternation about losing phones that really aren't that scary once you've used passwordless 

 

They should have answered that in their initial press release.

a- If my phone gets stolen, can the thief access my passwords using the authenticator app?

b- If my phone dies, can I set up a new authenticator on my new phone?

Right now the answer to question b is yes because you still can do all sorts of things in your account using your master password. But in their press release they wrote that 'soon' the master password is totally gone.

Those two questions keep returning in many shapes and forms in this thread. They should have been answered in the initial press release.

snyde
New Contributor

Hello, I was able to set up passwordless on a single device (call it 1) with the LP Authenticator. So far so good. But I have another device (call it 2), which is my backup in case anything goes wrong, and I would like to set up LPA on that one too. I was able to set up passwordless on device 2, but I still need to approve from device 1. Useless if device 1 gets lost. If it was Google Auth I would just display the QR code again and add it on device 2, but now there's no option to display it anymore for LPA. How can I add my account to LPA on device 2?
Thanks.

mojomarc
New Contributor

"I fear it's the opposite. The app will make things far more insecure for many users.
The reason is simple; most users have one phone and both the Lastpass and authenticator are on the same phone. Once the attacker has your phone he has complete access to everything."

This isn't the right way to look at it. First, your phone should be secured. I know I use Face ID on mine, so if someone gets a hold of my phone it is difficult for them to get in. Second, your vault is still secured by password and (if you're smart) a second factor. Third, the way passwordless works is that it passes the public key to the website you're logging into, not your vault. And typically (not sure how LastPass will implement it, but this is how it works for my work) the tokens last only one session, and to get access to the Microsoft Authenticator I have a second biometric factor in Face ID. So if someone gets a hold of my phone I am not all that worried, assuming this is how LastPass does it as well. I mean if this works for Windows Hello with a half billion PCs daily....

And it really isn't a new marketing gimmick. It basically makes phishing attacks impossible, and phishing is the most common attack vector and the most successful. Any MFA is better than straight username/password, but when there is essentially no password to enter, it makes it much harder to trick someone into giving it up.
DanaN
Active Contributor

I had this same experience, a few minutes ago. Odd. However, I *was* able to open my vault, in kind-of the old-fashioned way.

My laptop's screen had a place where you can enter a passcode from the LP Authenticator. I opened that app on my phone, found the numbers for the passcode, and typed them into the field on my laptop. LastPass came right up.

So it turned out to be a little clunkier than promised. But it didn't prevent me from getting to my vault on my laptop.