MFA with One-Time Passwords

I'm trying to test One-Time Passwords with my hypothetical emergency use scenario.

I envision that I am traveling and all my electronic devices have been lost, stolen or destroyed. I need to log on to Lastpass.com from a random PC that I do not trust as it might have a keylogger. I will log on using a One-Time Password that I have generated in advance. I have Grid Authentication turned on and still have access to the grid. I have Lastpass Authenticator on my phone as the default MFA device, but the assumption is that the phone has been stolen. I also have email verification of new devices turned on.

I just tested this scenario and found that while I can initially log on with my OTP, I am presented with a challenge to enter the TOTP code from the authenticator on my phone. I have the option of receiving a code via SMS, but in this scenario my phone has been stolen.

I see no option of using my Grid to authenticate. Is there no way to do this?

Is there no backup means of MFA when using One-Time passwords? Any advice is appreciated.
2 REPLIES

Re: MFA with One-Time Passwords

I found that if I set my default MFA to Grid, then the One-Time Password login will ask me for my grid. On normal logins the newly implemented MFA Fallback allows me to use the Grid or select other methods like the LastPass Authenticator.

Will the MFA Fallback mechanism for normal logins be implemented also for One-Time Password logins?

Re: MFA with One-Time Passwords

I think I found another issue.
If you set up "Require Master Password Reprompt" on any entry, then when you want to see or copy a password, for example, it will ask you to enter the master password and NOT the OTP, which defeats the purpose of protecting against a potential keylogger.
Why would you use an OTP to log in to the vault if you will be asked to enter the Master Password right after?
