Device based Master Password and 2FA


A]
Due to keyboard layouts, entering passwords on a phone or desktop differs.

So my request is the option to have two master passwords.

 

B]
In fact, I would like to have all 2FA options linked to the device instead of being global.

Again because the hardware differs between my phone and desktop; so the most handy 2FA varies per device.

Also because my desktop is in a far more secure environment than my phone so 2FA might not be needed.

 

 

1 Comment
Zoox
Active Contributor

Commenting on my own point A].

 

Most of the security experts and companies making security-related software (LastPass) overlook that is a great way and with that greatly contributing to insecure passwords. Dare I say 'force' users?

They fail to understand that while the math behind password recommendations is perfect, it will be useless if the user doesn't use it because it's time consuming.

 

I'm going to explain what I mean by giving a hypothetical example.

Adding a special character to your password (greatly) increases entropy.
But if typing such a character takes 5 extra steps many people will not use it; and with that lowering security.

So perhaps typing a ® on your phone is easy (varies by keyboard app you have installed) but hard on your PC.

Then many people will decide not to use ® at all.

But if LastPass allows for different master passwords the user could pick a more convenient special character on the PC.

 

The main step in improving security is not ease of use.

Not another 2FA method.

Not a better password generator.

Not encrypting the database with a better cypher.

 

It's always the weakest link that's under attack. The master password.

What I would view as the most significant upgrade for LastPass is the ability to enter a password with a 160 bit entropy, without being very long.

And that's done by greatly improving on the user friendliness of the UI.

Yes, advising very long passwords won't help either. If you think that's not true then I dare you to enforce a 20 character master password. Just see how many customers you lose in a short time 🙂

 

I wish you a happy and secure 2022.