nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Will LastPass ever support WebAuthn or Fido2 / U2F?

ron.weasley

As people may be aware, currently LastPass supports Yubikeys and 2 factor authentication, but ONLY using the much less secure OTP (One Time Password) functionality. Whilst much better than no second factor, OTP is not very secure, and is vulnerable to targeted phishing and man-in-the-middle attacks.

Pretty much ALL of the other leading password managers - off the top of my head, Dashlane, 1Password, Bitwarden, Keeper - all support U2F or WebAuthn. Even Chrome and Edge password managers support it. But Lastpass lags behind still only supporting OTP.

This is a very bad situation for something such as a password manager, which IMO should be absolutely as secure as possible. Many people have requested U2F support already, but there seems to be no news.

Please can LogMeIn look into supporting U2F/WebAuthn as soon as possible?

Find more posts tagged with

Accepted answers

All comments

glenn.dobson

Hi@"RonWeasley"

Will we ever support FIDO2? The answer is yes. It has been discussed already, but I do not have an ETA for when it will be available. I understand that you are trying to make a point, but I think your claim about LastPass being "easily hackable" because we do not support FIDO2 yet is alarmist.

I encourage all to vote and comment on Feature Requests that matter to them, it helps us prioritize existing work that is already planned and identify new improvements that matter to the majority of our customers.

ron.weasley

With respect Rachel (and with respect to other LastPass users), I suspect most of them do not either (a) realise why they need WebAuthn, and/or (b) realise that your Yubikey implementation is OTP only.

So IMO you should not judge the importance of this feature according to how many people request it. Surely, keeping peoples MOST valuable secrets - such as their banking details - secret, is the most important thing? And OTP is simply not safe.

It's IMO pretty irresponsible to be offering a security framework which is easily hackable, and especially negligent considering all your major competitors support U2F or WebAuthn already. I think LogMeIn are morally obliged to prioritize this, even if no-one requests it!

EDIT: I might add, who accepted your response as a solution? My original question remains unanswered and therefore I do not accept your answer as a "solution".

rachael.orovets

Hi@"RonWeasley",

We do have an open Feature Suggestion here for adding WebAuthn or Fido2 / U2FYubikey support here: we would recommend commenting or giving a kudos on this idea so that the product team can gauge the interest from users and hopefully add this option in the future.

ron.weasley

Good news that it is on the roadmap - I was unaware of this.

And I am not trying to be alarmist - apologies if it came across that way. There's no point in my being so because let's face it, like maybe only 0.001% (if that) of Lastpass users will ever see this thread. It's YOU guys - LogMeIn developers - I am trying to impress the importance of this upon.

And again, I put it to you, this is something you should be prioritising even if no-one voted for it. Just as you'd prioritise any other security loophole you became aware of, even if no-one voted for that.

But is a reverse proxy MITM attack easy to set up by criminals? Yes, I would say it is. The average user is just gambling that they should be lucky enough never to be a target, and never to be caught off guard.

Chris Meyer

In addition to the security concerns already mentioned, I'll bring up another few points.

I now view SMS messages as an account recovery option as a liability since it has been shown recently how easy it is to hijack a phone number (Google search for recent accounts of this). Webauthn with SMS recovery is basically a huge security risk at this point. Thankfully that is not required for LastPass currently.

Numerous browsers now support Webauthn on phones and computers where the environment has been deemed secure (i.e. secure enclave, etc.)Ideally I'd like to be able to configure Webauthn to work from *multiple* browsers on *multiple* computers. I use LastPass on my phone (Chrome), Macbook Pro (Chrome, Firefox, Safari), and Windows machine (Firefox). If you're going to do Webauthn, please allow users to add multiple instances, much like how Microsoft allows you to have multiple browsers, hardware keys, etc. as means to log in. One time passwords to recover are also nice. SMS to recover is a major liability.

An example of how NOT to do things on a popular website is Coinbase, which allows one FIDO device and only allows SMS as a recovery mechanism. Not a great solution.

glenn.dobson

Just so there is no confusion, FIDO2 is already on the list of must haves along with some other high priority work and we plan to deliver it in 2022. Once we are close to a release state we can talk about ETAs.

ron.weasley

@KnoxJohnstonAbsolutely agreed!

We must have the ability to enable WebAuthn / FIDO2 *and* if we so chose, to disable other authentication methods. Just like Google does with its Advanced Protection Program.

Sure, there's a risk customers may lock themselves out forever, but SURELY it is up to the customer to decide? If you are really paranoid, then maybe require 2 or more security keys before allowing customers to disable SMS recovery?

What on earth is the point of having a fabulous unpickable lock on the front door of your house, if the back door has a crappy old lock you can open with a spoon???

glenn.dobson

Hi@"RonWeasley"

We originally planed to have something by the end of 2021, but this had to be pushed out to the start of 2022. My understanding is we are actively working on this now. I will definitely post an update for everyone in this thread once I have news to share.

ron.weasley

@GlennDHi again - I hope you are well?

Since 3 months has passed since your last post on this, I am wondering if there is any news on U2F / WebAuthn developments? I was pleased to read the announcement of increased investment, and hoped that this is an area of focus for such investment?

LastPass is IMO the best of the bunch of password managers but this reliance upon OTP is IMO the one area which lets it down badly compared to your major competitors.

ron.weasley

Hi@"GlennD"

Thanks for the info - that's great news! Hopefully not too long to wait.

Cheers

logmein

Glenn, it's wonderful news that LastPass will have this essential security functionality. Looking forward to seeing an update with a rollout date soon.

chris

@GlennD are you able to provide an ETA for WebAuthn support? Thank you.

ron.weasley

Hi@"GlennD"Hope you are well?

As May fast approaches, I am wondering if there's any news on WebAuthn (/Fido2 U2F) support? I believe you said it was originally planned for late 2021, but since slipped into early 2022.

Thanks

ron.weasley

Sorry to be replying to my own post, but sometime software vendors make available product roadmaps. I know my company does, and incidentally I know Bitwarden do. Might this not be a good idea, so that customers know what to expect and don't have to keep hassling support staff over likely availability dates? If WebAuthn is not coming for many, many months at least if we know that, then we can plan accordingly. And if it's coming sooner, then ditto. We just need some predictability, and yes, we understand plans can change. But at the moment, it's just like a black hole with no information coming out.

No idea if WebAuthn is coming next week or next month or next year.

tim

Again, a bit more transparency on ETA would be great. I'm currently working with one of my clients on a WebAuthn deployment, and LastPass is currently their largest uncertainty, and this is making planning difficult.

This feature appears to have slipped. No problem, these things happen, but please keep your users updated!

ron.weasley

@GlennDCome on Glenn, please!

It is now 3 months since we had any update on this, despite numerous requests. I don't know if you are just busy but it's starting to feel like customers are just an annoyance who will go away if you ignore them.

Please can we have an update on when we might reasonably expect WebAuthn support?

ron.weasley

Well, sorry to say this but having used LastPass for many years, enough is enough.

Shame. I would have staying with LP if we'd got some movement on this IMO critical feature which has been lacking for so long.

Cheerio.

tim

FWIW, it's stated that hardware security keys (FIDO2 / WebAuthn is implied) will be supported "later this year" on the LastPass blog post dated June 6th 2022 "Passwordless Is Possible: LastPass Gets You There Sooner".