Proposals to improve LastPass Chrome extension

Question

Here are few things I spotted and can be improved further

* If user enters wrong password in Chrome extension having correct email, LastPass explicitly says that password is wrong. Solution: Update error message to be: wrong email or password, please try again. Therefore, it is not clear for potential brute force attacker what is exactly wrong email or password.
* While using Yubico Yubikeys LastPass chrome extension does not ask for security key's PIN. Solution: Ask security key PIN each time security key used as second factor. Example: google auth flow using security keys. Google asks for PIN of passkey each time it is used as second factor

kolosovp94 · Answer

1) this it the message I got from device authorized for login, it was approved via email previously
Definitely, it requires that attacker has physical access to the device (which is quite unlikely, but still possible), but still it is better not to specify that precisely master password is incorrect.

2) About to ask PIN of Yubico security keys, documentation states that "PIN prompts are a result of a WebAuthn setting known asUser Verification. This setting is controlled by each service provider." See https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs

It is still subject for user experience (not all users probably want to type PIN each use), probably it is fine to add some additional setting to Chrome extension so that user can decide to turn it on or off

For me personally: I'd ask to enter PIN each use of security key.

LastPass Support · Answer

Hello @kolosovp94​,

My name is Henry and I am happy to assist with your inquiry, and appreciate you contacting LastPass Support!

Thank you for your comments. Let me review each of them:

For the first one, this is the message shown when I tried to log into LastPass using the Chrome extension with an incorrect password:

It does not specify that the password is incorrect. If you get the message following specific steps, please provide them.

On your second suggestion, regarding the PIN. Yubikey is already considered a 2 factor authentication. Within LastPass settings, there is no option currently to enter the PIN. I will escalate this feature request to my team. This does not guarantee that it will be implemented but our team will review it.

Thank you,

Henry | Customer Care