

I think the most important information from this was that they confirmed the 2FA seeds were leaked and decrypted. Not just the LastPass 2FA seed, but all the secrets in your Authenticator. For some reason, this part was not encrypted using their zero-knowledge method (!). They stored the key somewhere and the hacker took it along with the data.

As comments pointed out, it is vague whether the TOTP secrets for other sites stored in the LP Authenticator were breached. So if you are using LastPass Authenticator, reset every seed stored in it. It seems that LP confirmed 'MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault' were leaked, and they only recommend 'regenerate your shared secrets in your LastPass account settings' rather than other sites as well. Whether other seeds stored in the LP Authenticator were encrypted or leaked needs further disclosure. Probably after reading this thread, LP added another section in the recommendation page, confirming that 'the TOTP seeds used to generate the six-digit TOTP codes in your LastPass Authenticator are backed up to your LastPass vault using zero knowledge', such that they are also protected with your master password.

For anyone not familiar, if you are using TOTP OTPs, the server (LastPass) generates a secret key / seed. It might look something like this: sidj 3s9d as0s fps0 aso2. If you put that secret key into any TOTP app, like LP's or Authy, Google Authenticator, etc., it will take that secret, plus the current time, and generate a 6-digit code, like 293 484. The secret (starting sidj in the above) is shared - both the user and the server know it. Usually it's disguised in a QR code that you scan, but that is what the secret is.

For LP, the TOTP OTP is used as one step to authenticate the user and allow the user to download the vault. That way, both the user and the server generate the same TOTP - 293 484 - to authenticate that they are who they say they are. Anyone wanting the vault, for an account with TOTP OTP, needs username + master password + TOTP OTP. MFA is for authentication.
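The "shared seed plus current time" mechanism described in the TOTP explanation above, written out as an added example (this is not code from the thread or from LastPass). It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and 6 digits, the defaults that LastPass Authenticator, Authy and Google Authenticator use. The seed is a constructed value: the RFC 6238 reference key "12345678901234567890" in the base32 form an authenticator app would accept; the "sidj 3s9d ..." string in the post is illustrative and is not valid base32, so it is not used here. The server-side check with a one-step skew window is an assumption about how a typical server behaves, not a description of LastPass's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed (not a real LastPass secret): the RFC 6238 reference
# key "12345678901234567890", base32-encoded the way an otpauth:// QR code carries it.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Normalise a human-readable seed (spaces, lowercase) and base32-decode it."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Nothing but the seed and the clock."""
    return hotp(decode_seed(seed_b32), at_time // step, digits)


def server_verify(seed_b32: str, submitted: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed behaviour): the server recomputes the code from its copy of the
    seed and accepts the current step or +/- `window` steps to tolerate clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, at_time + drift * step, step), submitted):
            return True
    return False


def main():
    now = int(time.time())
    client_code = totp(EXAMPLE_SEED_B32, now)          # what the authenticator app shows
    print("client code:", client_code)
    print("server accepts:", server_verify(EXAMPLE_SEED_B32, client_code, now))
    # Anyone holding a leaked copy of the seed derives the identical code; no other input exists.
    print("holder of leaked seed:", totp(EXAMPLE_SEED_B32, now))


if __name__ == "__main__":
    main()
```

Running it shows the point the thread is making: the code is a pure function of the seed and the clock, so a leaked seed lets anyone produce a valid second factor for as long as that seed stays registered, which is why regenerating every seed is the only remediation. It also shows the limit of the damage: the seed feeds only this authentication check and plays no part in deriving the vault's encryption key from the master password.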
