Angry Lastpass users have taken to social media with reports that they’ve been struggling to access their accounts since the company’s security upgrade back in May. What’s more, there doesn’t seem to be a simple solution in sight.
What does this have to do with MFA?
The trouble began on May 9, 2023, when LastPass sent an alert to users, urging them to reset their multi-factor authentication (MFA) preferences. Yet, even after resetting codes on their authenticator apps, many users have reported being unable to log in to their accounts or access their LastPass vaults.
The Infinite Loop
Even worse, locked-out users can’t get help because one must be logged in to access support! Instead, they are prompted to reset the authentication app again and again while the system fails to recognize the new codes they’ve created.
“After resetting my MFA I completely lost access to my Vault. MasterPW is not working and resetting as well as the reset eMail never gets delivered to me. Cannot contact my ‘Premium’ Support as a Login is required,” said one user.
What happened with the upgrades?
According to LastPass, the company has now strengthened its Password-Based Key Derivation Function (PBKDF2), an algorithm “that makes it difficult for a computer to check that any 1 password is the correct master password during a compromising attack.”
The default minimum number of password iterations post-upgrade is now 600,000. In order to carry out this upgrade, LastPass says it was necessary to log users out of their accounts and require them to reset their MFA.
Lessons Learned About MFA
1. Keep It Simple
We all know that when processes are complicated, adoption rates are low. Bad for user experience = bad for security.
As evidenced by the recent LastPass situation, when processes are too complicated, they’re likely to be ignored (as in, the MFA doesn’t get enabled at all, or fails due to human error.)
LastPass issued instructions on how to reset MFA. For many, the instructions were just too complicated. If the instructions (several pages) weren’t followed correctly, users couldn’t log in.
2. Ditch the shareable secret
Password managers certainly can add a layer of security. However, a master password is still a password, so it’s potentially shareable, Phishable, and forgettable. Especially when following new protocols for an extra-long, extra-complicated string of characters. Once the master password is compromised, so can all your accounts potentially be accessed by unwanted visitors.
Furthermore, resetting passwords is costly, time-consuming, and annoying.
What’s the Solution?
Strong security, notably MFA, doesn’t have to be complicated. In fact, it should simplify the process – from enrollment to login while enhancing security.
With TraitWare, we’ve eliminated the need for any shared secrets – from enrollment to login. And the MFA is built into the solution, which means there’s no added friction for the user. It’s infinitely more secure, and there’s nothing to reset. Users can log in with a biometric that they’ve previously registered with the secure TraitWare app – and a mobile device that scans a one-time dynamic QR code for access to any screen. Single sign-on means users can access multiple accounts in one go.
Login in 3 touches. A few seconds and you’re IN.
If you must use a password manager, one option is to deploy passwordless MFA to log in to your vault. Keeper offers this option for enterprise accounts with TraitWare.
Seeing is Believing
Curious? We’d love to show you how TraitWare works to enhance security and vastly simplify login for the enterprise.
The post The LastPass Lockout – And Lessons in MFA appeared first on TraitWare.
