LastPass Can Now Store Two-Factor Authentication Keys In The Cloud

The company argues there’s no additional security risk to doing so, as long as they have 2FA turned on for LastPass itself

Password management service LastPass has added a cloud backup feature to its Authenticator two-factor authentication (2FA) tool, meaning the keys used to generate its one-off login codes can be stored online along with the user’s standard passwords.

Organisations including Google, Microsoft, Dropbox, Evernote and GitHub allow users to add a second login step that involves a standardised way of generating a temporary password, called a Time-based One-Time Password (TOTP).

LastPass Authenticator is one of the mobile apps that can be used to provide these credentials, competing with similar offerings from Google, Microsoft and others.

Secret key

To set up the feature, users typically scan a visual code that’s unique to the the account in question, and the resulting key generator is used to produce temporary credentials that are each valid for around one minute.

LastPass Authenticator can be used along with a standard LastPass account that stores a user’s password for all their online services.
Cloud Security
Until now, however, if the user’s device was lost or became unusable, they would be required to set up the TOTP feature once again for each of their online accounts on a new device, a potential incovenience LastPass said may have dissuaded some from setting the feature up in the first place.

The cloud backup feature means that when two-factor authentication is set up for an account, the key generator is stored online and can be automatically restored when the user sets up LastPass Authenticator on a new device.

“Everyone should be using MFA; we believe it’s foundational to online security,” LastPass said in a blog post announcing the feature.

Security fears

The company advised users to make use of the feature only after enabling two-factor authentication for the LastPass service itself – not doing so would mean nullifying the advantages of two-factor authentication, since anyone who gained access to a user’s LastPass account would then also be able to log into services supposedly protected by one-off authentication credentials.

“This new, opt-in feature… does not increase the level of risk to a user’s credentials stored within LastPass when their LastPass account is protected with multifactor authentication,” LastPass stated.

Users might still hesitate to switch the cloud backup feature on, however, since LastPass has been affected by a number of security issues in recent weeks, including several in the main LastPass service in March and a design flaw in LastPass Authenticator last month.

How well do you know the cloud? Try our quiz!