LastPass improves passwordless logins with FIDO2 authenticator support for desktops
LastPass, maker of the password management service of the same name, announced today that customers may now use FIDO2-compatible authenticators on desktop devices for passwordless logins to their vaults.
The new feature is available to all customers, including Free, Premium, Families, Teams and Business accounts.
Until now, LastPass customers had to use the LastPass Authenticator application for passwordless sign-ins on desktop devices. The company had launched biometric authentication for passwordless logins on mobile, but not on desktop; today's announcement changes that, as FIDO2-compatible authenticators may now be used on desktop devices as well.
Customers who use the LastPass Authenticator application to sign in to their vaults may continue to do so, as nothing changes on that front. They may switch to a different authenticator now, and customers who never enabled passwordless login for their account may select either of the available options if they want to set it up.
FIDO2-compatible authenticators come in two forms: platform authenticators built into the operating system, such as Windows Hello on Windows devices, and roaming hardware keys, such as a YubiKey. How the user confirms a sign-in depends on the authenticator: a face or fingerprint scan or a PIN for a platform authenticator, a touch on a hardware key, or, for those who stay with the LastPass Authenticator app, approving a push notification.
Passwordless authentication, as standardized in FIDO2 and its browser API WebAuthn, is designed to replace passwords entirely. The core idea is that the authenticator generates a key pair locally on the device: the private key never leaves it, and the site stores only the corresponding public key and a credential identifier. There is no shared secret. With a password, the user types the secret and the site keeps a hash of it to verify logins, so a breached database or a phishing page that captures the typed password yields something an attacker can use. With FIDO2, what the site stores is worthless on its own, because a login requires a signature from the private key over a fresh server-issued challenge. The credential is also bound to the site's origin, so a look-alike phishing domain gets no usable signature, and a signed challenge captured on the network cannot be replayed. What remains in scope for an attacker is the device itself and the account recovery path, which is why the authenticator still gates use of the key behind a PIN, a biometric or a physical touch.
LastPass has created and published a short introductory video:
Closing Words
LastPass customers now have three options for passwordless sign-ins: the LastPass Authenticator app, a FIDO2-compatible platform authenticator that uses biometrics or a PIN, or a FIDO2-compatible hardware key.
Some of the company's applications and extensions may not support FIDO2 yet, judging from this paragraph of the announcement: "With FIDO2 Authenticators, LastPass Free, Premium, Families, Teams and Business customers will have more options when it comes to setting up passwordless login to the vault on desktop browsers and Chrome and Firefox extensions. Safari browser extension and desktop application support is coming soon."
Existing users may check out the following support page for guidelines on enabling passwordless authentication for their account.
LastPass has had a rough time in recent years. The company disclosed a security breach in 2022 and a follow-up breach, disclosed later that year, in which customer data was among the data the attacker copied.
Now You: does your password manager support passwordless authentication?
I used LP for years; I wouldn’t touch it now. They’ve had well-publicized security issues, they’ve steadily deprecated features from the free version, and they have a habit of ignoring Firefox users.
There are free, proven, open-source alternatives (KeePass, both regular and XC, and Bitwarden are the first 2 that spring to mind).
Such a lovely implementation…at least with the desktop Firefox extension.
Before enabling passwordless logins:
1. enter master password into the extension
2. enter Google Authenticator OTP and click remember for 30 days
3. until the browser is updated to a new major version, just the master password is needed
After enabling passwordless logins:
1. enter master password into the extension
2. a new website opens where you need to re-enter your email and master password
3. enter Windows Hello PIN
4. repeat the whole thing each time the browser gets restarted
I was promised something that works almost instantly and doesn’t need the master password at all, but now it takes thrice as long as the normal login method and even requires two master password entries…it would be nice if they at least copied Microsoft and their “tap the same number on your phone that is shown on the computer screen” or Valve’s “scan the QR code to login”.
“Biometric authentication” is unique as the one and only ultimate authentication method, but that is exactly why it is the ultimate risk.
The data (fingerprints, irises, voiceprints, etc.) is desired by the state, which wants it in the name of security, and is likely to be a popular target for trading on the black market.
The lesson of all ages and countries is that good intentions are destined to be defeated by malice, and that the cycle of cat-and-mouse is never-ending.
Penicillin, the antibiotic that was touted as the ultimate prescription drug, eventually saw “resistant bacteria” appear; streptomycin and vancomycin went the same way, and a never-ending struggle continues (in addition, nosocomial infections with strongly resistant bacteria are expanding).
It was touted as “eternal peace under the nuclear umbrella”, but the reality is a truism.
The large international company I worked for “concluded never to introduce a biometric system”.
Because it is the ultimate, “biometrics” should be avoided.
> The large international company I worked for “concluded never to introduce a biometric system”.
The reason for this is that “it is ideal as an authentication system, but its data management (leakage countermeasures and maintenance management) is absolutely impossible”.