LastPass vulnerability ‘beats the entire purpose’ of two-factor authentication

The problem lies in how they stored the QR code used for setting up 2FA.

LastPass, one of the web’s most popular password managers, had a critical flaw in its implementation of two-factor authentication, according to new research published Thursday.

The purpose of 2FA is to secure accounts and systems against attackers who already have your password. LastPass’s problem lies in how they stored the QR code used for setting up 2FA. In this case, the QR code holds the “secret” that will allow a user or an attacker to generate valid codes that serve as the second factor. Unfortunately, according to researcher Martin Vigo, LastPass stored that secret under a URL that can be derived from the password. That means an attacker with the password could then compromise the second factor of authentication.

“This literally beats the entire purpose of 2FA, which is a layer of security to prevent attackers already in possession of the password from logging in,” Vigo explained. “To put it in perspective, imagine that you have a safe in your house where you keep your most valuable belongings. Do you think it is a good idea to have the same lock for the door and the safe? Should the door key open the safe as well?”


Hackers can also disable a target’s 2FA by using a Cross-Site request forgery vulnerability if, for instance, a victim is phished on an attacker-controlled website.

Password managers are important tools that help users create and manage mountains of strong and unique passwords across multiple devices. They’re widely pushed by experts as the most effective way to handle numerous passwords but, like all software, they come with a set of problems all their own. In late February, researchers revealed a slate of vulnerabilities across many of the most popular managers on the market.

The question is not whether password managers will ever suffer from vulnerabilities. Instead, the developers must maintain and secure the software as quickly as is reasonably possible. In this latest case, the vulnerabilities were disclosed to LastPass, acknowledged and addressed to some extent in February. Vigo received an unspecified bounty for his work.

While all manner of password managers routinely face security issues, experts agree they all in the end make almost all users more secure than those who go without password managers.

Multi-factor authentication is widely seen by experts as crucial tools that help harden cybersecurity and defeat would be hackers by requiring more than just a password to login to accounts and systems. A second form of authentication can come in the form of a USB stick, an ID card, a smartphone or a mobile app.


This layer of security is so important that Sen. Ron Wyden, D-Ore., just demanded the Senate require multifactor authentication on all of its IT systems.

Latest Podcasts