Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers.
Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is trying to do so. A crook needs to know not only a victim's username and password, but also have their two-factor code to log in.
Typically, what will happen is that when you try to log into an account – say, a bank account – the process will send a one-off code to a device that it knows belongs to you (typically a mobile phone) and require that code to be entered before moving forward.
However, many companies, including Google, Facebook and Dropbox also offer the ability to generate one-off access codes from a device or app. You usually scan a barcode unique to your account, and this is used to calculate a sequence of access codes, with a new code every minute or so. When you log in, you provide your username and password, hand over that minute's code, and in you go if it's all correct.
And that's where LastPass comes in. LastPass Authenticator supports any service that offers a standard Time-based One-Time Password (TOTP) algorithm and will store the seed online in your LastPass account.
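To show what "store the seed" actually means, here is an added example (not LastPass's code, and not from the article) that walks through standard TOTP (RFC 6238): extracting the seed from the enrolment barcode, deriving the current code from it, and the server-side check. The otpauth:// URI is constructed for the example and carries the RFC 6238 test seed, so whoever holds that seed, phone or cloud copy, computes the same codes.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed example of what a TOTP enrolment barcode encodes (Key URI format).
# The secret is the RFC 6238 test seed "12345678901234567890" in base32.
ENROLMENT_URI = ("otpauth://totp/Example:alice@example.com"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30")


def seed_from_uri(uri: str) -> tuple[bytes, int]:
    """Extract the shared seed and time step from an otpauth:// URI.
    This is the long-lived value an authenticator keeps after scanning the barcode."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding that issuers usually omit
    period = int(params.get("period", ["30"])[0])
    return base64.b32decode(b32), period


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock, so no message is sent per login."""
    return hotp(seed, unix_time // period, digits)


def verify(seed: bytes, submitted: str, unix_time: int, period: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew` steps either side (clock drift),
    comparing each candidate with a constant-time comparison."""
    counter = unix_time // period
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    seed, period = seed_from_uri(ENROLMENT_URI)
    # Any holder of the seed gets the code the phone shows; RFC 6238 test time 59 gives 287082.
    print(totp(seed, 59, period))
    print(verify(seed, "287082", 59 + period))  # still accepted one step later
```

The seed, not the six-digit code, is the secret: the codes are a deterministic function of seed and time, so a copy of the seed in a password vault is as good as the phone itself.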
Great. Or not.
Because if someone gets into your LastPass account, it undermines the very advantage of having two-factor auth: that there is a second level of authentication using a different device.
Using a password manager is preferable to reusing a small number of the same passwords for everything, because you are able – theoretically at least – to use a different and more complex password for every service.
But it risks creating a single point of failure – everything is there. By putting two-factor auth codes in the same piece of software, that single point of failure becomes even more stark. It is placing eggs on top of an already egg-filled basket.
But of course in the real world, this is just a theoretical risk. So long as you use a complex password for your LastPass account, there is no reason to believe that your critical data is at risk.
It's not as if LastPass users were locked out of their accounts last week because of unspecified updates. Or that last month the company's own two-factor authentication implementation was found to have a serious fault in it. Or that its browser plugins have also had problems.
Nope, this is all a great idea. Nothing can go wrong with this. ®