undefined | Better HN

0 pointsslau9y ago0 comments

> Some people forget that email almost always works as a way to reset passwords

I recently switched distros on my work laptop and went on holiday. I didn't take the backup drive from the old install with me. I use KeePass. My company uses LastPass.

I had to log-in to LastPass, so grabbed my username and password from KeePass, and tried to log-in to their website. I was then greeted by a request to give the "Sesame" code. For those who don't use LastPass on Linux (maybe other platforms as well), Sesame is an OTP generator, installed on the user's computer.

I was stumped. I hadn't copied the Sesame install to the new distribution. Luckily, LastPass provided me with a helpful link "Disable Sesame for this account". They sent me an email to confirm that I really wanted to disable Sesame, I clicked the helpful link, and upon next log-in, just my username/password were sufficient.

The LastPass enterprise administrators (people in the company with admin access to our LastPass account) did get an email saying that I had requested the deactivation of Sesame on my account. They were... "surprised" to hear that I did it myself.

Edit: typo.

0 comments

2 comments · 1 top-level

throwanem9y ago· 1 in thread

That's a LastPass bug; if your 2FA can be disabled with nothing more than an email challenge-response, your second factor is just email.

For comparison, when I had trouble with Linode's 2FA - I set up a new phone and wiped the old one before realizing that Google Authenticator doesn't include TOTP secrets in iPhone backups, in effect destroying my 2FA token - and my scratch codes failed to work, I had to provide government ID matching my account information before their support department would disable 2FA on the account. I'm not overjoyed by the fact that an implementation error prevented my scratch codes from working, but I was pleased by the nature of the verification required to disable 2FA so I could log in again and re-enable it. Linode may have had some security problems in the last few years, but this at least they got exactly right.

bigiain9y ago

Keep in mind too that this argument chains - if your 2FA can be disabled with access to your phone/SMS, and your phone account can be updated with an email challenge response (or just a confident voice-call to your carrier's customer service), it's just one extra level of hoop-jumping for your attacker.