Home » 2FA

Tag: 2FA

Lastpass and Google Authenticator

Design flaws in Lastpass 2FA implementation

As part of a Red Team engagement I found myself looking for a way to bypass two-factor authentication (2FA) in Lastpass. Unfortunately this happened before Tavis Ormandy reported multiple 0-days in Lastpass. Would have saved us so much time! Anyway, 2FA is an additional layer of security to protect user accounts from attackers that have already compromised your password. I mention this because it is key to understand the purpose of this post.

When you login into a service using your username and password, you will get an additional challenge before access is granted. Usually it is a 6 digit temporary code that changes every 30 seconds. Google authenticator, Authy and Toopher are just a few of the 2FA solutions Lastpass supports that are based on RFC6238 and RFC4226. There are other types of 2FA but these are the most common.

Read more