LastPass has resolved a number of issues with its two-factor authentication (2FA) implementation, after being alerted to them by Salesforce security researcher Martin Vigo. The company says the problems are now fixed and that users do not need to take any action. “To exploit this issue, an attacker would have needed to take several steps to bypass Google Authenticator,” LastPass said in a blog post. “First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site. This combination of factors decreases the likelihood that a user might be impacted.” According to Vigo’s write-up, LastPass was using a hash of the user’s password to generate the QR code used to set up 2FA on the user’s device. Because the second factor was derived from the first, anyone who already held the password could reconstruct the 2FA secret, which is what reduces the scheme to a single factor.
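To make the design flaw concrete, here is an added illustration in Python. It is not LastPass’s code and not Vigo’s; the issuer name, account, salt and timestamps are assumptions made for the example. It contrasts a TOTP enrollment secret derived from a password hash with one drawn from the system’s random source, and shows that in the first case an attacker who holds only the password can produce valid codes and pass the 2FA check, while in the second case they cannot.

```python
import base64
import hashlib
import hmac
import os
import struct

# Added illustration, not LastPass's code. ISSUER, the salt and the account
# name are assumptions made for the example.
ISSUER = "ExampleVault"


def weak_totp_secret(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """Weak scheme: the 2FA secret is a deterministic function of the password.
    Whoever learns the password (or a reproducible hash of it) learns the secret."""
    return hashlib.sha256(salt + password.encode()).digest()[:20]


def strong_totp_secret() -> bytes:
    """Correct scheme: fresh random material with no relation to the password."""
    return os.urandom(20)


def provisioning_uri(secret: bytes, account: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes (what Google Authenticator scans)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{ISSUER}:{account}?secret={b32}&issuer={ISSUER}"
            f"&algorithm=SHA1&digits=6&period=30")


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over HMAC-SHA1 with a time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(account: str, password: str, password_derived: bool):
    """Simulated server-side enrollment: returns the stored secret and the QR payload."""
    secret = weak_totp_secret(password) if password_derived else strong_totp_secret()
    return secret, provisioning_uri(secret, account)


def verify_login(stored_secret: bytes, password_ok: bool, code: str, unix_time: int) -> bool:
    """Server check: first factor (password) plus a TOTP code for the current time step."""
    return password_ok and hmac.compare_digest(totp(stored_secret, unix_time), code)


def attacker_with_password(password: str, unix_time: int) -> str:
    """An attacker who holds only the password recomputes the weak secret and a code."""
    return totp(weak_totp_secret(password), unix_time)


def second_factor_is_independent(password: str, unix_time: int, password_derived: bool) -> bool:
    """True when knowing the password alone is not enough to pass the 2FA check."""
    secret, _ = enroll("alice@example.com", password, password_derived)
    forged = attacker_with_password(password, unix_time)
    return not verify_login(secret, True, forged, unix_time)


if __name__ == "__main__":
    pw, now = "correct horse battery staple", 1_700_000_000  # constructed inputs
    for derived in (True, False):
        label = "password-derived" if derived else "random"
        outcome = "fails" if second_factor_is_independent(pw, now, derived) else "passes"
        print(f"{label:16s} secret: attacker holding only the password {outcome} 2FA")
```

The `totp` routine is the standard one, so it can be checked against the RFC 6238 test vector (secret `12345678901234567890`, time 59) before trusting the comparison; the only thing that differs between the two enrollments is where the secret comes from, which is exactly the point of the advisory.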
Original source: ZDNet, “Researcher Finds LastPass 2FA Could Become 1FA”