LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation, but the secret the app derives those codes from lives only on that phone, so you have to re-enroll the app each time you reset or switch phones.

Using a security key (Yubikey being one brand; “U2F” an older standard, “WebAuthn” a newer and broader one) allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: if you don’t have your Yubikey handy, you can’t click a link to enter a Google Authenticator code instead, as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next login attempt. Because only one activates at a time, you cannot have multiple prompts during the same login.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.


Weekly output: Virgin Mobile USA Inner Circle, Microsoft on security, D.C. tech media, Sprint Flex, SMS two-step verification

This week involved a large tech conference, but I didn’t have to go any farther than D.C. for it: Microsoft Inspire ran from Monday to Wednesday at the convention center, with the morning keynotes held at the Verizon Center. The event yielded one post, an idea for another and a sweaty evening at Nationals Park Wednesday, the location of the Carrie Underwood concert that closed out the gathering.

7/10/2017: Virgin Mobile’s iPhone-only plan: What’s the catch?, USA Today

This snakebit column required not one but two corrections. The first remedied my mistake in reading “$1” as this Sprint prepaid brand’s promotional monthly rate when it was the cost for the entire first year of service; minutes later, I saw a reader comment calling out my dumb error in writing “megabits per second” instead of “kilobits per second” when describing a streaming speed limit.

7/12/2017: Microsoft reveals two big ways to stop ransomware attacks, Yahoo Finance

Microsoft president and chief legal officer Brad Smith’s keynote Wednesday called for collective action to stop ransomware and other malware outbreaks. But getting companies and organizations to end their long-running abusive relationship with Windows XP won’t be easy; neither will persuading governments to stop hoarding vulnerabilities in favor of promptly disclosing all of them so they can be fixed.

7/12/2017: Working with Tech Media in the Washington D.C. Region, Washington Network Group

I spoke on this panel with the Washington Business Journal’s Andy Medici and FedScoop’s Tajha Chappellet-Lanier (a fellow Washingtonian Tech Titan honoree) about coverage priorities, tech trends and PR pet peeves. Once again, I implored publicists not to follow up by re-sending the original e-mail topped by nothing more than “Any interest?”

7/14/2017: Sprint doesn’t want you to buy your next phone, Yahoo Finance

Sprint gave me an advance on this, but its PR pitch for its new Flex leasing deal didn’t spell out that this move would also end Sprint’s installment-payment pricing on phones. Because I’m slow, I needed a couple of rounds of Q&A to grasp that difference. Sprint, in turn, didn’t clarify the international-unlocking policy under Flex until Friday morning, after its embargo on the news had passed but before it had posted its own press release.

7/14/2017: How a system meant to keep your money safe could put it in danger, Yahoo Finance

I expected to see everybody else jump on this story of a PayPal customer losing money after an AT&T rep let an unknown attacker move his number–the last line of defense on his PayPal account–to a new SIM, since I learned about it on Twitter a week earlier. Instead, I had time to quiz PayPal, AT&T and others; verify that a no-longer-advertised phone-free form of two-factor authentication still worked at PayPal; and have an enlightening chat with Google security product manager Stephan Somogyi about the tradeoffs of different “2FA” methods.

Weekly output: HBO and cord cutting, wireless carriers, two-step verification

This week involved many meetings, but that was okay–I spent a couple of days in New York catching up with my Yahoo Tech colleagues, getting updates about how we’ve done and hearing about future plans. I also successfully installed OS X Yosemite on both of my Macs and cheered on a friend running the Marine Corps Marathon for the first time. Overall: not a bad seven days.

10/21/2014: Will Sports Learn from HBO’s Grand Online Experiment?, Yahoo Tech

This is a column I’d wanted to write for the past few years, but until recently I didn’t think my chance would come until maybe 2016. The photo illustrating my musings on HBO’s move to sell online-only viewing was an idea that came to me at the last minute, as I was flipping through the paper at the dining table; if only the words could pop into my head so quickly!

10/21/2014: This Is the Best Wireless Carrier for You, Time

The condensed edition of my Wirecutter guide to wireless carriers has run at a few other places (for instance, Fast Company posted its version Sept. 21), but I was tickled more than usual to see it land on the site of the newsmagazine I read almost every week in high school.

10/26/2014: Security update: AOL learns to two-step, and why your ISP may not, USA Today

A friend sent an apologetic e-mail about his AOL account getting hacked (yes, I have some pals who continue to use the site); I was going to tell him to turn on two-step verification and then realized I couldn’t; inquiries with AOL PR led to me breaking the (not-quite-huge) news that it will soon offer two-step verification once again.