I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.
Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for YubiKey U2F security keys as a form of two-step verification.
Using a security key–YubiKey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.
Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your YubiKey handy, you can’t click or type a button to enter a Google Authenticator code instead, as you can with a Google account.
If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.
The reality you see if you happened to leave your YubiKey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.
This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.
My overdue update to this guide to LTE hotspots endorsed a Verizon model and gave a secondary endorsement to an AT&T hotspot with lesser battery life. We then revised the update after it posted to note that the Sprint reseller Karma had downgraded an initially promising unlimited-data option.
The easy answer to Microsoft’s end of support for older Internet Explorer versions is “install IE 11.” But that browser isn’t the same app in Windows 7 as it is in Win 8 and 10, and updating your browser doesn’t end your Web-security chores.
At the start of this week, I had different topics in mind for each of these two columns, and then things happened. I also made a quick run up to New York Thursday for a few tech events, then wrapped up the visit with a pilgrimage to the top of One World Trade Center. I’ll repeat the D.C.-NYC trip tomorrow but will stick around longer–CE Week runs Tuesday through Thursday.
I had filed a different column by the time my editor and I separately decided: Hey, this news about a password-manager service’s security breach is column-worthy. After this piece went up, LastPass updated its original blog post with a clearer explanation that’s worth reading.
In this case, I hadn’t filed anything–I couldn’t, because I was waiting for an answer to a reasonably simple technical query from a company that had already exhibited… let’s say, a slow PR metabolism. Fortunately, a reader had e-mailed a question that I could answer without needing any spokespeople to chime in first. It didn’t hurt that the headline came to mind almost instantly.
On one hand, I’ve seen a variety of reader reports–more in reader e-mail and in comments on the post I wrote here first to see if this was a wider problem, as well as on the Facebook page post in which I shared the column, than in comments on the column itself–of other Verizon login failures.
On the other hand, Verizon is now thinking that this is related to my using LastPass. My PR contact there said that one of his colleagues had noticed the screenshot in my post here revealed that I use that password-manager service and suggested I try disabling its extension in the problematic copy of Safari.
I thought that a somewhat ridiculous suggestion, since each time I’d typed in the password instead of letting LastPass enter it for me. But once I did that, I could log in normally. And when I enabled it again, I got the same login failure as before. There’s correlation here. Causation? I don’t know.
I e-mailed LastPass’s CEO Joe Siegrist (not because I thought this a CEO-level issue, but because we met a few years ago and I’ve always found him quick to reply to a query) to ask his people to look into things.
If they can reproduce and, better yet, document a problematic interaction, that would be good to know and a good thing to add to the column. If they can’t (a distinct possibility considering that the guy I quoted in the column as having a similar problem, PhoneScoop editor Rich Brome, told me he doesn’t use LastPass), the mystery will continue.
In the meantime, I’ll throw this question out there: If you use LastPass, have you seen any other cases of a login with a valid password failing?