by zupzupper 3099 days ago
LastPass produces two apps, the Password Manager and this Authenticator App, which looks like a 2FA competitor to Google Authenticator.

The bug the article is detailing is in the Authenticator application, not the Password Manager application, which wasn't very clear to me on my first read.


Thanks for the clarification. This reveals a couple of other points.

This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock. The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.

The other, which I'm a little less clear on, is that a malicious app gets installed somehow, it launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.

In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.
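The bypass described in this comment works because a screen inside the app can be launched directly, skipping the app's own PIN/fingerprint gate. On Android that is only possible for components the manifest exports. The script below is an added example, not code from LastPass or from the article: it audits a constructed AndroidManifest.xml (the activity names and package are made up) for activities that other apps can start without holding a permission, and shows the hardened manifest with those activities marked `android:exported="false"`. It applies the platform's real rule: an explicit `android:exported` value wins; otherwise an activity with an `<intent-filter>` is exported by default (Android 12 and later refuse to install a manifest that leaves the value implicit for such components).

```python
"""Audit an AndroidManifest.xml for activities reachable from other apps.

Added example, not the project's own code: flags exported activities that
carry no android:permission, since any app on the device can start those and
land on the screen behind the app's own lock gate.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; package and activity names are invented.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.authenticator">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- weak: the code list screen is explicitly exported, no permission -->
    <activity android:name=".CodeListActivity" android:exported="true"/>
    <!-- weak: implicitly exported because it declares an intent-filter -->
    <activity android:name=".SettingsActivity">
      <intent-filter><action android:name="com.example.SETTINGS"/></intent-filter>
    </activity>
    <!-- fine: internal only -->
    <activity android:name=".PinActivity" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(activity):
    """Platform rule: explicit android:exported wins; otherwise an activity
    with an <intent-filter> is exported by default (pre-Android-12 default;
    Android 12+ requires the attribute to be stated explicitly)."""
    explicit = _attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def is_launcher(activity):
    """The launcher activity must be exported, so it is not a finding."""
    for flt in activity.findall("intent-filter"):
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def audit_exported_activities(manifest_xml):
    """Return (activity name, reason) for every exported, unprotected activity."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for act in root.iter("activity"):
        if not is_exported(act) or is_launcher(act):
            continue
        if _attr(act, "permission"):
            continue  # callers must hold a permission; out of scope here
        if _attr(act, "exported") is not None:
            reason = 'explicit android:exported="true"'
        else:
            reason = "implicitly exported by <intent-filter> (no android:exported)"
        findings.append((_attr(act, "name"), reason))
    return findings


def harden_manifest(manifest_xml):
    """Return a copy of the manifest with every flagged activity set to
    android:exported="false". Mechanical illustration only: the in-app
    lock gate still has to be enforced on every screen that shows codes."""
    ET.register_namespace("android", ANDROID_NS)
    flagged = {name for name, _ in audit_exported_activities(manifest_xml)}
    root = ET.fromstring(manifest_xml)
    for act in root.iter("activity"):
        if _attr(act, "name") in flagged:
            act.set(f"{{{ANDROID_NS}}}exported", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, reason in audit_exported_activities(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
    print(harden_manifest(SAMPLE_MANIFEST))
```

Running it on the sample reports `.CodeListActivity` and `.SettingsActivity`; the hardened output audits clean. The same check can be run over a decoded manifest from any build before it ships.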

Now I'm confused. It says it in the title? Where might the confusion stem from?

If people don't know that LastPass has a 2FA app, they might think LastPass Authenticator is the password manager app, and is affected by this bug. As a matter of fact, a number of commenters seem to think exactly that.

Right but I guess to me "password management" and "authentication" are two entirely separate concepts (i.e. authorization vs authentication being separate English words).

I can authorize someone to do something. I authenticate that a person is who he or she claims to be.

The username/password combo authenticates the person as much as it authorizes them to access the service.

Different meaning but connected nonetheless.

It only says it in the title if you're already familiar with LastPass's app offerings.

I happen to be familiar so I can read "LastPass Authenticator app" and know it is referring to their 2FA/Google Authenticator competitor. But in the general sense LastPass "Authenticator" could be the name of their password manager for all people know.

It could be titled e.g. "Lastpass's two factor authenticator app is insecure." Still accurate but also less vague for people unfamiliar with Lastpass's different apps.

Most people will only use the password manager app. I didn't realise they make a different authenticator app and assumed that this was about the password manager.