Hacker News new | ask | show | jobs
by alex- 1274 days ago
I initially assumed I would be safe because of 2FA. Sadly it looks like this is not the case, the second factor is used to access the encrypted data, not decrypt the data. As the attacker already has the encrypted data, they have bypassed the stage where 2FA is providing protection. This appears to also be the case for 1password and bitwarden, so not specifically a lastpass failure.
1 comments
mdaniel 1274 days ago
> This appears to also be the case for 1password and bitwarden, so not specifically a lastpass failure.

It is currently(?) the case for Bitwarden, yes, but that's incorrect for 1Password, as they have client-only key material that is never transmitted to the cloud: https://blog.1password.com/what-the-secret-key-does/

link
alex- 1274 days ago
Yes, a secret key like this could have made this breach much less concerning. Assuming you trust the company to not also lose this data (that they generate and claim to not store). What I was really hoping to find was a paid, cross platform, cloud sync'ed solution that can be setup to require your password and physical key to decrypt. i.e. have 2FA protection from a data breach like this.
link
mdaniel 1274 days ago
There's nothing that I'm aware of preventing one from putting the secret key material on a hardware wallet of your comfort level and having it type in the encoded value when signing onto a new device (the way the Yubikey pretends to be a keyboard when plugged in); obviously(?) 1Password is not incentivized to own such a complex workflow but there's nothing that I can see stopping you from doing it. FWIW they also support 2FA on login, which is different from the secret key to unlock the vault, so ... 3FA?

With regard to the "claim not not store" part, they've had multiple security audits including granting the auditor access to the underlying source code, so if there was something underhanded going on, I believe it would have gotten out by now: https://support.1password.com/security-assessments/

I'm with you that it's not as nice as open source clients, but given a choice between trusting 1Password with code I cannot see and trusting Bitwarden with code that I can see, I'm sticking with 1Password

link