
LastPass gives others access to your password vault in emergencies - svenfaw
http://www.zdnet.com/article/lastpass-revamps-password-management-software/#ftag=RSSbaffb68
======
hackuser
Note that it only allows access to people designated by the user. The user can
configure a waiting period between the emergency contact's request and access.

I can think of two ways this is implemented:

1) LastPass has a backdoor to users' data, and they use it in certain
conditions.

2) Ahead of time, emergency users are given credentials different than the
primary users' credentials. The emergency credentials are disabled except in
the emergency conditions.

#2 is much more secure but knowing typical end-users' ability to retain
credentials, especially ones they aren't using, it seems like it would have a
high failure rate. Maybe they could use biometrics? But how would LastPass
physically collect biometric data? Not all phones have fingerprint readers,
for example.

~~~
svenfaw
Some technical details are discussed at
[https://helpdesk.lastpass.com/emergency-access/](https://helpdesk.lastpass.com/emergency-access/)

~~~
hackuser
Hmm ... this doesn't look good:

 _With the Emergency Access feature, you can give trusted family and friends
access to your LastPass account in the event of an emergency or crisis. Your
designated Emergency Access contact(s) can request access to your account and
securely receive the passwords and notes without knowing your Master Password.
You decide how much time should pass before they’re given access once they
request it, and you can decline access if it’s requested unnecessarily.

Emergency Access can also be used as an alternative account recovery feature,
if you worry about ever forgetting your master password and want to ensure you
have a backup way of recovering your vault.

...

Your Emergency Access contact must have a LastPass account. If they do not, we
will help you send them an invitation for them to join LastPass so that you
can add them as a contact._

~~~
nlawalker
Not to be snarky but you missed the most relevant part:

 _LastPass uses public-private key cryptography with RSA-2048 to allow users
to share the key to their vault with trusted parties, without ever passing
that information in an unencrypted format to LastPass. When Emergency Access
is activated, each user has a pair of cryptographic keys – a public key to
allow others to encrypt data for the user, and a private key that allows the
user to decrypt the data that others have encrypted for them._

 _The key used to encrypt and decrypt your vault data is encrypted with the
Emergency Access contact’s public key, and can be decrypted only with their
corresponding private key. When setting up Emergency Access, you are using the
recipient’s public key, encrypting your vault key with that public key, and
then LastPass stores that RSA-2048 encrypted data until it’s released after
the waiting period you specify. Only the recipient can decrypt the data, so no
one else can decrypt it without access to the private key of the recipient
you’re sharing it with, which is encrypted with their master password key.
This process is completely automated, with no action required by the end user,
and ensures that the data is inaccessible by LastPass or outside parties._

Basically, it sounds like LastPass has each client generate a keypair, store
the private key in the vault, and give the public key to LastPass for
distribution. I'm no security expert but it seems secure to me, at least as
far as LastPass is considered secure.

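The flow nlawalker describes, as an added example in Go using only the standard library (this is not LastPass code and not code from any commenter): each user enrolls with an RSA-2048 pair whose private key is stored on the server sealed under a key derived from the user's master password; the owner encrypts the vault key to the contact's public key; the server keeps only ciphertext and enforces the waiting period and the owner's decline. The type and function names (Server, Enroll, GrantEmergencyAccess, RecoverVaultKey), the OAEP label, the single-hash stand-in for PBKDF2 and the users alice and bob are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"time"
)

var oaepLabel = []byte("emergency-access") // assumed OAEP label, not LastPass's

// masterKey stands in for the client-side PBKDF2 of the master password (real clients iterate).
func masterKey(user, password string) []byte {
	h := sha256.Sum256([]byte(user + ":" + password))
	return h[:]
}

// seal/open: AES-256-GCM with the random nonce prefixed to the ciphertext.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Grant is what the server stores per (owner, contact) pair.
type Grant struct {
	WrappedVaultKey []byte        // owner's vault key, RSA-OAEP to the contact's public key
	Wait            time.Duration // waiting period chosen by the owner
	RequestedAt     time.Time     // zero until the contact asks for access
	Declined        bool          // owner used the veto
}

// Server holds everything the provider sees; none of it decrypts without a master password.
type Server struct {
	PubKeys     map[string][]byte // DER-encoded RSA public keys
	WrappedPriv map[string][]byte // private keys sealed under master-password keys
	Grants      map[string]*Grant // keyed owner+"->"+contact
}

func NewServer() *Server { return &Server{map[string][]byte{}, map[string][]byte{}, map[string]*Grant{}} }

// RequestAccess starts the clock and Decline is the owner's veto; both assume the grant exists.
func (s *Server) RequestAccess(owner, contact string, now time.Time) { s.Grants[owner+"->"+contact].RequestedAt = now }
func (s *Server) Decline(owner, contact string)                      { s.Grants[owner+"->"+contact].Declined = true }

// Release enforces the policy; it only ever hands back RSA ciphertext it cannot read.
func (s *Server) Release(owner, contact string, now time.Time) ([]byte, error) {
	g := s.Grants[owner+"->"+contact]
	switch {
	case g == nil:
		return nil, errors.New("no emergency access configured")
	case g.Declined:
		return nil, errors.New("owner declined")
	case g.RequestedAt.IsZero() || now.Before(g.RequestedAt.Add(g.Wait)):
		return nil, errors.New("not requested, or waiting period not over")
	}
	return g.WrappedVaultKey, nil
}

// Enroll (contact's client): RSA-2048 pair; public key uploaded in the clear, private key sealed.
func Enroll(s *Server, user, password string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	s.PubKeys[user], _ = x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	s.WrappedPriv[user] = seal(masterKey(user, password), x509.MarshalPKCS1PrivateKey(priv))
	return nil
}

// GrantEmergencyAccess (owner's client): vault key encrypted to the contact's public key.
func GrantEmergencyAccess(s *Server, owner, contact string, vaultKey []byte, wait time.Duration) error {
	pub, err := x509.ParsePKIXPublicKey(s.PubKeys[contact])
	if err != nil {
		return errors.New("contact is not enrolled")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub.(*rsa.PublicKey), vaultKey, oaepLabel)
	if err != nil {
		return err
	}
	s.Grants[owner+"->"+contact] = &Grant{WrappedVaultKey: ct, Wait: wait}
	return nil
}

// RecoverVaultKey (contact's client): unwrap own private key with the master password,
// then decrypt the vault key the server released.
func RecoverVaultKey(s *Server, contact, password, owner string, now time.Time) ([]byte, error) {
	ct, err := s.Release(owner, contact, now)
	if err != nil {
		return nil, err
	}
	privDER, err := open(masterKey(contact, password), s.WrappedPriv[contact])
	if err != nil {
		return nil, errors.New("wrong master password: private key stays sealed")
	}
	priv, _ := x509.ParsePKCS1PrivateKey(privDER) // GCM already authenticated these bytes
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
}

func main() {
	srv, key := NewServer(), []byte("owner vault key, 32 bytes long!!")
	_ = Enroll(srv, "bob", "bob-pw")
	_ = GrantEmergencyAccess(srv, "alice", "bob", key, 48*time.Hour)
	srv.RequestAccess("alice", "bob", time.Now())
	got, err := RecoverVaultKey(srv, "bob", "bob-pw", "alice", time.Now().Add(49*time.Hour))
	println(err == nil && string(got) == string(key)) // true
}
```

Two things worth noticing in this layout. The confidentiality argument is purely cryptographic: the server holds the contact's public key, a GCM-sealed private key and an RSA ciphertext, and can open none of them without the contact's master password. The waiting period and the decline, by contrast, are policy that the server enforces in Release; nothing in the ciphertext stops a compromised or coerced server from handing it out early, so the delay is only as strong as the provider's honesty, while the contact's master password remains the last line of defence for the private key.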
~~~
hackuser
I agree. That part didn't show up with JavaScript disabled, so my mistake.

------
aeharding
Also, a new UI that doesn't suck.

[https://blog.lastpass.com/2016/01/introducing-lastpass-4-0.h...](https://blog.lastpass.com/2016/01/introducing-lastpass-4-0.html/)

~~~
nlawalker
On mobile it still appears broken enough to essentially require the use of
their mobile app (and the corresponding paid premium membership) for anything
beyond extremely occasional access.

