
Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack - CtrlAltT5wpm
https://pberba.github.io/security/2020/05/28/lastpass-phishing/
======
CtrlAltT5wpm
This point, mentioned in the article, bears repeating, especially if you
aren't familiar with LastPass or their 2FA:

LastPass uses Yubico's one-time password, which is more similar to TOTP than
it is to FIDO's U2F (which Yubico had a hand in). LastPass has had this for
YEARS, long before U2F was even a thing, or before LastPass was bought by
LogMeIn.

10 years or so ago (back when I was a paying user of LP), the Yubico OTP was a
really nifty bit of security, and probably state-of-the-art, at least to a
user like me. Now, not so much. I don't know if this feature has a future, or
if there are any plans to phase it out, since U2F is more secure. I'm not sure
if there are really any existing applications for it, but this isn't my field
of expertise; there might be something novel that can be done.

What I DO know is that users of LastPass have been asking for U2F as an option
for several years now, with no real movement on LP's part. If a one-man outfit
like Bitwarden, or a famously reticent company like 1Password, can implement
U2F, LastPass has no excuse (to be fair, 1Password's reluctance to implement a
second factor was understandable when they didn't have a cloud component in
their software).

Unfortunately, the only thing that will likely move LP is if Yubico announces
they're dropping the OTP feature entirely.

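The distinction the comment draws (Yubico OTP behaving like TOTP rather than like U2F) is what makes the article's MITM phishing work, and it is easy to show in code. The following is an added example, written for this page and not taken from the article, the commenter, LastPass or Yubico. It uses RFC 6238 TOTP as a stand-in for the Yubico OTP (both are bearer values: whoever receives the code can submit it), and a simplified U2F-style assertion in which the token signs over the origin the browser hands it, so a proxy sitting on a different origin cannot reuse what it relays. The origins `https://lastpass.com` and `https://lastpass.example`, the counter value and the timestamps are constructed for the example; the only real data is the RFC 6238 test secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Bearer second factor: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).
// Stands in for the Yubico OTP: both are values the user submits, so any
// page that receives the value can forward it to the real site.
func totp(secret []byte, unixTime int64) string {
	var step [8]byte
	binary.BigEndian.PutUint64(step[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(step[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// The real site's check: the code matches the current step or one step
// either side. Nothing ties the code to the page it was typed into.
func totpServerAccepts(secret []byte, now int64, submitted string) bool {
	for _, t := range []int64{now - 30, now, now + 30} {
		if hmac.Equal([]byte(totp(secret, t)), []byte(submitted)) {
			return true
		}
	}
	return false
}

// Origin-bound second factor, simplified U2F: the signed message carries
// the hash of the origin the browser handed the token, a user-presence
// flag, a counter and the hash of the challenge.
func u2fSignedData(originHash [32]byte, counter uint32, challenge []byte) []byte {
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	ch := sha256.Sum256(challenge)
	msg := append([]byte{}, originHash[:]...)
	msg = append(msg, 0x01) // user presence
	msg = append(msg, cnt[:]...)
	return append(msg, ch[:]...)
}

type u2fAssertion struct {
	Counter uint32
	Sig     []byte // ASN.1 DER ECDSA signature
}

// Runs on the token. browserOrigin is whatever page the browser is on; the
// token cannot verify it, but it faithfully includes it in the signature.
func u2fSign(key *ecdsa.PrivateKey, browserOrigin string, counter uint32, challenge []byte) (u2fAssertion, error) {
	oh := sha256.Sum256([]byte(browserOrigin))
	digest := sha256.Sum256(u2fSignedData(oh, counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return u2fAssertion{Counter: counter, Sig: sig}, err
}

// Runs on the relying party, which rebuilds the signed data from ITS OWN
// origin and the challenge it issued.
func u2fVerify(pub *ecdsa.PublicKey, rpOrigin string, challenge []byte, a u2fAssertion) bool {
	oh := sha256.Sum256([]byte(rpOrigin))
	digest := sha256.Sum256(u2fSignedData(oh, a.Counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], a.Sig)
}

// The phishing proxy forwards the code the victim typed to the real site.
func relayTOTP(secret []byte, now int64) bool {
	typedIntoPhishingPage := totp(secret, now)
	return totpServerAccepts(secret, now+5, typedIntoPhishingPage)
}

// The proxy forwards the real site's challenge to the victim and the
// victim's assertion back, but the victim's browser was on phishOrigin.
func relayU2F(key *ecdsa.PrivateKey, realOrigin, phishOrigin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	a, err := u2fSign(key, phishOrigin, 1, challenge) // constructed counter
	if err != nil {
		return false, err
	}
	return u2fVerify(&key.PublicKey, realOrigin, challenge, a), nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("TOTP relayed through proxy accepted:", relayTOTP(secret, 1590000000))
	ok, _ := relayU2F(key, "https://lastpass.com", "https://lastpass.example")
	fmt.Println("U2F relayed through proxy accepted:", ok)
	ok, _ = relayU2F(key, "https://lastpass.com", "https://lastpass.com")
	fmt.Println("U2F on the genuine origin accepted:", ok)
}
```

The relay succeeds for the bearer code and fails for the origin-bound assertion for one reason only: the relying party never trusts the origin the client claims, it hashes its own. A real Yubico OTP adds a per-device counter that stops replay of an old code, but the proxy in the article submits the fresh code immediately, so the counter does not help; only binding the credential to the origin does.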
