MFA Is Going to Save You?


Coffee

Member
Jan 14, 2023
Like many here, I'm a LastPass user facing many many many many password changes in my future. In trying to decode just how screwed LP users are with this latest breach, I've wondered about MFA's role in protecting our offline password vaults. Does it have one? I've heard from a colleague and read on this forum assertions that MFA will protect stolen password vaults. Yet, in several podcasts covering the most recent LP breach, I haven't heard MFA listed as a mitigation of attacks on user password vaults. It occurred to me that maybe MFA only protects us in an online attack scenario. Support for that theory is that (at least for LastPass) when offline access is allowed, and airplane mode is activated, there is no MFA challenge. I don't know if this is the case with other password managers, but I suspect that MFA can't help with offline attacks regardless of vendor. Does anyone here know for sure?

miquelfire

I like red!
Sep 26, 2020
I think the only MFA that will protect your vault is the secret key system that 1Password (and only 1Password to my knowledge) uses. MFA normally will be unable to be used to add stuff to your encryption key for your vault, as they are mostly just OTP (one-time passwords). All MFA can protect you with is online attacks as you say.

PHolder

Well-known member
Sep 16, 2020
In trying to decode just how screwed LP users are
I've posted this math elsewhere; people don't seem to believe me, so I will post someone else's math now.

If your password was longer than 12 chars, and not in a dictionary, you're probably not screwed in any way. Still, cleaning up is a good idea, but maybe you don't need to be compulsive.
 

PHolder

Well-known member
Sep 16, 2020
MFA will protect stolen password vaults
I think there are two things being conflated here.

Forget about your vault master password. MFA is not going to help protect your vault. It's too late for that. But MFA might help you if your vault had a weak password and gets cracked:

For any other password, that is stored IN the vault, if it has MFA and if the MFA info is also NOT in the vault, then that password should have some extra protection because the attacker should need your MFA credential to use it.

Coffee

Member
Jan 14, 2023
Forget about your vault master password. MFA is not going to help protect your vault. It's too late for that.
Is that because MFA only protects against online attacks? In other words, don't allow offline access? Stolen password vaults aren't protected by MFA because that's just a control for access to the vault, and not decryption of that vault?

For any other password, that is stored IN the vault, if it has MFA and if the MFA info is also NOT in the vault, then that password should have some extra protection because the attacker should need your MFA credential to use it.
I considered storing all of my MFA info in another service. Then I thought about what a pain that would be with the initial setup and every time I needed to change that information. Do you know anyone doing that, and have/did they keep it up for long? Maybe it's not as much of a pain as I was thinking...
 

Coffee

Member
Jan 14, 2023
I've posted this math elsewhere, people don't seem to believe me, so I will post someone else's math now.

If your password was longer than 12 chars, and not in a dictionary, you're probably not screwed in any way. Still, cleaning up is a good idea, but maybe you don't need to be compulsive.
If I follow you, then an iteration count of one is enough. My two accounts were set to 100.1K iterations, but I know people that had their iterations set to 5K. I haven't run into anyone personally with it set to 1.
 

PHolder

Well-known member
Sep 16, 2020
Is that because MFA only protects against online attacks?
A second factor is normally (as in the way it is traditionally used in the industry) applied as a means to control how you use the first factor (the password). It's not part OF the password. So if they have an attack that lets them extract the data/service/info protected, they don't need any password or MFA to get said access. In the case of LP, they got your vault without using your password or being blocked by any MFA you had in place alongside your master password.

If you think about it a certain way, an MFA that modified the password (thus being part of protecting the vault offline) would just be part of the password, and so wouldn't actually be MFA at all.
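The distinction miquelfire and PHolder draw above (an OTP gates the login service; only a secret mixed into the key derivation, 1Password-style, changes what an attacker holding the vault blob has to guess) is easier to see in code. The following is an added example and not LastPass, 1Password or forum code: the vault format, the key-check value standing in for ciphertext, the PBKDF2 parameters and the secret-key mixing construction are all simplified assumptions made here for illustration.

```python
"""Offline vault attack versus OTP versus a key-mixing secret key.

Added example; the vault layout, the HMAC key-check value used in place of
real ciphertext and the HMAC-based secret-key mixing are assumptions, not any
vendor's actual design.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

ITERATIONS = 100_100          # PBKDF2 rounds; the count mentioned in the thread
SHA256 = hashlib.sha256


def password_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key derived from the master password alone (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def vault_key(master_password: str, salt: bytes, iterations: int,
              secret_key: Optional[bytes]) -> bytes:
    """Assumed secret-key scheme: mix a random, device-held secret into the key.
    Without it the key depends on the password only."""
    key = password_key(master_password, salt, iterations)
    if secret_key is None:
        return key
    return hmac.new(secret_key, key, SHA256).digest()


def key_check(key: bytes) -> bytes:
    """Stand-in for ciphertext: anything that lets a candidate key be tested offline."""
    return hmac.new(key, b"key-check", SHA256).digest()


def make_vault(master_password: str, salt: bytes, secret_key: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> dict:
    """Everything a thief gets with the stolen vault store. Note what is absent:
    no TOTP secret and no OTP value, because neither is an input to the key."""
    key = vault_key(master_password, salt, iterations, secret_key)
    return {"salt": salt, "iterations": iterations, "kcv": key_check(key)}


def offline_crack(vault: dict, wordlist: List[str],
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Offline dictionary attack. No login service is involved, so nothing can
    challenge for a second factor; each guess is just one key derivation."""
    for candidate in wordlist:
        key = vault_key(candidate, vault["salt"], vault["iterations"], secret_key)
        if hmac.compare_digest(key_check(key), vault["kcv"]):
            return candidate
    return None


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). It gates an online session; it is not key material."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def online_login(vault: dict, password: str, totp_secret: bytes, code: str, now: int) -> bool:
    """The only place the OTP is checked: the server-side login path of an
    account with no secret key."""
    key = vault_key(password, vault["salt"], vault["iterations"], None)
    password_ok = hmac.compare_digest(key_check(key), vault["kcv"])
    return password_ok and hmac.compare_digest(totp(totp_secret, now), code)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    wordlist = ["password", "letmein", "hunter2", "qwerty123"]   # constructed toy wordlist
    totp_secret = secrets.token_bytes(20)

    weak = make_vault("hunter2", salt)            # OTP-protected account, weak master password
    print("online login with a wrong OTP:", online_login(weak, "hunter2", totp_secret, "000000", 0))
    print("offline crack ignores the OTP:", offline_crack(weak, wordlist))

    sk = secrets.token_bytes(32)
    mixed = make_vault("hunter2", salt, secret_key=sk)   # same weak password, secret key mixed in
    print("offline crack, no secret key:  ", offline_crack(mixed, wordlist))
    print("offline crack, secret key held:", offline_crack(mixed, wordlist, sk))
```

The first vault is cracked from the wordlist without the TOTP code ever being consulted; the second resists the same wordlist until the attacker also has the 32-byte secret key, which is exactly why that secret behaves like part of the password rather than like MFA.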

PHolder

Well-known member
Sep 16, 2020
storing all of my MFA info in another service
I use Authy. I dislike their attempt at lock-in, but I still like their product. It too has online synchronization though, so it could one day get hacked too, I guess. I just assume both hacks won't occur at the same time, and so I should have an opportunity to recover if I ever thought I was compromised.

PHolder

Well-known member
Sep 16, 2020
iteration count of one is enough
In general, with a long enough password, yes. More can be better, but there comes a time where the laws of large numbers are probably protection enough. Do you really care if your password could be broken in 10x the life of the universe versus 1000x?

NIST has rules about comparing password strengths. They are normally applied to the keys and not to passwords, but if possible password combinations get larger than 2^128 that is equivalent to what they used to refer to as "bank strength". They make these assertions based on the costs involved in theoretically brute forcing a decryption. In any of these assumptions, you need to assume your attacker's strength... but you can make such ridiculously large assumptions that there isn't enough silicon in the galaxy to build that many computers, let alone enough power to run them all. These kinds of assumptions are why I say you should make a quality pass phrase that is 25+ and you'll never lose sleep about the strength of your password again.
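PHolder's two arguments, that length dominates iteration count and that a keyspace past 2^128 is beyond any attacker, can be put into a small cost model. This is an added worked calculation, not figures from the thread or from any vendor: the attacker rate of 10^12 HMAC-SHA256 computations per second is an assumption chosen for illustration, and the model treats every guess as costing exactly the PBKDF2 iteration count.

```python
"""Brute-force cost model for a stolen PBKDF2-protected vault.

Added example with assumed numbers. The attacker rate below is a guess; the
point is how the result scales with password length versus iteration count.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed attacker: 1e12 HMAC-SHA256 computations per second (a large GPU rig).
ASSUMED_HASH_RATE = 1e12


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size: int, length: int, iterations: int,
                           hash_rate: float = ASSUMED_HASH_RATE) -> float:
    """Expected time to hit a random password: half the keyspace on average,
    each guess costing `iterations` HMAC computations."""
    return (alphabet_size ** length / 2) * iterations / hash_rate


def length_for_bits(alphabet_size: int, target_bits: int = 128) -> int:
    """Shortest length whose keyspace reaches `target_bits` (128 is the
    threshold the post above calls 'bank strength')."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def crack_table(cases, iteration_counts=(1, 5_000, 100_100)):
    """Rows of (label, bits, iterations, expected years) for the given cases."""
    rows = []
    for label, alphabet_size, length in cases:
        for it in iteration_counts:
            years = expected_crack_seconds(alphabet_size, length, it) / SECONDS_PER_YEAR
            rows.append((label, entropy_bits(alphabet_size, length), it, years))
    return rows


if __name__ == "__main__":
    cases = [                       # (label, alphabet size, length), all random choices
        ("8 printable chars", 95, 8),
        ("12 printable chars", 95, 12),
        ("20 printable chars", 95, 20),
        ("5 diceware words", 7776, 5),
        ("7 diceware words", 7776, 7),
    ]
    for label, bits, it, years in crack_table(cases):
        print(f"{label:20} {bits:6.1f} bits  iterations={it:>7}  ~{years:.3g} years")
    for name, n in (("lowercase", 26), ("printable ASCII", 95), ("diceware words", 7776)):
        print(f"{name:16}: {length_for_bits(n)} symbols for 128 bits")
```

Raising the iteration count from 1 to 100,100 buys a factor of about 10^5; adding four random printable characters buys 95^4, about 8 x 10^7. That is the sense in which a sufficiently long, non-dictionary password makes the iteration count a second-order concern, and why a 20-character random string (or ten diceware words) already clears the 2^128 line under this model.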

Coffee

Member
Jan 14, 2023
A second factor is normally (as in the way it is traditionally used in the industry) applied as a means to control how you use the first factor (the password). It's not part OF the password. So if they have an attack that lets them extract the data/service/info protected, they don't need any password or MFA to get said access. In the case of LP, they got your vault without using your password or being blocked by any MFA you had in place alongside your master password.

If you think about it a certain way, an MFA that modified the password (thus being part of protecting the vault offline) would just be part of the password, and so wouldn't actually be MFA at all.
Best explanation I've ever heard of MFA's part in authentication. Thank you!
 

Dave New

Well-known member
Nov 23, 2020
Is that because MFA only protects against online attacks? In other words, don't allow offline access? Stolen password vaults aren't protected by MFA because that's just a control for access to the vault, and not decryption of that vault?


I considered storing all of my MFA info in another service. Then I thought about what a pain that would be with the initial setup and everytime I needed to change that information. Do you know anyone doing that, and have/did they keep it up for long? Maybe it's not as much of a pain as I was thinking...
There are many different forms of MFA, and some of them would be convenient to store, say, in the notes field in your lastpass entry for that account, but others, by their very nature, require something else: SMS text messages, Yubikeys, and to a certain extent, OTP, although most OTP setups invite you to 'print out and store in a safe place' a set of one-use codes, which can of course, be conveniently stored in the notes field of your lastpass entry for that account. Something else that would be convenient to store in the notes field of your lastpass entry for that account - those pesky 'security questions'. The best way to handle those questions is to make up completely random answers and store those for future reference. The worst thing to do is to actually answer things like your first car, city you got married, etc. with real answers - those can be socially engineered.

Coffee

Member
Jan 14, 2023
In general, with a long enough password, yes. More can be better, but there comes a time where the laws of large numbers are probably protection enough. Do you really care if your password could be broken in 10x the life of the universe versus 1000x ?
OK, _this_ is why I haven't sweated too much about this LP breach or those in the past. My master password is random, between 15 and 20 characters long, and has four types of complexity.

I share some client info with a coworker. The recent attention given to iteration count was beginning to concern me. He had only 5K iterations at the time of the breach. Fortunately, his password was long.

I'll make the next version of my master password even longer.
 

Coffee

Member
Jan 14, 2023
There are many different forms of MFA, and some of them would be convenient to store, say, in the notes field in your lastpass entry for that account, but others, by their very nature, require something else: SMS text messages, Yubikeys, and to a certain extent, OTP, although most OTP setups invite you to 'print out and store in a safe place' a set of one-use codes, which can of course, be conveniently stored in the notes field of your lastpass entry for that account. Something else that would be convenient to store in the notes field of your lastpass entry for that account - those pesky 'security questions'. The best way to handle those questions is to make up completely random answers and store those for future reference. The worst thing to do is to actually answer things like your first car, city you got married, etc. with real answers - those can be socially engineered.
Agreed. I store all of those things in the notes field. It's really the only way to retain the mountains of confidential data we need to keep on ourselves, family members, and potentially clients.