2-Factor Authentication and the new LastPass App

The new LastPass app claimed to improve the process, and the press coverage matched. Turns out, it’s basically a copy of existing technology and only an improvement for LastPass users.

Aaron Robinson
Mar 25, 2016

I’ve been a big fan of 2-factor authentication for a few years. With all of the bad things on the Internet, another layer of security for email and financial sites is very worthy of the additional few seconds it takes to punch in a code, especially when most sites remember a particular computer for some period of time.

I started using 2-factor with the Google Authenticator app, and love that it can manage the codes for nearly all of the sites that use the second layer of security. This example shows only one code, but imagine the same block repeated down the screen.

Google Authenticator

The challenge with Google’s app comes from having multiple sites on the same screen — you have to scroll, read the account name carefully, and then enter the code on the website (made a little easier by copy-paste on mobile).

I was first sad then happy when I started using Duo Mobile for a site that wouldn’t work with Google. Sad to add another app, especially a duplicate. Happy when I realized that they used push notifications! When you sign in on the site with the Duo Mobile integration, the app sends a notification, and clicking on it takes you to a screen where you can approve the login with one click. The only downside is that the site I use doesn’t indicate that it’s waiting for a 2-factor authentication, so sometimes I forget. That’s probably easy to fix with a more robust integration on the site, or even just some dynamic code on the site activated by a button click.

Duo Mobile

With those apps in active use, I was really excited to see that LastPass released a new authenticator app that promised “one-tap login.” The notification came at an interesting time: I just signed up for Dashlane Premium (referral link) after deciding that their UI is much better than LastPass. If push notification authentication was on the table, I would reconsider.

LastPass Authenticator (as pointed out already, looks a lot like Duo Mobile!)

Turns out, the one-tap login only works for LastPass. It doesn’t work for any of the other sites that the app supports, and that means back to a long list of codes — no improvement. They weren’t secretive about it; this line was included in their blog post (though almost at the bottom):

Note that push notifications are available for logging in to LastPass accounts only.

LastPass got some great publicity out of this launch. Take this headline and coverage for example:

LastPass Authenticator for iOS launches to improve the two-factor authentication process (9to5Mac)

LastPass Authenticator looks to improve that experience [of entering codes] by allowing users to quickly approve the new login requests directly from their devices.

In reality, the new app is an awesome improvement for LastPass users, and otherwise basically a copy of existing technology.

Now I’m curious. Is there a technical limitation or hurdle that makes it harder to push a notification after I click login so I can authenticate with just a tap on my phone — or, even better, on my iOS Touch ID? A general app with that would actually improve the process, and possibly bring a whole new group of people to a higher level of security. Perhaps LastPass is working on that, and all of the coverage will be deserved!
