Why 2FA was useless for LastPass
Last year ended with a scare for many LastPass users: Attackers managed to steal a data backup of LastPass customer data, parts of which are unencrypted. Since then the attackers have the opportunity to crack customers' master passwords in an offline setting.
One problem that is difficult for many to grasp is the ineffectiveness of the 2-factor authentication set up on LastPass - why can the attackers get at my data even though I have 2FA enabled? The culprit is LastPass' security architecture and the role that the master password plays in encryption.
The LastPass security architecture
In short, everything revolves around the master password. This is the one factor in LastPass security that is really used for end-to-end encryption. It is important to remember that the master password is chosen by the users. So it is never perfectly random, but contains patterns due to the human way of thinking. This brings us to the concept of key stretching, which is slightly more technical.
In encryption, key stretching is used to derive a key from the master password that is used for end-to-end encryption of the vault. LastPass uses the PBKDF2 key-stretching function with 100,100 iterations. The number of iterations tells how many times the encryption function is applied to the result to further encrypt it.
The Role of 2-Factor Authentication (2FA)
2-factor authentication is an optional setting that is available for all users that provides additional protection when accessing the LastPass cloud infrastructure. And this is exactly where the problem lies: 2FA is not part of the end-to-end encryption, which depends solely on the security of the master password. The attackers have taken advantage of this.
The attackers' approach
For us, the outcome of the story is enough: the attackers gained access to the cloud infrastructure, bypassing or exploiting protective mechanisms of LastPass employees. This allowed them to steal the customers' encrypted vaults and now they can work on decrypting them. The 2FA methods of the individual customers do not matter, the master password is the only hurdle.
As mentioned earlier, 2FA only protects access to the cloud, it is not part of the encryption. However, the attackers already had access to the cloud and were able to steal the data. In doing so, the attackers bypassed an employee's 2FA (see article above) to get to the vaults on the cloud. Now they can work "offline" to crack the vaults, making the customers' individual 2FA mechanisms useless.
Offline brute force for decryption
Offline, the attackers have the opportunity to try out an extremely large number of master passwords automatically via the brute force method. The only obstacle, or rather the slowing factor, is the key-stretching function. This is exactly what it was made for, however, regular adjustments have to be made to keep up with the ever-improving hardware of the attackers. PBKDF2 with 100,100 iterations is unfortunately very outdated, currently the OWASP Foundation recommends 600,000 iterations for PBKDF2 or to use the much better Argon2 as standard (LastPass updated to 600,000 iterations as of 1 March 2023). Argon2 is a newer key-stretching function that has been standardized by cryptologists since 2015.
An example of the effort that attackers have to put in: For a 12-digit user-generated master password, it is estimated that it would cost, on average around $100 USD to crack this password.
Solutions that prevent this from happening
There are various approaches to solving this problem. 1Password has introduced the "secret key" as an additional factor alongside the master password. This is a randomly generated string of characters that, unlike the human-generated master password, is not easy to crack. 1Password recommends printing out the Secret Key, as you need it when setting up new devices and it must not be lost. While this increases security, it introduces new problems: poorer user experience, poorer user acceptance, and an increased support burden.
heylogin does not require users to choose a master password. Instead, we generate the key for end-to-end encryption directly in the security chip of the user's smartphone. This key is not only 256-bit secure, but also perfectly random, containing no human patterns.
Encryption with 2FA and without master password
This leads us to the big advantage over the security architecture of LastPass or the variant of 1Password: this method includes 2-factor security in the encryption. The security chip in the smartphone must first be unlocked by the users biometrics when it is used. This is done by either PIN, face unlock or fingerprint. The number of incorrect attempts is limited, so it is not possible to try out an infinite number of PINs. Potential attackers must therefore not only physically steal the smartphone (1st factor), but also unlock the security chip with the 2nd factor. This is not only extremely difficult in itself, but the attack is also not as easily scalable as with LastPass, since you would have to steal and crack quite a lot of smartphones.
In conclusion, the attack on LastPass could at least be mitigated with more modern security measures, but the master password remains the biggest problem as a mechanism with human patterns and weaknesses. Until 2FA becomes a part of the actual end-to-end encryption, this attack can happen again.