LastPass’s new cloud backup option – sunny skies or a brewing storm?

As eagle-eyed users of LastPass will have noticed, the company recently introduced a cloud backup option for the company’s popular smartphone Authenticator app.

Authenticator implements multi-factor authentication for LastPass and a range of third-party services supporting the Time-based One-Time Password (TOTP) algorithm such as Google, Facebook, Microsoft, WordPress, Dropbox, and so on.

It’s possible to do this from Google’s Authenticator app but, frankly, LastPass is better at it because it offers features such as one-tap push notifications which make using it quick and easy.

However, the convenience comes with a small pitfall for the unwary – what happens if the smartphone running Authenticator tied to a user’s account is lost or stolen?

Because the phone’s subscriber IMEI is paired to the service during enrollment, setting up a new one requires users to go back to square one, which means re-enrolling (or re-instating using backup codes) every single third-party service it was being used with.

What the new cloud backup option offers is a way to dodge this hassle by backing up the multi-factor tokens to the LastPass vault in an encrypted state.

Doubtless, a few people will find this alarming – indeed, some do. Backing up multi-factor tokens to one place sounds risky because you are putting the multi-factor eggs in one basket. On the face of it, that goes against the point of multi-factor authentication – which is that there should never be one point of failure.

Or you could argue that putting tokens inside a password manager is no less secure than putting lots of passwords inside a password manager in the first place. Anyone wanting access to the vault will still have to get around both password and multi-factor security to gain access to critical data.

There is one hypothetical difference. If LastPass is somehow compromised for users not using LastPass Authenticator, the attackers have access to all the passwords plus a way of bypassing LastPass’s own multi-factor authentication. What they won’t have without the phone or a reliable man-in-the-middle compromise is a way of compromising the subset of sites inside the vault that have multi-factor authentication turned on independently.

In theory – and it’s only “in theory” because the multi-factor backup is secured using the same security as any other LastPass data – anyone using Authenticator with multi-factor backup turned on might lose this defence in the same situation.
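The two scenarios above come down to one fact about TOTP: whoever holds the enrolment seed can mint valid codes, so a seed backed up into the vault is exactly as safe as the vault. The following added example (not LastPass code; the real backup format is not described here) implements RFC 6238 TOTP, checks it against the RFC’s published test vectors, and models a vault-only compromise with and without Authenticator backup using a constructed vault entry and seed.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits, algo)


def totp_from_base32(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """Authenticator apps hold the seed as base32 (the QR-code payload at enrolment)."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return totp(base64.b32decode(padded), unix_time, digits=digits)


def vault_compromise_yields(entry: dict, authenticator_backup: bool, unix_time: int) -> dict:
    """Model of the article's scenario: what an attacker holding only the vault gets.

    Without Authenticator backup the TOTP seed lives only on the phone, so the
    attacker gets the password but no code for a site with independent MFA.
    With backup on, the seed is in the vault too, and a valid code follows.
    'entry' is a constructed vault record, not LastPass's real storage format.
    """
    result = {"password": entry["password"], "totp_code": None}
    seed = entry.get("totp_seed_b32")
    if seed and authenticator_backup:
        result["totp_code"] = totp_from_base32(seed, unix_time)
    return result


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret, SHA-1, 8 digits, T = 59 -> 94287082
    print(totp(b"12345678901234567890", 59, digits=8))
    # Constructed seed and entry (hypothetical, not a real account)
    entry = {"password": "example-password", "totp_seed_b32": "JBSWY3DPEHPK3PXP"}
    print(vault_compromise_yields(entry, False, 1234567890))
    print(vault_compromise_yields(entry, True, 1234567890))
```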

In the end, the argument in favour of cloud backup is that it’s a compromise designed to cope with the fact that multi-factor security doesn’t scale well. The technology is great for a handful of sites, but apply it to dozens and it starts to weigh people down in exactly the same way passwords do. Make reinstatement too onerous and people won’t use it at all.

Password managers were invented to manage the many passwords people couldn’t remember; in the same way, authentication apps manage the many multi-factor systems that would otherwise slow people down.

LastPass is doing what its users have asked it to do. Security often edges its way forward by making these sorts of compromises without which we must revert to physical tokens, offline databases or paper and pen. As long as LastPass users know they have a choice.