

In this article, I demonstrate how to deploy a phishing attack on LastPass users, even when they are protected with YubiKey physical keys. I hope that this helps you appreciate that YubiKey ≠ U2F. Aside from that, I will give an overview of:

- U2F, the protocol that is likely used whenever you hear about security keys;
- how LastPass encrypts and handles your vault.

In recent years, phishing has proven to be one of the most effective ways of hacking people. Instead of using a fancy new exploit to steal a victim’s credentials, the hacker just asks the victim to hand their credentials over. Moreover, with the new remote working conditions, we are more at risk of phishing attacks. This results in headlines such as “Phishing Attacks Increase 350 Percent Amid COVID-19 Quarantine (2020)”.

How do we combat this? Aside from educating employees on phishing attacks, security keys are an effective way to mitigate this increased risk. We see success stories such as (2018, Google: Security Keys Neutralized Employee Phishing):

“We have had no reported or confirmed account takeovers since implementing security keys at Google”

In a phishing attack, the weak point is the human user. The user has the responsibility of distinguishing legitimate from malicious sites. By using security keys and protocols such as U2F, you relieve some of this burden from the user. Using U2F, authentication “magically” doesn’t work when it is a malicious site, even when the victim is tricked.

Below we see LastPass endorsing the use of YubiKeys. In the diagram, we see that YubiKey is more secure, easy to use, and not phishable. With that said, I recently got myself some YubiKeys. To use this “Advanced Multi-factor Option” with LastPass, I needed a premium account.
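To make the “magically doesn’t work” part concrete, here is an added simulation of the U2F origin binding (my own illustrative code, not from this article, LastPass or Yubico). The browser, not the page, supplies the origin it loaded the page from: it goes into the clientData JSON and its hash (the appParam) is part of what the key signs. The relying party hashes its own appId and checks its own challenge, so an assertion produced on a look‑alike origin fails even if the attacker relays the real challenge or rewrites the clientData afterwards. Origins, the challenge and the single-key-per-site simplification are constructed assumptions; real U2F also uses key handles and a separate attestation step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Authenticator is a simulated U2F key: one P-256 key pair for one site
// plus a monotonic usage counter. (Assumed simplification: no key handles.)
type Authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

// ClientData is built by the browser. The Origin field is the origin of the
// page that called the API; a page cannot choose it.
type ClientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func buildClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(ClientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	return b
}

// signedData lays out the U2F authentication message the key signs over:
// appParam(32) || userPresence(1) || counter(4) || challengeParam(32).
func signedData(appParam, challengeParam [32]byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 69)
	buf = append(buf, appParam[:]...)
	buf = append(buf, 0x01) // user presence: the user touched the key
	buf = append(buf, ctr[:]...)
	buf = append(buf, challengeParam[:]...)
	return buf
}

// Sign models browser + key: the browser derives appID from the page origin,
// the key signs over its hash. The key never knows whether the site is real.
func (a *Authenticator) Sign(appID string, clientData []byte) ([]byte, uint32, error) {
	a.counter++
	appParam := sha256.Sum256([]byte(appID))
	challengeParam := sha256.Sum256(clientData)
	digest := sha256.Sum256(signedData(appParam, challengeParam, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return sig, a.counter, err
}

// Verify is the relying party's check. It hashes ITS OWN appId (never one the
// client supplies), requires its own challenge, and inspects the origin the
// browser recorded in clientData.
func Verify(pub *ecdsa.PublicKey, serverAppID, expectedChallenge string, clientData []byte, counter uint32, sig []byte) bool {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return false
	}
	if cd.Origin != serverAppID || cd.Challenge != expectedChallenge {
		return false
	}
	appParam := sha256.Sum256([]byte(serverAppID))
	challengeParam := sha256.Sum256(clientData)
	digest := sha256.Sum256(signedData(appParam, challengeParam, counter))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario runs three logins against the real site's verifier and returns
// (honest accepted, relayed-from-phish accepted, relayed-with-rewritten-clientData accepted).
func Scenario() (bool, bool, bool, error) {
	const realOrigin = "https://vault.example"  // constructed; stands in for the real site
	const phishOrigin = "https://vau1t.example" // constructed look-alike origin
	const challenge = "c29tZS1zZXJ2ZXItbm9uY2U"  // constructed nonce issued by the real site

	auth, err := NewAuthenticator()
	if err != nil {
		return false, false, false, err
	}
	pub := &auth.key.PublicKey

	// 1. Honest login: the user is on realOrigin, so the browser uses it as appId.
	cd := buildClientData(challenge, realOrigin)
	sig, ctr, err := auth.Sign(realOrigin, cd)
	if err != nil {
		return false, false, false, err
	}
	honest := Verify(pub, realOrigin, challenge, cd, ctr, sig)

	// 2. Phished: the victim is tricked onto phishOrigin, which forwards the real
	//    challenge. The browser binds the assertion to phishOrigin regardless.
	cdPhish := buildClientData(challenge, phishOrigin)
	sigPhish, ctrPhish, err := auth.Sign(phishOrigin, cdPhish)
	if err != nil {
		return false, false, false, err
	}
	relayed := Verify(pub, realOrigin, challenge, cdPhish, ctrPhish, sigPhish)

	// 3. Same assertion, but clientData rewritten to claim the real origin:
	//    the signature covered the phishing appParam and the original
	//    clientData hash, so it no longer verifies.
	rewritten := Verify(pub, realOrigin, challenge, cd, ctrPhish, sigPhish)
	return honest, relayed, rewritten, nil
}

func main() {
	h, r, w, err := Scenario()
	fmt.Println("honest:", h, "relayed:", r, "rewritten:", w, "err:", err)
}
```

The defender's takeaway from the simulation is in `Verify`: the server's security does not depend on the user noticing the look-alike domain, because the origin is supplied by the browser and bound into the signed message. A second factor that is merely typed or approved (an OTP, a push prompt, or a YubiKey used in OTP mode) has no such binding and relays cleanly, which is the distinction between “YubiKey” and “U2F” the article is about.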

LastPass doesn’t support U2F so this is disappointingly simple. I’ll say it upfront for the techy people: (un)fortunately, this is NOT a MITM attack of U2F*.
