LastPass hack reinforces importance of using multi-factor authentication
LastPass was the victim of yet another hacking attempt. This should come as no surprise, since password aggregators hold the keys to millions of other online resources.
Every password and identity aggregator is a top target. That's a given.
And yet, millions of users rely on password management tools simply as a result of the need to keep up with the overwhelming number of online resources we all find ourselves using.
No doubt, the LastPass hack was bad, but it's far worse for one group of users than another. Some of LastPass' users only use a user name and password (in other words, something you know). Another group of LastPass users add to that a multi-factor authentication mechanism that will only unlock an account when in possession of an unlocking device or code (that's something you have).
Let's break that down a bit more. LastPass offers a number of different second factor authentication methods. These methods, whether a USB key or a smartphone app, require users to not only enter the user name and password, but also a one-time identification key.
That extra authentication factor is a lock-block to hackers. Let's say a hacker in Romania (yes, I'm just randomly picking on Romania) finds out your user name and master password as a result of this breach. All he needs to do is enter that into LastPass and he has access to all your accounts.
But now, let's say your account was set up to also use Google Authenticator or another second factor of authentication. Even if the hacker has your user name and password, he has no way of knowing your multi-factor authentication code because it's tied to your smartphone and only exists for a short period of time. The hacker is completely blocked.
So, let's make this clear: user name + password + hacker = pain. User name + password + a second factor of authentication + hacker = no joy for the hacker.
Like with most online services, LastPass included, there's no additional fee to using multi-factor authentication. So there's absolutely no reason you shouldn't be using it. If you haven't used it before, now is the time to start.
Before I sign off from this little note, here's a video from the always-helpful Patrick Norton and Shannon Morse taking you through the process of setting up LastPass with Google Authenticator. Watch it. Note: the LastPass section starts at timestamp 16:34. The clip below should start there, but if not, you can scroll on in (unless you want to watch some fun stuff about quadcopters).
No excuses. Everything that's important to you online depends on your willingness to learn how to set up and type in a little code. Do it!
By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.