LastPass & 2 Factor Authentication - doesn't matter?

I had 2FA turned on for LP but I am being told that it doesn’t matter regarding the breach. I thought 2FA helped protect your vault? If not, what is the purpose of using 2FA?

I just saw that Leo says 2FA doesn’t protect your vault. So again, I’m not exactly sure what it protects?

You have to understand the transaction that is taking place. If you’re using data locally, there is nothing to stop you from accessing it, so 2FA doesn’t apply. If the bad guy stole your data, and had access to it locally on his system, 2FA is not going to stop him. The 2FA is NOT part of the protection of the encryption on the vault. If the attacker was trying to access your vault via the LastPass site, then the 2FA would be a barrier. So 2FA is only a barrier if the online service with your data isn’t incompetent (as I would argue LastPass was) and manages to keep your data from escaping.

Perhaps a metaphor will help. Your LastPass data is in a safety deposit box at a bank. Normally the only way to access it is with the manager using his key to open the vault, and you use your key to remove your box and take it to a private room to open. So your key is the master key for your box and the manager’s key is the 2FA. Now imagine someone comes along with a bulldozer and knocks open the vault. They bypassed the 2FA, but your master key is still [theoretically] required to open your box.

Exactly, the 2FA is there for the cloud access, which should be the only way to access the vault, if the service is doing its job properly, other than gaining access to your local device. If the data hasn’t been stolen, it is very important that you have 2FA turned on with the cloud service.

If the cloud service itself is breached, all bets are off, as you rightly point out is the case with LastPass.

Thanks. All of this helped a lot. Are there any password managers out there that use 2FA to protect the data/vault itself? I am guessing that might be almost impossible since the vault is static, right? If I understand correctly, 1Password kind of has this but you have a master password and a static security key, correct?

That is correct. 1Password generates (locally) a master key and you generate your password and you need both to decrypt the safe. I believe 1Password only stores the first and last 4 digits online to prompt you for the secret, when setting up a new device, so that you know what sort of number you are looking for.

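To make the distinction in the replies above concrete (2FA as the bank manager's key at the front door; the master password, plus a locally generated secret key in the 1Password-style scheme, as the only input to the vault's encryption), here is an added Python model. It is not code from the thread or from either product: the HMAC-based cipher, the salt and the second-factor code `123456` are constructed stand-ins for the real implementations.

```python
import hashlib
import hmac
import os

SALT = b"constructed-per-user-salt"  # constructed demo value; real services use a random per-user salt

def derive_vault_key(master_password: str, secret_key: bytes = b"") -> bytes:
    """Vault key from user-held material only. A 2FA code is never an input here,
    which is why 2FA cannot protect a copy of the vault that has been taken offline."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode() + secret_key, SALT, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC; stands in for AES so the demo needs no extra packages.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(key: bytes, blob: bytes):
    """Plaintext on success; None when the key is wrong (authentication tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CloudService:
    """Stores the encrypted blob. The 2FA check gates the download, not the decryption."""

    def __init__(self, blob: bytes, second_factor: str):
        self.storage = blob              # a breach of the provider exposes exactly this
        self._second_factor = second_factor

    def fetch_vault(self, second_factor: str):
        """The front door: the blob is served only with a valid second factor."""
        if not hmac.compare_digest(second_factor, self._second_factor):
            return None
        return self.storage
```

Reading `svc.storage` directly, as a breach of the provider does, bypasses `fetch_vault` and its 2FA check entirely; only the inputs to `derive_vault_key` decide whether the blob can be opened.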
When he said that, he was just referring to LP 2FA, correct? Accounts within LP with 2FA would still be protected by 2FA I would assume.