So my vault (on mobile device) is encrypted with my Master Password. Without the Master Password, the decryption cannot happen.

There is an option to enable Fingerprint Authentication on the mobile devices. Obviously that is only done after you have provided the Master Password, and your vault is now "unlocked" (decrypted) locally on the device.

However, even if I restart the mobile device, I can log back in with just the fingerprint. So how can it decrypt my vault after restart with just the fingerprint?

Does the "unlocked" vault mean it is stored unencrypted on the device's permanent (not RAM) storage? Is the fingerprint just security theater, since someone can bypass the app and access the (unencrypted) vault directly on device storage?

Slav
  • Android or iOS? – Stephen Touset Nov 09 '17 at 19:24
  • @StephenTouset Android, but how would that differ with iOS? – Slav Nov 09 '17 at 20:02
  • I don't know anything about Lastpass, but maybe it stores the key in the device's Trusted Execution Environment? – Ajedi32 Nov 09 '17 at 20:26
  • @Ajedi32 and that "Trusted Execution Environment" is absolutely safe from access by other apps? What about root? Or exploits? – Slav Nov 09 '17 at 20:27
  • @Slav No system is ever "absolutely safe". But yes, the TEE is isolated from other apps and from the OS: https://source.android.com/security/trusty/ – Ajedi32 Nov 09 '17 at 20:31
  • LastPass does not know your master password and it never leaves the client, so I think it's safe to postulate that the hash of the master password is stored inside the key mechanism of the OS and then released upon successful fingerprint authentication. https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf – Jingo Nov 09 '17 at 20:34
  • @Nobeater thanks for the answer and link, unfortunately the link doesn't touch on mobile implementation details – Slav Nov 09 '17 at 20:43

1 Answer

The mobile LastPass client stores your password in the device's key locker which, in theory, should only be accessible after you enter appropriate credentials, in this case a fingerprint.

Of course, there is a massive difference between security on Android and on iOS (in general anyway), and I'm not familiar with the Android implementations other than to say that many Android devices have no hardware-based locker, which potentially seriously restricts the level of security you could expect.

On iOS, this has been well tested and found to be very secure - hence the ongoing battle between Apple and the FBI.

When unlocked, the vault is maintained in memory. So in theory, it would be possible to gain access. However, it uses protected memory which should not be accessible to any other application. As iOS has a more secure and restricted base, this again is likely to be more secure there than on Android. Though perhaps an Android expert can give a more definitive answer.

The downside of securing lastpass with a fingerprint is that the USA's border control have decided that you can be compelled to provide a fingerprint but cannot be compelled to provide a password. This has been verified in the US courts.

When I travel to the USA, I remove all cloud services except those I don't care about. Certainly I uninstall lastpass and add it back later. That doesn't just apply to the USA of course.

Using a fingerprint is not just theatre but it certainly does reduce security. Not likely to be enough to worry most people though. Of course, I only use LastPass for less critical passwords. The most sensitive are kept in a separate vault accessed using a different cross-platform tool. That doesn't have fingerprint integration and I don't keep the vault open anyway unlike LastPass which I often have open.

Julian Knight
  • Interesting note regarding using multiple password managers. I've considered using multiple Lastpass accounts (one always open for random stuff, one always locked for more secure sites), but it became too inconvenient. Care to share what other password manager you use? – Slav Nov 13 '17 at 14:29
  • Sure. I use Keepass as it is well audited and free versions are available on most platforms and it has fantastic automation capabilities including things like n letters from a password and security questions. PasswordSafe is another alternative possibly a bit simpler to use but not as powerful. – Julian Knight Nov 13 '17 at 21:18
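
The "key locker" scheme the answer describes, as an added, runnable model (this is illustrative code written for this page, not LastPass's implementation, and the on-disk layout, the `HardwareKeystore` class and the toy cipher are all assumptions). The point it makes concrete: after a restart nothing is in RAM, the vault stays encrypted on storage, and what the fingerprint does is authorise the keystore to unwrap a copy of the vault key that was wrapped under a non-exportable, hardware-resident key while the vault was unlocked with the master password. The HMAC-based stream cipher stands in for AES-GCM so the example runs with only the Python standard library; it is not something to reuse in production.

```python
"""Model of a password-manager vault with password unlock and biometric unlock.

Constructed example, not LastPass code. All names and the storage layout are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os


def kdf(master_password: str, salt: bytes) -> bytes:
    """Derive the password-based key-encryption key (KEK) from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HardwareKeystore:
    """Stand-in for a TEE / Secure Enclave backed keystore (assumed interface).

    The key material never leaves this object: callers can only ask it to wrap
    or unwrap, and unwrap is refused unless a biometric authentication is in
    effect. The authentication is consumed by one use, mirroring a
    per-operation user-authentication requirement.
    """

    def __init__(self) -> None:
        self._key = os.urandom(32)      # generated inside the "TEE", non-exportable
        self._authenticated = False

    def biometric_auth(self, fingerprint_ok: bool) -> None:
        self._authenticated = fingerprint_ok

    def wrap(self, secret: bytes) -> bytes:
        return seal(self._key, secret)

    def unwrap(self, blob: bytes) -> bytes:
        if not self._authenticated:
            raise PermissionError("user authentication required")
        self._authenticated = False
        return unseal(self._key, blob)


def enroll(master_password: str, vault_plaintext: bytes, keystore: HardwareKeystore) -> dict:
    """What ends up on permanent storage: nothing here is plaintext."""
    salt = os.urandom(16)
    vault_key = os.urandom(32)                       # random data-encryption key
    kek = kdf(master_password, salt)
    return {
        "salt": salt,
        "vault": seal(vault_key, vault_plaintext),           # vault under vault_key
        "vault_key_by_password": seal(kek, vault_key),       # vault_key under KEK
        "vault_key_by_keystore": keystore.wrap(vault_key),   # vault_key under TEE key
    }


def unlock_with_password(disk: dict, master_password: str) -> bytes:
    kek = kdf(master_password, disk["salt"])
    vault_key = unseal(kek, disk["vault_key_by_password"])
    return unseal(vault_key, disk["vault"])


def unlock_with_fingerprint(disk: dict, keystore: HardwareKeystore) -> bytes:
    """Works after a restart because the wrapped key is on disk and the
    unwrapping key is in the keystore; the fingerprint only gates the unwrap."""
    vault_key = keystore.unwrap(disk["vault_key_by_keystore"])
    return unseal(vault_key, disk["vault"])


def vault_is_encrypted_at_rest(disk: dict, vault_plaintext: bytes) -> bool:
    """What an attacker reading raw storage (e.g. with root) would check for."""
    return vault_plaintext not in disk["vault"]
```

Read together with the answer: storage holds only ciphertext and wrapped keys, so dumping the app's files does not yield the vault; what the fingerprint changes is that the keystore, not the user's memory, now holds a key that can recover the vault key. That is why the residual risk moves to the keystore itself: a device without hardware-backed storage, or a compromise that can drive the keystore as the app would, removes the protection the biometric gate adds.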