LastPass announced a new cloud backup feature for its LastPass Authenticator (not to be confused with the LastPass Password Manager), which should remove some of the hassle of changing or resetting phones for its users.
Two-factor authentication seems to be gaining steam lately as more companies experience data breaches. Two-factor authentication comes in multiple forms, such as an SMS code (not recommended anymore), a Time-Based One-Time Password (TOTP) code, or a public key paired with a private key inside a hardware token.
Attackers can’t access your account when a second factor protects it, even if they have your password. It’s usually significantly harder to obtain your second-factor code than it is to get your password. Passwords can be obtained in bulk from a data breach, whereas to obtain your second-factor code, attackers need to hack you specifically. Plus, they still need your password to be able to enter your account.
LastPass Authenticator’s Cloud Backup
LastPass Authenticator's new cloud backup feature is opt-in, so users have to enable it in the app settings manually. It also works in conjunction with the LastPass Password Manager, which has to be installed first on a mobile device.
When the user enables the feature, the seed key from each QR code is stored on LastPass’ servers, which preserves all of the user’s two-factor authentication pairings for various websites. Thus, when the user resets or changes phones, those pairings can be retrieved from LastPass’ servers instead of the user having to go to each site to re-pair.
When the user launches the LastPass Authenticator on a new phone or a freshly reset phone, he or she will be asked to add a new account manually or restore from backup. According to LastPass, restoring takes only a few seconds, and then everything should work just as before.
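An added example (not from LastPass or the original article) of why restoring the seed key is enough to restore a pairing: under standard TOTP (RFC 6238, assumed here), a code depends only on the seed and the current time, so any device holding a copy of the seed shows the same code. The site names and the `cloud_backup` helper are hypothetical; the first seed is the RFC 6238 test key and the second is constructed.

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): the code is a function of seed and time only."""
    s = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = struct.pack(">Q", unix_time // step)    # index of the 30-second step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed sample pairings: placeholder site names; the first seed is the
# RFC 6238 test key ("12345678901234567890" in base32), the second is made up.
OLD_PHONE = {
    "site-a.example": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "site-b.example": "JBSWY3DPEHPK3PXP",
}

def cloud_backup(pairings):
    """Hypothetical stand-in for the backup: a copy of every seed leaves the phone."""
    return dict(pairings)

def codes_at(pairings, unix_time):
    """Codes each pairing would display at the given Unix time."""
    return {site: totp(seed, unix_time) for site, seed in pairings.items()}

def restore_matches(unix_time):
    """A phone restored from the backup shows the same codes as the old phone."""
    new_phone = cloud_backup(OLD_PHONE)
    return codes_at(new_phone, unix_time) == codes_at(OLD_PHONE, unix_time)

if __name__ == "__main__":
    now = 59  # fixed time so the output is reproducible
    print(codes_at(OLD_PHONE, now))
    print("restored phone matches old phone:", restore_matches(now))
```

Because the codes are derived from nothing but the seed and the clock, the stored backup carries the same authority as the authenticator app itself.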
LastPass said that the new cloud backup feature shouldn’t increase a user's level of risk and that users should be able to use the LastPass Authenticator as a second factor for the LastPass Password Manager, too.
However, it’s not usually a good idea to store everything in one place. Users who are worried about this may want to use a different authenticator to log in to the LastPass Password Manager itself while using the LastPass Authenticator for all of their third-party websites.