Bitwarden has two, RoboForm and Dashlane have four, and 1Password has none. It’s enough data to build an extensive profile around the most private information you store. According to Exodus Privacy, other password managers don’t use as many trackers. The amount of data does seem to be extensive, revealing information about the device in use, the cell phone carrier, the type of LastPass account, and the user’s Google Advertising ID (used to connect data about the user across apps). That’s because trackers often use proprietary code that isn’t open for inspection. Kuketz says that including a tracking code of this type in a password manager (or similar security-focused app) isn’t acceptable, as the developers can’t be fully aware of what the tracking code collects. He discovered that the app reached out to nearly every tracker’s servers without asking permission first. Further inspection doesn’t suggest that the trackers transferred any username or password data, but it does seem to know when the user creates a password and what type. So Kuketz followed up with network monitoring while setting up a new LastPass account. While Exodus Privacy confirms the presence of trackers, that doesn’t guarantee they do anything.
But what happens if that password manager is tracking what you’re doing and not even telling you? According to security researcher Mike Kuketz, the LastPass Android app has seven embedded trackers, and LastPass may not know what data they collect. As first spotted by The Register, Kuketz used tools from Exodus Privacy to examine the LastPass Android app and discovered seven trackers embedded in its code:
Like Authy and Microsoft Authenticator, the LastPass app also includes the ability to back up and restore configurations and to save manual backup codes in the LastPass vault. When it comes to account security, using a password manager is generally a good idea.
(For an overview of the technology, see "Better than the best password: How to use 2FA to improve your security.") Compared to the bare-bones Google solution, the updated LastPass Authenticator offers a few usability advantages, including the ability to sort, search, and filter a long list of saved MFA providers. The new LastPass app should be familiar to anyone who's used similar apps like Google Authenticator or Authy. Microsoft similarly offered two authenticator apps, one for Microsoft accounts and the other for business and enterprise accounts running under Azure Active Directory, before releasing a unified Authenticator app in 2016. LastPass isn't the first technology company to make this sort of move.
The LastPass MFA app will continue to work for business customers that have deployed it, although the company expects those customers to migrate to the new app over time.
The updated app is available for Android devices today and should be available for iOS devices in the next week. According to Akhil Talwar, Director of Product Management for LastPass parent company LogMeIn, the availability of two apps was confusing to some consumer customers, who inadvertently downloaded the wrong solution. The new app, which is free for anyone, including LastPass customers with free accounts, consolidates functionality that was previously split into two apps, with a separate LastPass MFA app for business customers. The latest entrant is the widely used LastPass, which today announced the release of a new LastPass Authenticator mobile app.
That fact explains why the developers of password management software are creating tighter links between their products and MFA technologies. A separate report from Google from around the same time came to a similar conclusion. According to a 2019 Microsoft study, requiring the use of an additional authentication factor besides a password blocks 99.9% of automated attacks on cloud-based services. One of the most crucial steps in securing a modern business computing environment is to add multi-factor authentication (MFA), so that an attacker who steals credentials can't gain access to protected resources. The new LastPass app combines functionality for business and consumer customers