Top-tier password manager LastPass (acquired by LogMeIn last Fall) is in the news again: Sean Cassidy, the CTO of Praesidio, outlined a phishing vulnerability in LastPass, as reported here. It is important to note that there were no reported breaches using this exploit, and that according to reports LastPass has in part addressed the concerns raised. Some of the details are very specific to the LastPass implementation, but the essence of the vulnerability lies in the ability of a rogue site to trick a user into entering their LastPass master password. In the worst case, an attacker can use the acquired master password to, as Cassidy reports, “… download all of the victim’s information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker’s server as a “trusted device”. Anything we want, really”.
passQi’s model is completely different. Although it automates login and two-factor authentication, it stores passwords and tokens only on the user’s phone, and never releases them except under the immediate, interactive direction of the user. Any system that exposes an API capable of providing unattended access to a user’s credentials, and that can moreover prompt the user for their master password inside the target system (the browser), will be subject to all manner of exploits. In passQi, passwords are decrypted only within the Vault on the mobile phone, after local (smartphone) authentication by the user, and are relayed to the target browser only under a one-time encryption key generated ad hoc on the target machine; a blob captured in transit is useless to anyone who does not hold that machine’s key. There is therefore no action a user can take in the browser that compromises their primary vault.
The passQi approach is by design more secure, and represents a next-generation approach to password management. Although implementations by various vendors differ, any that stores passwords in the cloud and unlocks them with a master password entered in the browser is liable to problems of this nature.