The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop. As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW#561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator. It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too. If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator. In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.
Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others. Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility – Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile. In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing. In which case, a 3rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync. Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy. |
Tag: 2fa
556 – Using MFA more widely
So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them. Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials… MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it. 2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app? Once you have Authenticator set up and running, It’s really easy to add many
In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc). After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text. As you can see from the description, there are lots of other 3rd party apps and websites that support MFA using authenticator apps –
|