12

I'm using lastpass and I would like to implement a 2FA in my account, but I don't know which one is the most secure, a software authenticator such as google authenticator or an USB device as Yubikey.

Since there isn't any password manager which has 3FA, I'm a little confused which one is the most secure.

Thanks

user26832
  • 267
  • 2
  • 6

1 Answers1

12

Google Authenticator is pretty secure. Certainly better than nothing, and in fact better than most of the options out there.

Yubico OTP devices are slightly better, because it's more difficult to extract the keys out of a Yubico device than a cell phone.

That said, neither is perfect because both are OTP-based and therefore both can be phished. This is a vulnerability that is today being actively exploited by groups like the Syrian Electronic Army, and is the cause for a number of high-profile breaches.

There is a solution which can't be phished, but as of this writing, LastPass doesn't support it. So while I still recommend using your Yubikey or Authenticator code as a second factor, I would caution you to not let your guard down in its use, because you're still vulnerable to phishing.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • 3
    You can also use the yubikey authenticator to get 3FA. It is a google authenticator clone which requires your yubikey to unlock. – bjarkef Nov 02 '15 at 11:11