LastPass Security Incident
Many in the higher education community have been following the LastPass security incident on June 15th. It’s gotten some media attention, and two of the NET+ LastPass service validation campuses, Duke University and Harvard University, both posted notices to their communities. The recent LinuxInsider article raised the issue of trust in online password vaults, and this seemed a good time to provide some more information about this NET+ service as well as to comment on a couple of general points relevant to all cloud services.
LastPass is an online password vault for managing logins, with enterprise functionality that helps users maintain good password hygiene across the web. LastPass’ design protects stored passwords even during a security incident, and LastPass described in their blog post how that secure design protects passwords.
As part of the NET+ service validation, campuses evaluate the security of the service provider to ensure it meets their security requirements, including how security is designed and integrated into the service. The campuses also weighed the various risks from reusable passwords against the design of the service, whereby LastPass doesn’t have direct access to the passwords, and the security documentation from LastPass. There is also a contractual requirement for NET+ service providers to notify Internet2 and the subscribing campuses when there is a security incident.
LastPass has been open with their customers and Internet2 throughout the recent security incident. Despite the incident, campuses view LastPass as an important addition to the NET+ Security and Identity portfolio because it is a good tool to support better password hygiene and complements the work of campuses participating in the InCommon Federation. As a campus implements federated authentication and transitions to requiring one password or to using multifactor authentication, there will be some systems that cannot move to federated authentication for various reasons. Users will still need to remember multiple institutional and personal passwords. No security is perfect, but better support for good password hygiene is still needed to improve usability and reduce the risk from reusable passwords.
Campuses that use LastPass can also use another NET+ service provider, Duo Security, to further protect their password vaults from unauthorized access by enabling multifactor authentication.
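The design point above, that the provider never holds the passwords it stores, is the reason a server-side breach does not directly expose a vault. The following is an added illustration of that pattern and is not LastPass’ own code: the vault key is derived on the client from the master password and never sent, the server keeps only a further-hashed authentication value plus the encrypted vault, and the server-side login check is where a second factor such as Duo would be enforced. The iteration count, the HMAC-based keystream cipher (a stand-in for a real authenticated cipher such as AES-GCM), and all user data are assumptions constructed for the example.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; not LastPass's actual parameter


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client-side only: the key that encrypts the vault never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step over the vault key; this is all the server stores."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for an authenticated cipher: HMAC counter-mode keystream XOR."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def enroll(master_password: str, username: str, vault_plaintext: bytes) -> dict:
    """What the provider ends up holding after enrolment: no key, no plaintext."""
    key = derive_vault_key(master_password, username)
    return {
        "username": username,
        "auth_hash": derive_auth_hash(key, master_password),
        "vault_ct": keystream_xor(key, vault_plaintext),
    }


def login_and_open(record: dict, master_password: str):
    """Client re-derives the key; server only compares the auth hash.

    A second factor (e.g. Duo) would be checked alongside the auth hash here.
    Returns the decrypted vault, or None if the master password is wrong.
    """
    key = derive_vault_key(master_password, record["username"])
    candidate = derive_auth_hash(key, master_password)
    if not hmac.compare_digest(candidate, record["auth_hash"]):
        return None
    return keystream_xor(key, record["vault_ct"])
```

What a breach of the server record yields is the auth hash and ciphertext only; recovering the vault still requires guessing the master password through the full PBKDF2 cost, which is why a weak master password, not the stored record, remains the residual risk.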
Duke University, which sponsored the NET+ LastPass program, will provide insights into their LastPass deployment in two webinars on July 21st and July 23rd. In addition to Duke’s presentation, LastPass staff will be on hand to answer community questions about the service.