LastPass CEO Karim Toubba has had a challenging year, to say the least. He was still settling into his new job when the company reported detecting “unusual activity” within a third-party cloud service shared by LastPass and its GoTo affiliate — its second reported breach in three months.
Since then, LastPass has been on a journey to rid itself of passwords. Toubba speaks with Security Weekly co-host Jeff Man about it during Black Hat 2023.
“We’ve released and built some capabilities to shore up our defenses and start to make investments toward passwordless,” Toubba tells Man.
LastPass used Black Hat as the backdrop to announce the availability of FIDO2 authenticators, including biometrics such as fingerprint or face ID and hardware keys, for its passwordless login solution.
Toubba says this move gives LastPass customers a seamless passwordless login to their vaults, backed by FIDO2, the open authentication standard maintained by the FIDO Alliance and widely adopted across authentication and passwordless technologies.
LastPass’ passwordless login solution prompts users to select a primary authentication method, either the LastPass Authenticator app, biometrics (face or fingerprint ID), or a hardware key (USB security key), to log into their LastPass vault, removing the need to enter a master password.
“With passwordless, we have our face and fingerprints,” he says. “Through personal devices, you can use biometrics as authentication instead of using a password.”
LastPass’ transition to passwordless will take years, he acknowledges, but “the question for us became whether we could create a passwordless experience to the user.” FIDO2 compatibility enables that experience, he says.
This segment is sponsored by LastPass. Visit https://securityweekly.com/lastpassbh to learn more about them!
The full interview is above. Notable points along the way:
00:00 - Black Hat 2023 keynote with LastPass CEO Karim Toubba
00:31 - Cyber: interesting, dynamic, and timing
01:02 - LastPass: Passwordless, evolving industry
03:34 - Traditional authentication paradigm benefits evolve over time
05:24 - Technology behind passwordless protects against attacks
10:07 - Transitions to passwordless environments take years
13:40 - Organizations need to think about passwordless via multiple lenses
14:51 - Ease passwordless experience in applications