
TL;DR

If you want to export all TOTP secrets from the LastPass Authenticator app, use this script.

Introduction

I've been an avid user of LastPass for a few years now. However, they decided to no longer support more than one device type, unless you pay a hefty fee. I use LastPass on both my laptop and Android phone, so that would become a problem. I started looking at alternatives.

Switching to another password manager

Switching password managers is simple enough. LastPass offers an export feature, and other managers offer import features. Moving passwords over takes less than five minutes.


Unless you also use LastPass Authenticator for your 2FA tokens. For some reason there is no official way to export all saved tokens from that app. The official advice is 'disable it for all your accounts and re-enable it with a new 2FA application'. Yeah, no.


The LastPass Authenticator app does support backing up all your 2FA codes to your LastPass vault though:

This made me think. Maybe we can get our hands on that backup and use it? Let's find out!

Getting at the Android app

This is the part where most tutorials tell you to go to some shady 'APK downloader' website to download the APKs you want to examine. However, there is a much easier approach if you have an Android phone and adb. It doesn't have to be a rooted phone. You don't even have to connect it to your PC via USB. Simply enable both 'USB debugging' and 'Wireless ADB debugging' in the developer menu. Also check out the developer documentation for more detailed instructions. Then, simply connect:

Then, test connectivity:

Now you can ask the phone for a list of all applications installed and filter for the one you want:

You can now use the package name to get the path to the APK on the phone:

And then pull it to your machine:

And there you go: APKs that are guaranteed to match what Google Play installed, pulled straight from the device.
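As an added example (these are not the post's own commands), here is the same pull done from Python on top of adb. It assumes `adb` is on PATH with a device already connected, and uses the package name com.lastpass.authenticator, which is the package prefix of the classes examined later on this page. The one thing it handles that a bare pull of base.apk does not is split APKs: Play-installed apps are frequently delivered as base.apk plus split_config.*.apk, which `pm path` reports as several `package:` lines, and an app repackaged from base.apk alone will not install or run.

```python
"""Pull every APK of an installed Android app over adb.

Added example, not the original post's commands. Assumes `adb` is on PATH
and a device is already connected (USB or wireless debugging, root not needed).
"""
import pathlib
import subprocess
import sys
from typing import List


def adb(*args: str) -> str:
    """Run one adb command and return its stdout, failing loudly on error."""
    proc = subprocess.run(["adb", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def _strip_package_prefix(output: str, keyword: str = "") -> List[str]:
    """Collect the values of `package:<value>` lines, optionally filtered on a keyword.

    Both `pm list packages` and `pm path <pkg>` print one `package:` line per
    result; warnings or other chatter on stdout are ignored.
    """
    values = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:") and keyword in line:
            values.append(line[len("package:"):])
    return values


def parse_pm_path(output: str) -> List[str]:
    """Turn `pm path <pkg>` output into the list of on-device APK paths.

    Split-APK installs yield several entries (base.apk, split_config.arm64_v8a.apk,
    ...). All of them are needed to reinstall or repackage the app, so never
    assume a single path.
    """
    return _strip_package_prefix(output)


def parse_package_list(output: str, keyword: str) -> List[str]:
    """Filter `pm list packages` output on a keyword such as 'lastpass'."""
    return _strip_package_prefix(output, keyword)


def find_packages(keyword: str) -> List[str]:
    return parse_package_list(adb("shell", "pm", "list", "packages"), keyword)


def pull_package(package: str, outdir: pathlib.Path) -> List[pathlib.Path]:
    """Pull every APK belonging to `package` into `outdir`, returning the local paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    pulled = []
    for remote in parse_pm_path(adb("shell", "pm", "path", package)):
        local = outdir / pathlib.Path(remote).name
        adb("pull", remote, str(local))
        pulled.append(local)
    if not pulled:
        raise SystemExit("no APKs found for %s (is it installed?)" % package)
    return pulled


if __name__ == "__main__":
    # Package name taken from the class names discussed later on the page.
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.lastpass.authenticator"
    for path in pull_package(pkg, pathlib.Path("apk") / pkg):
        print("pulled", path)
```

If `pull_package` returns more than one path, the app is a split install; when you later patch it (for example with objection), patch base.apk but keep the split APKs alongside it and install them together, or the device will refuse the package.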

Inspecting the application

Now, at this point it might be fair to mention that I wasn't setting out on a big research project. I just wanted my original TOTP secrets. And fast. My initial plan of attack was to simply load the Frida gadget into the authenticator app and install it back on my phone.

So I grabbed a recent copy of the excellent Objection toolkit by SensePost. This toolkit has a built-in command for injecting the frida gadget into an APK:

Do keep in mind that it needs these tools available in your path to function properly:

  • adb
  • aapt
  • apksigner
  • apktool
  • zipalign

So make sure you have those properly set up. Now it's simply a matter of uninstalling the old version, and installing the patched one. Again, you can use ADB for this:

Now start the patched authenticator app and see if it worked by typing objection explore:

You can also use vanilla frida to connect:

Note that the application will hang until you connect to the gadget. Also, it will classify your phone as a 'USB device' even though it's connected through WiFi.

Small setback

Normally this would be pretty straightforward from here. Intercept traffic, hook functions, done. But not in this case. The authenticator app relies on the actual LastPass main application for authenticating to your vault, and for authorizing it to upload and download backups.

The main application also relies on the Google Play services, so a vanilla emulator wouldn't work.


Lastly, the main LastPass application would refuse to authorize the authenticator app if it detected tampering with the authenticator app (which I was doing to load in the Frida gadget).

After some trial and error, I settled on using the Genymotion Android emulator. It does require an account, but it's free for personal use. It also offers a one-click installation of 'Open GApps', and its virtual devices are rooted by default.

Bonus: I could just install both apps from the Play store. Do keep in mind that it uses VirtualBox under the hood, so enable nested virtualization if you're running this inside a VM.

Hooking functions


Because the emulator offers rooted images out of the box, there was no need to inject the Frida gadget into individual applications. Just transfer frida-server to the emulator and run it as root.

Download frida-server with the correct architecture first:

See the download page here for the latest version. The Genymotion emulator architecture is x86. Then, uncompress the archive:


Transfer it to the emulator:

Mark it as executable and run it (as root):

Finally, do a small test in a new terminal window to see if it works:

If all went well, you can now inject into any application on the emulator without patching individual APKs.

Setting a proxy and intercepting traffic



This is a step I see most people struggle with, so let me share my default way of easily getting the traffic from an Android app through Burp Suite.

  1. Create a reverse port forward via adb:
  2. Set a global proxy to that port forward:
  3. (Optional) Install the Burp Suite CA certificate as you normally would. A small piece of advice: use a low Android version. Certificate installation is harder in later versions, because since Android 7 apps targeting API level 24 or higher no longer trust user-installed CAs by default, so on newer images the certificate has to go into the system trust store (which needs root) or you have to bypass certificate validation in the app instead. Version 8 seems to work okay for me.

That's it. No weird iptables magic, system WiFi settings, etc. Just ADB. It also works perfectly on a regular, non-rooted Android device that is not an emulator. To undo, run:

To disable SSL verification in the LastPass Authenticator app, I used the 'Universal SSL Bypass 2' from the frida codeshare. Open up the Authenticator in the emulator, and run:

After I was done reversing the app, I found that Objection could actually do the same but easier. So if you don't want to bother with the codeshare route, just do this:

Traffic should now be flowing through Burp Suite:

Digging into the backup functionality

As it turns out, the traffic wasn't all that exciting. Creating a backup involved a POST request to the URL https://lastpass.com/lmiapi/authenticator/backup with a Base64-encoded blob as body:

Retrieving the backup uses the same URL but with the GET method and no body. Authentication is done via two HTTP headers:

  • X-CSRF-TOKEN
  • X-SESSION-ID

The authentication part I assume is handled by the regular LastPass application as it doesn't show up in the intercepted traffic. However, it seems to work in the same way as a normal web-based login. This login process has been talked about in detail by other people so I won't go into it.

The TL;DR version is that once you log in, you receive a Session ID. With this session ID you can get a CSRF token at https://lastpass.com/getCSRFToken.php. You can then use those two tokens to upload and download TOTP backups to your LastPass vault.

Decrypting the blob

The Base64 blob that is sent back and forth is actually two things. It starts with a ! character, followed by a small Base64 string. Then comes a | character followed by a large Base64 string.

People familiar with how LastPass works will probably recognize this as standard LastPass practice: the same !iv|ciphertext layout the vault uses for its own encrypted fields. The first string decodes to a 16-byte IV. The second is the actual data, encrypted with AES-CBC.

So what is the AES key?

Let's open up the Authenticator APK in jadx to find out. jadx is a decompiler similar to JD-GUI, but with native APK support. No need to mess around with extracting the APK and finding classes.dex.

After loading the APK let's do a search for '/backup' and see if we get any hits:

Awesome. We end up in a class called com.lastpass.authenticator.api.cloudsync.CloudSyncBackupEndpoint:

Not much to see here though. Let's move on. Exploring the different com.lastpass.authenticator packages we come across com.lastpass.authenticator.cloudsync.CloudSyncSessionInfo. This class has some interesting functions such as:

  • getEncryptionIV()
  • getEncryptionKey()

We have two choices at this point. Try and trace back where all these are used, or use objection and frida.

Guess which I chose.

Objection has a very neat feature where you can tell it to watch a class for usage. So that's what I did for the CloudSyncSessionInfo class:

I then triggered a manual backup in the Authenticator app to check if I was on the right path. And it seems I was:

Let's see if we can intercept the output of the getEncryptionKey() function. Objection can generate frida template scripts for all methods in a class. So for our class, we simply run:

It then spits out JavaScript for every method in the class. For example, this is what it generated for getEncryptionKey():

We can easily save this to a file and inject it manually using Frida:

For now, it doesn't really do anything. So let's modify the script so that it prints the return value before actually returning it:

After saving the script it's automatically updated by frida, so no need to re-attach. Running the backup again now gives us:

I had to censor it for obvious reasons, but trust me, the key is there. Great. Let's see if we can decrypt the blob now. One of my favourite tools for quickly testing encryption is CyberChef. Let's put in our data:

It worked! We now have all the information we need to import the TOTP secrets into another application. One last thing we need to find out is how the AES key is generated. Turns out this is the default LastPass way of generating encryption keys. They even have a test page for it here:

The encryption key that page derives from the master password is the same key that is used for encrypting our backups. In one line of Python, the algorithm for generating it is:

The default iteration count is 100100. Note that the count is a per-account setting, and LastPass has since raised the default for new accounts, so read it from the account during login rather than hard-coding it; with the wrong count you get a wrong key and, at best, a padding error on decryption.
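As an added example that ties the blob format described above and the key derivation together (this is not the post's script, nor LastPass code), here is a stand-alone Python module. Beyond what the page states, it assumes the cipher is AES-256-CBC with PKCS#7 padding (the standard LastPass vault encryption), that the key is PBKDF2-HMAC-SHA256 over the master password with the lower-cased account username as salt and a 32-byte output (as open-source clients such as lastpass-cli do), and it uses the `cryptography` package for the AES part; the blob parsing and key derivation are standard library only. The sample plaintext in the demo is constructed and says nothing about the real backup layout.

```python
"""Parse, decrypt and re-encrypt LastPass Authenticator backup blobs.

Added example, not the original post's script. Assumptions beyond the page:
AES-256-CBC + PKCS#7 padding, PBKDF2-HMAC-SHA256(password, salt=lower-cased
username, 32 bytes) for the key, and blob layout '!<base64 iv>|<base64 ct>'.
"""
import base64
import hashlib
import os
from typing import Optional, Tuple

# Default the post observed. It is per-account and has been raised since, so
# callers should pass the account's real count instead of relying on this.
DEFAULT_ITERATIONS = 100100


def derive_key(master_password: str, username: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """LastPass encryption key: PBKDF2-HMAC-SHA256 with the username as salt."""
    salt = username.strip().lower().encode("utf-8")  # lower-cased as lastpass-cli does (assumption)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def parse_blob(blob: str) -> Tuple[bytes, bytes]:
    """Split '!<iv b64>|<ct b64>' into (iv, ciphertext), rejecting malformed input."""
    if not blob.startswith("!") or "|" not in blob:
        raise ValueError("not a '!iv|ciphertext' LastPass blob")
    iv_b64, ct_b64 = blob[1:].split("|", 1)
    iv = base64.b64decode(iv_b64, validate=True)
    ct = base64.b64decode(ct_b64, validate=True)
    if len(iv) != 16:
        raise ValueError("IV must be 16 bytes, got %d" % len(iv))
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext length must be a non-zero multiple of 16")
    return iv, ct


def format_blob(iv: bytes, ct: bytes) -> str:
    """Inverse of parse_blob; the shape needed when POSTing a backup back."""
    return "!" + base64.b64encode(iv).decode("ascii") + "|" + base64.b64encode(ct).decode("ascii")


def pkcs7_pad(data: bytes) -> bytes:
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding; bad padding almost always means a wrong key."""
    if not data or len(data) % 16:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key or iteration count?)")
    return data[:-n]


def decrypt_backup(blob: str, key: bytes) -> bytes:
    """AES-256-CBC decrypt a backup blob with the derived 32-byte key."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    iv, ct = parse_blob(blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return pkcs7_unpad(dec.update(ct) + dec.finalize())


def encrypt_backup(plaintext: bytes, key: bytes, iv: Optional[bytes] = None) -> str:
    """Produce a blob in the same layout (for tests, or for re-uploading a backup)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    iv = iv or os.urandom(16)  # fresh random IV per encryption, never reuse one
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return format_blob(iv, enc.update(pkcs7_pad(plaintext)) + enc.finalize())


if __name__ == "__main__":
    # Constructed demo: a low iteration count keeps it fast; the plaintext is
    # made up and does not reflect the real backup structure.
    key = derive_key("correct horse battery staple", "user@example.com", iterations=1000)
    blob = encrypt_backup(b"constructed sample plaintext, not a real backup", key)
    print(blob)
    print(decrypt_backup(blob, key))
```

When decrypting a real download, feed `derive_key` the iteration count your account actually uses; a `bad PKCS#7 padding` error from `decrypt_backup` is the symptom of a wrong count or password, not of a corrupt blob.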

Conclusion

This wasn't really all that sophisticated in the end, but it kept me busy for a couple of hours. I've used the information gathered here to create a python script that will automatically log in to your vault, download the backup and convert them back to QR codes. You can find that script here.


