
Improve LastPass integration (MFA, reloading creds)

Hello!

While it's great that there is LastPass integration in Royal TS, there is some stuff that could be improved.

1. When using MFA, for example with Duo Security, there's no visible feedback that you need to accept the MFA prompt. (Also see: https://support.royalapps.com/support/discussions/topics/17000015027)

2. If you aren't fast enough to accept the push, it will prompt you for a code, and just accepting the push isn't good enough.

3. You have to authenticate with 2FA every time you start Royal TS, unlike in the browser which doesn't require MFA except once a month or so for a trusted device.

4. There's no way to update the credentials from LastPass without logging in again.

Hi!


Thanks for the feedback.


We would love to further improve our LastPass integration but at the moment, improvements like you mentioned aren't possible. The reason for this is that LastPass doesn't offer an official API. Should LastPass offer this API (with all the features you mentioned), we will be happy to implement all that.


Sorry for the bad news.


Regards,
Stefan

While LastPass does not have a documented API, they do have an open source CLI tool that interacts with their service. I think you may find it useful for working out how to implement, for example, the "trust" feature, which trusts a machine so that it does not require 2FA.


This piece of the code is probably a good starting point, noting that the "trust" parameter to lastpass_login() is set to true if the user has specified to log in with the --trust parameter, which is the one that allows you to trust this device for further 2FA.


https://github.com/lastpass/lastpass-cli/blob/8767b5e53192ad4e72d1352db4aa9218e928cbe1/endpoints-login.c#L315-L363

One thing I wanted to mention re 4)

If you are opening a LastPass vault and choose an existing credential from the list (not specifying username and password), you will not be prompted for credentials when you reload the LastPass vault.


So, creating a credential upfront with the LastPass username/password would make it much easier.


Regards,

Stefan

Thanks for the link and the information, Per! We already looked at the CLI tool for inspiration but right now, it's not easy to implement that because of some architectural constraints.


But, if you feel adventurous, you could roll your own script and pull in LastPass information in a dynamic folder. We already have a couple of sample scripts for CyberArk, Bitwarden, PasswordState, etc. There you have full control over the implementation.


Check it out here: https://www.royalapps.com/go/dynamicfolder-samples


Regards,
Stefan
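
A sketch of the dynamic folder approach suggested above, added here as an example and not taken from the thread or from Royal Apps' samples. It assumes the lastpass-cli `lpass show --json` field names (`id`, `name`, `username`, `password`) and the `Objects` / `Type: Credential` layout used by Royal TS dynamic folder scripts; check both against the linked samples before relying on it. `SAMPLE` is constructed data.

```python
import json
import subprocess
import sys

def lpass_entries(pattern=".*"):
    """Read vault entries through an existing lastpass-cli agent session."""
    # Fail closed when there is no session instead of prompting from a script.
    # A session created with `lpass login --trust <user>` marks the device as trusted.
    if subprocess.run(["lpass", "status", "--quiet"]).returncode != 0:
        raise RuntimeError("not logged in: run `lpass login --trust <user>` first")
    # Argument list, no shell: the pattern is never interpreted by a shell.
    out = subprocess.run(
        ["lpass", "show", "--json", "--expand-multi", "--basic-regexp", pattern],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)

def to_dynamic_folder(entries):
    """Map LastPass entries to dynamic folder credential objects (assumed schema)."""
    objects = []
    for e in entries:
        # Secure notes and folder placeholders carry no login; skip them.
        if not e.get("username") and not e.get("password"):
            continue
        objects.append({
            "Type": "Credential",
            "ID": "lastpass-" + str(e["id"]),  # stable ID so reloads update in place
            "Name": e.get("name") or "(unnamed)",
            "Username": e.get("username", ""),
            "Password": e.get("password", ""),
        })
    return {"Objects": objects}

# Constructed sample in the assumed `lpass show --json` shape.
SAMPLE = [
    {"id": "1001", "name": "jump-host", "group": "Servers",
     "username": "svc-admin", "password": "constructed-secret"},
    {"id": "1002", "name": "wifi notes", "group": "",
     "username": "", "password": "", "note": "constructed note"},
]

if __name__ == "__main__":
    # `--sample` runs offline; otherwise secrets go to stdout only, never to logs.
    entries = SAMPLE if "--sample" in sys.argv else lpass_entries()
    json.dump(to_dynamic_folder(entries), sys.stdout)
```

Reloading the dynamic folder re-runs the script, so credentials refresh from the existing `lpass` session without a new login for as long as that session is valid.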
