
TOTP field #3

Open
jamesmacwhite opened this issue Dec 31, 2022 · 3 comments

Comments

@jamesmacwhite

jamesmacwhite commented Dec 31, 2022

For LastPass Business/Enterprise customers, vaults have a TOTP field on sites. If you use the LastPass Export option this field is present on any vault by the looks of it; it will however always be blank for non-business type accounts, as it's a Business/Enterprise-only feature. The field can also be selectively turned off by Enterprise Admins I believe, but it will remain in the schema.

https://blog.lastpass.com/2020/12/lastpass-now-offers-time-based-one-time-passcode-totp/

I'm assuming when you originally documented the fields in the vault this wasn't present because it didn't exist at the time. Going by the date on the LastPass announcement, that was likely late 2020.

My understanding is that this field should also be encrypted per the information in the LastPass announcement, but would be nice to verify.

You do not appear to be able to view the secret key inputted into the field once committed within the LastPass UI, but it must be stored in the vault itself to generate TOTP codes, so technically could be exported with this tool, if the master password is provided.

Just something if you wanted to update the Wiki information or explore further.

jamesmacwhite changed the title from "TOTP field name" to "TOTP field" on Dec 31, 2022
@silverl

silverl commented Jan 13, 2023

Hey @jamesmacwhite. I'm looking through my decoded, dumped vault using https://github.com/jbalcorn/LastPassDump

I'm looking specifically for the TOTP field, but having a hard time spotting it. Do you know the field name?

@jamesmacwhite

jamesmacwhite commented Jan 13, 2023

This parser doesn't output it currently, because it doesn't include it in the SQL query. The field name is "totp"; this can be seen on any export done through the LastPass export method.

The issue is the official export doesn't decrypt the TOTP field; the data provided is garbled. However, other tools, such as 1Password's LastPass migrator, do now obtain the totp secret, so it is possible, with the proper decryption.

https://github.com/1Password/solutions/blob/main/migration/lastpass-vault-item-import.py
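A small check for the point made in this thread (whether the totp column of an export holds an unusable encrypted value, as it should, or a secret in the clear), added here as an example; it is not code from this parser, from LastPass or from 1Password's migrator. The CSV header is the one LastPass exports are generally assumed to use, and the rows are constructed sample data.

```python
# Audit the "totp" column of a LastPass-style CSV export. Added example;
# the header is assumed, the rows are constructed and the "secrets" are made up.
import base64
import binascii
import csv
import io
from urllib.parse import parse_qs, urlparse

# Constructed sample export. The last row's totp cell is an arbitrary opaque
# value standing in for an encrypted blob, not a real LastPass encoding.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com,alice,hunter2,,,Example,,0
https://example.org,bob,s3cret,JBSWY3DPEHPK3PXP,,Leaky,,0
https://example.net,carol,pw,otpauth://totp/Ex:carol?secret=JBSWY3DPEHPK3PXP&issuer=Ex,,URI,,0
https://example.edu,dave,pw,!Zm9vYmFyYmF6cXV4MTIzNDU2|3rfHyk0Xc3QpW7DqPb+Jzg==,,Opaque,,0
"""


def looks_like_base32_secret(value: str) -> bool:
    """True if value decodes as base32 to a key of at least 80 bits (RFC 4226 minimum)."""
    v = value.strip().replace(" ", "").upper()
    if not v:
        return False
    padded = v + "=" * (-len(v) % 8)  # authenticator apps usually omit padding
    try:
        raw = base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 10


def classify_totp_value(value: str) -> str:
    """Return 'blank', 'plaintext-secret', 'plaintext-uri' or 'opaque'."""
    v = value.strip()
    if not v:
        return "blank"  # non-business vaults, or feature disabled by an admin
    if v.lower().startswith("otpauth://"):
        secret = parse_qs(urlparse(v).query).get("secret", [""])[0]
        return "plaintext-uri" if looks_like_base32_secret(secret) else "opaque"
    if looks_like_base32_secret(v):
        return "plaintext-secret"  # a usable secret left in the clear
    return "opaque"  # encrypted blob or otherwise unusable as exported


def audit_export(csv_text: str) -> dict:
    """Map each entry name to the classification of its totp cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: classify_totp_value(row.get("totp") or "") for row in reader}


if __name__ == "__main__":
    for name, verdict in audit_export(SAMPLE_EXPORT).items():
        print(f"{name:8} {verdict}")
```

Any row reported as plaintext-secret or plaintext-uri means the export file itself now carries a working second factor and should be handled like a password dump.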

@jamesmacwhite

I had a look at the fetch method you linked, indeed it doesn't include the totp field in the XML, so you'll have to use something else if you want to retrieve the original secret key.

Unfortunately, once the secret key gets added into the TOTP field in LastPass Business/Enterprise, there is no known way within the UI to reveal it again, so you must rely on third-party tools to extract it from the vault contents.
