
Samsung Galaxy S5 owners can unlock LastPass with a keypress - but is that wise?


April 30, 2014


Popular password manager service LastPass has announced a new feature for Samsung Galaxy S5 users: fingerprint scanning.

Yes, a simple fingerprint can now unlock your LastPass vault if you have the right Android phone.

Here’s how LastPass announced the new support for biometric security:

The updated version of LastPass’ Android app leverages the Galaxy S5’s fingerprint sensor for a faster, more secure way to login to accounts.

After initially logging into LastPass, users will be able to access stored password information with a swipe of their finger. Instead of typing in their master password each time, any time a user is prompted for their password or PIN, they will have the option to quickly unlock secure information using only their fingerprint.

But is that better than protecting your password vault with a complex, hard-to-crack password?

I’d be a little concerned, because researchers have already demonstrated that it is remarkably easy to trick the Samsung Galaxy S5’s fingerprint sensor (as they had previously proven with the iPhone 5S).

The German researchers who examined the Galaxy S5’s fingerprint sensor claimed that it suffered from multiple weaknesses.

The good news is that LastPass is, at least, not turning on this feature by default and explains in its post that you do have to log into your LastPass vault at least initially in the regular fashion.

It’s only when you are subsequently prompted for confirmation of your password or a PIN that you will have the option of offering a fingerprint scan instead. The requirement for the initial master password to be entered in the conventional way should at least reduce the risk here.

And managing risk is key to the whole decision of whether you use a password manager or not.

In an ideal world, password managers wouldn’t be necessary – because you would be able to remember all of your different passwords.

But it’s not an ideal world.

I strongly believe that the vast majority of internet users would benefit from using a password manager. Password managers are the cool software programs that remember all of your different passwords for you, and store them securely to keep them out of the hands of bad guys.

Password managers are the reason why I don’t know my webmail password, or my password for Amazon, eBay, Twitter and some 800+ other websites.

All password manager users have to do is remember one “master password” to unlock the vault where their passwords are securely stashed away.

And, rather neatly, a good password manager can hook up with your web browser, making your password for a particular site just one click away. It’s not just good security to use a password manager. It’s also convenient.

Of course, if a password management program were a nuisance to use, it wouldn’t ever get used. Convenience is a good thing.

But the introduction of fingerprint scanning as a way of unlocking a password vault feels to me like it is possibly a convenience too far. I, for one, wouldn’t want my most sensitive accounts to be protected by a fingerprint instead of a master password.

Fingerprints are very different from passwords. Because, unlike passwords, you leave your fingerprints everywhere you go.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
