Huge fan of LastPass PROFILES - perfect for families that want limited passwords on their tablets in the children’s playroom and don’t want to worry about that device having full access to all of your passwords, and also don’t want to have to set up a separate Bitwarden account for each device and then manage sharing - that’s not what we’re asking for here.
However, LastPass has downgraded the security around profiles to useless - they continually fail to understand the fundamental security distinction between using something and administrating that something.
I don’t want a separate account for my kids’ phones because, when they create a new account and use Bitwarden as they would be trained to do so that they will be secure password-manager users when they grow up, the new website and password are assigned to their separate account and are not automatically synchronized to my account, nor is my account granted any control over them.
With separate accounts, they are … separate - what’s mine is mine and what’s yours is yours. As a parent, I don’t want my kid setting up “finsta” or “fakebook” accounts under their separate Bitwarden account where I have 1) no access to them and no way to know about them, 2) no way to know who they share them with - did they just share their bank account password? did they skip Bitwarden and use really poor account/password security? - and 3) no way to ensure that they are backed up when I back up my account.
And worst of all, they could disconnect the account from the shared folder by copying it into their own account folder and then changing the password, so that the password my shared folder knows about is no longer the current one.
With profiles, one has a separate PROFILE for each device. Each device is given direct access only to the specific entries visible to that profile - it’s like a filter applied to your vault - for that device/profile.
Now here is where LastPass gets it wrong - if you know your LastPass password (or PIN - or worse - fingerprint), you can change your device profile to anything else you’d like, including “upgrading” your access from a limited “Netflix-only Toddler Tablet” to complete full account access (the “full” profile). Think about that when the device is set to allow USE of Bitwarden with a simple PIN or a fingerprint, and that same authentication method is then allowed to “upgrade” the device profile to full access: all of your passwords belong to us.
Knowing a PIN or having a fingerprint that unlocks a device to USE the device is not at all the same as being the account owner and demonstrating you own the account.
They used to require entry of the master password to change the profile, so that, effectively, you could set the tablet/phone device to the restricted profile and allow USE with a PIN, but for the device to change any security feature (like changing the profile!) the master password had to be entered.
I said “used to”. The way it works now is that if you can use LastPass to get to your passwords, you can change any security feature of the account. Anyone with access to your phone or tablet who can access LastPass has complete control of and access to your account - up to and including changing the master password itself!
Threat model: you let me use your phone to make a phone call, so you unlock it and hand it to me. I add my fingerprint to the phone’s set of authenticated user fingerprints. If you have “Fingerprint unlock” enabled – for any application, including LastPass and banking apps – I have full access to them as well, and can grant additional devices and accounts full access to your Bitwarden vault.
So please get this one right, Bitwarden.
DEVICE PROFILES are what we want. It should always require the highest form of re-authentication available to authorize changing the browser/device profile - not the lowest form of authentication available to the device we are changing the profile for. Changing profiles is an elevated security privilege, and as such requires a higher level of step-up authentication or full re-authentication. That way the security of the limited access defined for the profile can be enforced and not bypassed.
I think they do this by adding a separate encryption key for the profile, and for each entry visible to the profile, that entry’s at-rest encryption key is encrypted with the profile key in addition to the master account key. The administrative account settings are encrypted only with the master account key, and so are inaccessible to any of the profiles, except for the master profile. Each entry is encrypted with its own key, and the master password is used to derive essentially an LMK that does not encrypt data directly, only other keys that do.
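The two points above (profile changes must need the master password, not the device PIN; and the per-entry / profile / master key hierarchy that makes that enforceable rather than merely policy) can be shown together in a small toy vault. This is an added example, not code from Bitwarden, LastPass, or the post's author; the names (Vault, Device, seal, open_, kdf) and the layout are this example's own assumptions, and the cipher is an HMAC-SHA256 counter-mode construction with an HMAC tag, a standard-library stand-in for a real AEAD such as AES-GCM so that the example runs offline. The property demonstrated: a PIN unlocks only the profile key, the profile key unwraps only the entry keys granted to that profile, and every other profile's key and the membership list live solely under the master key, so "switch me to the full profile" cannot succeed with a PIN no matter what the client UI offers.

```python
"""Added example, not Bitwarden/LastPass code: a toy vault where a PIN can USE
a profile but only the master password can change or widen one. HMAC-CTR +
HMAC tag stands in for a real AEAD so this runs with the standard library."""
import hashlib
import hmac
import json
import os


def kdf(secret: str, salt: bytes) -> bytes:
    """Password or PIN -> 32-byte key (iteration count kept low for a quick demo)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000, 32)


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, "sha256").digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; PermissionError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        raise PermissionError("wrong key or tampered blob")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


class Vault:
    """Sync side: only ciphertext and wrapped keys. Each entry has its own key;
    the master key (derived from the master password) wraps keys, never data;
    a profile key re-wraps only the entry keys granted to it; the membership
    list ("admin settings") is sealed under the master key alone."""

    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        self.entry_ct = {}       # entry -> sealed secret
        self.entry_key_m = {}    # entry -> entry key wrapped under master key
        self.profile_key_m = {}  # profile -> profile key wrapped under master key
        self.grants = {}         # profile -> {entry: entry key wrapped under profile key}
        self.admin_ct = seal(kdf(master_password, self.salt), json.dumps({"profiles": {}}).encode())

    def master_key(self, master_password: str) -> bytes:
        mk = kdf(master_password, self.salt)
        open_(mk, self.admin_ct)  # wrong password (or a PIN) -> PermissionError
        return mk

    def add_entry(self, master_password: str, name: str, secret: str) -> None:
        mk = self.master_key(master_password)
        ek = os.urandom(32)
        self.entry_ct[name] = seal(ek, secret.encode())
        self.entry_key_m[name] = seal(mk, ek)

    def create_profile(self, master_password: str, profile: str, visible: list) -> None:
        """Admin act: mint a profile key and re-wrap exactly the visible entries' keys under it."""
        mk = self.master_key(master_password)
        pk = os.urandom(32)
        self.profile_key_m[profile] = seal(mk, pk)
        self.grants[profile] = {e: seal(pk, open_(mk, self.entry_key_m[e])) for e in visible}
        admin = json.loads(open_(mk, self.admin_ct))
        admin["profiles"][profile] = sorted(visible)
        self.admin_ct = seal(mk, json.dumps(admin).encode())


class Device:
    """A phone/tablet: holds one profile key wrapped under a PIN-derived key, never the master key."""

    def __init__(self, vault: Vault, profile: str, master_password: str, pin: str):
        self.vault = vault
        self._bind(master_password, pin, profile)

    def _bind(self, master_password: str, pin: str, profile: str) -> None:
        mk = self.vault.master_key(master_password)  # binding a profile is an admin act
        pk = open_(mk, self.vault.profile_key_m[profile])
        self.profile, self.pin_salt = profile, os.urandom(16)
        self.profile_key_pin = seal(kdf(pin, self.pin_salt), pk)

    def read(self, pin: str, entry: str) -> str:
        """The PIN unlocks the profile key, which opens only entries granted to this profile."""
        pk = open_(kdf(pin, self.pin_salt), self.profile_key_pin)
        wrapped = self.vault.grants[self.profile].get(entry)
        if wrapped is None:
            raise PermissionError(f"{entry!r} is not visible to profile {self.profile!r}")
        return open_(open_(pk, wrapped), self.vault.entry_ct[entry]).decode()

    def switch_profile(self, credential: str, pin: str, new_profile: str) -> None:
        """Step-up: `credential` must be the master password; a PIN fails because
        the target profile's key exists only wrapped under the master key."""
        self._bind(credential, pin, new_profile)


if __name__ == "__main__":
    MP = "correct horse battery staple"  # constructed sample credentials
    v = Vault(MP)
    v.add_entry(MP, "netflix", "nflx-pass"); v.add_entry(MP, "bank", "bank-pass")
    v.create_profile(MP, "toddler", ["netflix"]); v.create_profile(MP, "full", ["netflix", "bank"])
    tablet = Device(v, "toddler", MP, "1234")
    print(tablet.read("1234", "netflix"))  # allowed: granted to the toddler profile
    try:
        tablet.switch_profile("1234", "1234", "full")  # PIN offered as the credential
    except PermissionError as e:
        print("blocked:", e)
```

The design choice worth noting: the device never stores anything derived from the master password, only the profile key under the PIN. So even a client bug (or a deliberate product decision, as the post describes) that offers a "change profile" button to a PIN-unlocked session cannot be exploited, because the ciphertext the client would need to open simply is not decryptable with what the device holds; the restriction is enforced by the key wrapping, not by a UI check.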