While this is ultimately something I’d love to see also available for the SaaS cloud option (perhaps this request should be “Key Connector for Public Cloud” or something similar), there are a few questions that arise from how the implementation for LastPass is handled.
For me, when I am checking the resources provided by LastPass, it gives rise to some concern, especially in light of the recent security breaches and how some data is being handled in an unencrypted fashion. I am always wary when there are questions about how software is being implemented.
These are just some of the pros, IMO, of using an open-source, code-audited password manager such as Bitwarden, which has, from my experience, always had wonderful documentation and transparency when it comes to how they operate.
According to https://support.lastpass.com/help/what-are-the-limitations-for-federated-ad-fs-lastpass-enterprise-users-lp010135, which stipulates:
No Offline access – The client side (web browser extension) must remain online in order to obtain the user’s encryption key and unlock the user’s LastPass vault. For this reason, offline login is not available.
- And according to the following:
https://support.lastpass.com/help/how-do-i-activate-federated-login-via-azure-ad-or-okta-as-a-brand-new-user
Your Welcome email will include your LastPass username (email address) and a temporary Activation code that you will use to log in with (only once) so that your vault can be de-crypted and re-encrypted to utilize your Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin account going forward.
- & https://support.lastpass.com/help/how-do-i-activate-federated-login-as-an-existing-user-that-is-newly-converted
Your Welcome email will include your LastPass username (email address) and instruct you to log in to LastPass with your current master password so that your vault can be de-crypted and re-encrypted to utilize your Identity Provider (IdP) account going forward.
- & https://support.lastpass.com/help/how-do-i-convert-an-existing-lastpass-enterprise-user-to-a-federated-azure-ad-user
Step #3: Selected users must log in to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin
About this task: Users selected for conversion in Step #2 above must log in to LastPass to re-encrypt their vault with their Azure AD, Okta, Google Workspace, PingOne, or OneLogin account, as follows:
- How does LastPass allow for federated user authentication from a 3rd party IdP and decrypt the LastPass user vault while still maintaining a zero-knowledge architecture?
- Where is the vault encryption key stored?
The provided documentation appears to indicate that the encryption key is stored online either with the IdP (yikes), or with LastPass themselves (which in theory separates the authentication from the encryption) but still gives the keys over to LastPass.
My main question when evaluating any password manager is always: who holds the keys, and how are they being stored? If I don’t hold the keys, IMO I don’t have proper ownership of my private data.
Bitwarden’s documentation on Key Connector gives quite the in-depth dive into the technical processes to separate identity authentication and verification from encryption/decryption keys, while maintaining a zero-knowledge architecture where nobody but you maintains control of your private data and even Bitwarden themselves can never gain access to your data.
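As an added illustration of the separation the post is asking about (identity verified by the IdP, vault key released by a customer-hosted key service, the cloud holding only ciphertext), here is a toy Python model. It is not Bitwarden's or LastPass's code and makes no claim about how Key Connector is actually implemented. The IdentityProvider, KeyServer, user account and vault item are constructed for the example; a shared HMAC secret stands in for the IdP's signing certificate, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for AES-GCM so that it runs on the standard library alone.

```python
"""Toy model of the separation the post asks about: the IdP authenticates, a
customer-hosted key server (the role Key Connector plays) releases the vault
key, and the cloud service holds ciphertext only. Added example, not Bitwarden's
or LastPass's code; assumptions are marked in comments."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """Checks credentials, issues a short-lived signed assertion, holds no vault key."""

    def __init__(self) -> None:
        self.signing_key = secrets.token_bytes(32)  # assumption: stands in for the IdP signing cert
        self._users: Dict[str, bytes] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = salt + _pw_hash(password, salt)

    def login(self, username: str, password: str) -> Optional[str]:
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[:16]), rec[16:]):
            return None
        body = json.dumps({"sub": username, "exp": int(time.time()) + 300}).encode()
        return _b64(body) + "." + _b64(hmac.new(self.signing_key, body, hashlib.sha256).digest())

class KeyServer:
    """Customer-hosted: releases a user's vault key only against a valid IdP assertion."""

    def __init__(self, idp_signing_key: bytes) -> None:
        self._idp_key = idp_signing_key
        self._keys: Dict[str, bytes] = {}

    def enroll(self, username: str) -> None:
        self._keys[username] = secrets.token_bytes(32)

    def release_key(self, assertion: Optional[str]) -> Optional[bytes]:
        try:
            body_b64, mac_b64 = (assertion or "").split(".")
            body, mac = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(mac_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(hmac.new(self._idp_key, body, hashlib.sha256).digest(), mac):
            return None  # bad signature
        claims = json.loads(body)
        return self._keys.get(claims.get("sub")) if claims.get("exp", 0) > time.time() else None

# Toy client-side cipher: HMAC-SHA256 keystream plus encrypt-then-MAC tag, so the
# example runs on the standard library alone. A real client would use AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(vault_key: bytes):
    return [hmac.new(vault_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def encrypt(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # tampered, or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    idp = IdentityProvider()
    keyserver = KeyServer(idp.signing_key)
    cloud: Dict[str, bytes] = {}  # the SaaS side: ciphertext per user, nothing else
    user, password = "alice@example.com", "correct horse battery staple"  # constructed
    idp.register(user, password)
    keyserver.enroll(user)
    item = b"github.com: alice / hunter2"  # constructed vault entry
    # Session 1: authenticate at the IdP, fetch the key, encrypt locally, upload ciphertext.
    cloud[user] = encrypt(keyserver.release_key(idp.login(user, password)), item)
    # Session 2: a fresh login yields the same key; decrypt what the cloud holds.
    recovered = decrypt(keyserver.release_key(idp.login(user, password)), cloud[user])
    # Negative paths: a wrong password and a forged assertion both get no key.
    forged = _b64(json.dumps({"sub": user, "exp": 2**40}).encode()) + "." + _b64(bytes(32))
    return {
        "recovered": recovered,
        "cloud_sees_plaintext": item in cloud[user],
        "wrong_password_gets_key": keyserver.release_key(idp.login(user, "wrong")) is not None,
        "forged_assertion_gets_key": keyserver.release_key(forged) is not None,
    }
```

Calling demo() shows the property being asked for: the client recovers the item from the ciphertext the cloud stored, the cloud never receives a key, a wrong password produces no assertion and therefore no key, and a forged assertion is refused by the key server. Assertions carry an expiry so they are short-lived; clock-skew tolerance, key rotation and re-encryption on conversion (the step the LastPass documents describe) are left out of the model.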