Samsung Galaxy S5 owners can unlock LastPass with a keypress – but is that wise?

Popular password manager service LastPass has announced that it has introduced a new feature for Samsung Galaxy S5 users: Fingerprint scanning.

Yes, a simple fingerprint can now unlock your LastPass vault if you have the right Android phone.

Here’s how LastPass announced the new support for biometric security:

The updated version of LastPass’ Android app leverages the Galaxy S5’s fingerprint sensor for a faster, more secure way to log in to accounts.

After initially logging into LastPass, users will be able to access stored password information with a swipe of their finger. Instead of typing in their master password each time, any time a user is prompted for their password or PIN, they will have the option to quickly unlock secure information using only their fingerprint.

But is that better than protecting your password vault with a complex, hard-to-crack password?

I’d be a little concerned, because researchers have already demonstrated that it is remarkably easy to trick the Samsung Galaxy S5’s fingerprint sensor (as they had previously proven with the iPhone 5S).

The German researchers who exposed the Galaxy S5’s fingerprint sensor reported that it suffered from more than one weakness.

The good news is that LastPass is, at least, not turning on this feature by default and explains in its post that you do have to log into your LastPass vault at least initially in the regular fashion.

It’s only when you are subsequently prompted for confirmation of your password or a PIN that you will have the option of offering a fingerprint scan instead. The requirement for the initial master password to be entered in the conventional way should at least reduce the risk here.

And managing risk is key to the whole decision of whether you use a password manager or not.

In an ideal world, password managers wouldn’t be necessary – because you would be able to remember all of your different passwords.

But it’s not an ideal world.

I strongly believe that the vast majority of internet users would benefit from using a password manager. Password managers are the cool software programs that remember all of your different passwords for you, and store them securely to keep them out of the hands of bad guys.

Password managers are the reason why I don’t know my webmail password, or my password for Amazon, eBay, Twitter and some 800+ other websites.

All password manager users have to do is remember one “master password” to unlock the vault where their passwords are securely stashed away.
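To make the "one master password unlocks the vault" model concrete, here is an added example (my own illustration, not LastPass code and not a description of how LastPass actually works). It assumes a vault that derives its key from the master password with PBKDF2-HMAC-SHA256, stores only a salt and a hash of that key for verification, and allows a "quick" re-confirmation only while a session key obtained from a conventional master-password entry is still held in memory, which mirrors the article's point that the fingerprint can only stand in for a later re-prompt, not for the initial login:

```python
import hashlib
import hmac
import os

# Hypothetical parameters: a real product would pick these for its own threat model.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a vault key; slow on purpose so guessing is costly."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


class Vault:
    """Toy vault: persists salt + key verifier only; the key itself is never stored."""

    def __init__(self, master_password: str) -> None:
        self.salt = os.urandom(16)
        key = derive_vault_key(master_password, self.salt)
        # Verifier lets us check an unlock attempt without keeping the key on disk.
        self.verifier = hashlib.sha256(key).digest()
        self._session_key = None  # populated only after a conventional unlock

    def unlock(self, master_password: str) -> bool:
        """The 'regular fashion' login: re-derive the key and compare in constant time."""
        key = derive_vault_key(master_password, self.salt)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier):
            self._session_key = key
            return True
        return False

    def quick_unlock(self, second_factor_ok: bool) -> bool:
        """A later re-prompt (where a fingerprint could be offered instead of the password).

        It can only succeed while a session key from a real master-password entry exists;
        without that initial unlock there is nothing to release, whatever the sensor says.
        """
        return second_factor_ok and self._session_key is not None

    def lock(self) -> None:
        """Forget the session key; the next access needs the master password again."""
        self._session_key = None

    def is_unlocked(self) -> bool:
        return self._session_key is not None


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")  # constructed sample password
    print("quick unlock before login:", vault.quick_unlock(True))   # False
    print("wrong master password:", vault.unlock("hunter2"))          # False
    print("right master password:", vault.unlock("correct horse battery staple"))  # True
    print("quick unlock in session:", vault.quick_unlock(True))      # True
    vault.lock()
    print("quick unlock after lock:", vault.quick_unlock(True))      # False
```

The design point is that the fingerprint never derives or recovers the vault key; it only gates release of a key that a correctly entered master password already produced. Shortening how long that session key lives (the `lock()` call) is the lever a cautious user has if they dislike the biometric re-prompt.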

And, rather neatly, a good password manager can hook up with your web browser, making your password for a particular site just one click away. Using a password manager isn’t just good security. It’s also convenient.

Of course, if a password management program was a nuisance to use it wouldn’t ever get used. Convenience is a good thing.

But the introduction of fingerprint scanning as a way of unlocking a password vault feels to me like it is possibly a convenience too far. I, for one, wouldn’t want my most sensitive accounts to be protected by a fingerprint instead of a master password.

Fingerprints are very different from passwords. Because, unlike passwords, you leave your fingerprints everywhere you go.

About the author

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.