LastPass One Time Recovery Passwords--How?

LastPass stores, on the server, a "vault" which is a collection of data, encrypted with a key derived from the "master password". Let's call that key K. Normally, K is rebuilt on the local computer by recomputing it from the master password. However, the same key K could also be stored on the server, this time encrypted with a recovery key Kr, allowing reconstruction of K by whoever knows Kr. The "one-time recovery password stored in the browser" would be that Kr (they call it "password" but the user does not type it, so it can be a fat sequence of random bytes, something usually known as a "key").

With such a system, the vault can be expanded with a "recovery blob" which is EKr(K). Generating a recovery blob requires knowledge of K, so it must have happened on the client system, since LastPass does not know K or the master password. This matches the idea that the one-time recovery password is browser-specific.

If one "recovery blob" can be stored, several recovery blobs can be stored as well. When the user wants to prepare his browser for a potential subsequent recovery, he makes his browser generate a new random Kr, store it in the browser entrails, and compute the recovery blob (the user types his master password, the browser recomputes K and does the encryption with Kr). The recovery blob is then sent to LastPass's servers for storage. At no point does LastPass learn K or the master password or any of the "one-time recovery passwords".
What I describe above is a plausible implementation. I cannot vouch for what LastPass actually does.

A point to make, however, is about "one-time". That one is pure marketing. There is nothing intrinsically "one-time" in what I described. What they mean is that the server will refuse to send back a given recovery blob to the user more than once. Presumably, when a user connects and requests download of a recovery blob, the LastPass server sends it back and then destroys it on its side. This is all relative to how well LastPass complies with this data destruction routine.

(There cannot be anything one-time in a system unless parts of the system enforce some state change which the attacker cannot revert. This is generic.)
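The scheme sketched in the answer above, written out as an added example (this is not LastPass's code, and nothing here is a claim about what LastPass actually implements). The client derives K from the master password, stores the vault as E_K(vault) on the server, and for recovery generates a random Kr, keeps it in the browser, and uploads E_Kr(K). The server hands a recovery blob out once and then deletes it, which is the only thing that makes the mechanism "one-time". The cipher is an HMAC-SHA256 counter-mode stream plus encrypt-then-MAC tag, used only so the example runs on the Python standard library; a real implementation would use an AEAD such as AES-GCM. Iteration count, salt, the sample vault contents and the master password are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demonstration (not LastPass's real ones).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """K: derived on the client from the master password; the server never sees either."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret via labelled HMAC.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """E_key(plaintext): nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Server side: holds only ciphertext, never K, Kr or the master password."""

    def __init__(self):
        self.encrypted_vault = None
        self.recovery_blobs = {}   # blob_id -> E_Kr(K)
        self._next_id = 0

    def store_vault(self, encrypted_vault: bytes) -> None:
        self.encrypted_vault = encrypted_vault

    def store_recovery_blob(self, blob: bytes) -> int:
        blob_id = self._next_id
        self._next_id += 1
        self.recovery_blobs[blob_id] = blob
        return blob_id

    def fetch_recovery_blob_once(self, blob_id: int):
        # "One-time": the blob is destroyed server-side the first time it is handed out.
        return self.recovery_blobs.pop(blob_id, None)


class Browser:
    """Client side: Kr lives in local browser storage; the master password is only typed."""

    def __init__(self):
        self.stored_kr = None

    def prepare_recovery(self, master_password: str, salt: bytes, server: Server) -> int:
        k = derive_master_key(master_password, salt)   # user types the master password
        kr = os.urandom(KEY_LEN)                        # the "one-time recovery password"
        self.stored_kr = kr
        return server.store_recovery_blob(seal(kr, k))  # upload E_Kr(K)

    def recover(self, blob_id: int, server: Server):
        blob = server.fetch_recovery_blob_once(blob_id)
        if blob is None:
            return None                                 # already used (or never existed)
        return open_sealed(self.stored_kr, blob)


def demo() -> dict:
    """Full round trip: set up vault, prepare recovery, forget password, recover, retry."""
    server, browser = Server(), Browser()
    salt = os.urandom(16)
    master_password = "correct horse battery staple"    # constructed sample
    vault_plain = b'{"site":"example.com","pw":"hunter2"}'  # constructed sample

    k = derive_master_key(master_password, salt)
    server.store_vault(seal(k, vault_plain))
    blob_id = browser.prepare_recovery(master_password, salt, server)
    # Before recovery, nothing on the server contains K in the clear.
    server_saw_key = k in server.encrypted_vault or any(k in b for b in server.recovery_blobs.values())

    recovered_k = browser.recover(blob_id, server)      # no master password needed
    vault = open_sealed(recovered_k, server.encrypted_vault)
    second_fetch = browser.recover(blob_id, server)     # None: the blob is gone

    return {"recovered_matches": recovered_k == k, "vault_plaintext": vault,
            "second_fetch": second_fetch, "server_saw_key": server_saw_key}


if __name__ == "__main__":
    print(demo())
```

Note that `fetch_recovery_blob_once` is the whole of the "one-time" property: if the server keeps a backup of `recovery_blobs`, or an attacker captures the blob in transit while also holding the browser's `stored_kr`, the "one-time" label buys nothing, which is the generic point made in the closing parenthesis above.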