If my information is encrypted with my Master Password, how can it be that my One Time Passwords are allowed to decrypt it?
How the OTP process works:
- Creates a completely random 256-bit number.
- Derives the random key (random_key) by hashing the username and the random password.
- Derives a random hash from your username and random password and sends it to the server. This is how we can tell that you entered the right 32 digits of hex, so that you can download your encrypted data later.
- Encrypts your actual key with the new random_key and sends the result to the server, so that we can retrieve it when the random password is entered later.
Basically, we repeat our entire process using a randomly created 256-bit key.
The security of this is very high, especially if you turn over your OTPs: it is a full 256-bit key to encrypted data that gets wiped once you use it.
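The four steps above as a runnable sketch, added here as an example and not LastPass's own code. The page does not name the hash or cipher, so PBKDF2-HMAC-SHA256, the iteration count and the HMAC-based XOR wrap with an integrity tag are assumptions standing in for them, and `OtpServer`, `create_otp` and `login_with_otp` are hypothetical names. It also assumes the 256-bit random number is itself the one-time password.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed work factor; the page gives none

def derive(username, otp):
    """Steps 2-3: random_key stays on the client, random_hash goes to the server."""
    random_key = hashlib.pbkdf2_hmac("sha256", otp.encode(), username.encode(), ITERATIONS)
    random_hash = hashlib.pbkdf2_hmac("sha256", random_key, otp.encode(), 1)
    return random_key, random_hash

def _pad(random_key):
    return hmac.new(random_key, b"wrap-pad", hashlib.sha256).digest()

def wrap(random_key, actual_key):
    """Step 4 (stand-in cipher): XOR with a keyed pad, then append an HMAC tag."""
    assert len(actual_key) == 32
    ct = bytes(a ^ b for a, b in zip(actual_key, _pad(random_key)))
    return ct + hmac.new(random_key, b"wrap-tag" + ct, hashlib.sha256).digest()

def unwrap(random_key, blob):
    ct, tag = blob[:32], blob[32:]
    good = hmac.new(random_key, b"wrap-tag" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("blob does not match this one-time password")
    return bytes(a ^ b for a, b in zip(ct, _pad(random_key)))

class OtpServer:
    """Holds only random_hash -> wrapped key; never sees otp or random_key."""
    def __init__(self):
        self.store = {}
    def register(self, random_hash, wrapped):
        self.store[random_hash] = wrapped
    def redeem(self, random_hash):
        return self.store.pop(random_hash, None)  # wiped on first use

def create_otp(server, username, actual_key):
    otp = secrets.token_hex(32)  # step 1: 256 random bits, shown as hex
    random_key, random_hash = derive(username, otp)
    server.register(random_hash, wrap(random_key, actual_key))
    return otp  # given to the user; never stored server-side

def login_with_otp(server, username, otp):
    random_key, random_hash = derive(username, otp)
    blob = server.redeem(random_hash)
    return None if blob is None else unwrap(random_key, blob)

if __name__ == "__main__":
    srv, key = OtpServer(), secrets.token_bytes(32)  # constructed sample key
    otp = create_otp(srv, "user@example.com", key)
    print(login_with_otp(srv, "user@example.com", otp) == key)  # first use
    print(login_with_otp(srv, "user@example.com", otp))         # replay
```

A real deployment would replace `wrap`/`unwrap` with an authenticated cipher such as AES-GCM; the data flow between client and server stays the same.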
For more information about our encryption process, please see this link: https://lastpass.com/whylastpass_technology.php