How to Turn On 2FA for LastPass

Please note: Specific instructions for enabling 2FA are subject to change without notice. Please check with each website or app for the most up-to-date information on this feature.

LastPass offers a variety of "Multifactor authentication" options to protect accounts. This tutorial will walk you through each option and how to enable it on your account.

First, go to the LastPass Vault > Account Settings > Multifactor Options. 

OPTION 1: If you would like to use Google Authenticator, first ensure you’re using the latest LastPass browser extensions and mobile clients everywhere. You will also need a supported mobile device to run the Google Authenticator application.

1. Install the Google Authenticator application on your mobile device. Google officially supports Android, iOS (iPhone, iPod Touch, or iPad), and BlackBerry devices. Once you have the Google Authenticator application running on your mobile device, go to https://lastpass.com/?ac=1&opengoogleauth=1 and follow the instructions there to finish setting up Google Authenticator.

2. You will be prompted to use a Bar Code scanning app (Androids, iPhones and supported devices with cameras) to scan your unique bar code, or you can manually enter the Google Authentication Key found on that setup page.

3. After your LastPass account is registered within the Google Authenticator app, the next time you log in to LastPass on an untrusted device, you will receive the Google Authentication dialog. Go to your Google Authenticator App and input the current authentication code you see in the app into this dialog. If the code expires before you have a chance to authenticate, simply use the next code that appears in the app.
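
The codes in step 3 are time-based one-time passwords (RFC 6238), derived from the Google Authentication Key and the current 30-second interval, which is why an expired code can simply be replaced by the next one. The sketch below is an added example, not LastPass or Google code; the key is the RFC 6238 test secret, and the one-step drift window in verify() is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default)
DIGITS = 6   # code length shown by the app

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in
# base32, grouped the way setup pages usually display a manual-entry key.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def totp(key_b32: str, unix_time: int) -> str:
    """Return the code an authenticator app displays at unix_time."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", unix_time // STEP)  # interval number, 8 bytes
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Check a submitted code against the current interval and its neighbours.

    drift_steps is an assumed tolerance for clock skew, not a documented
    LastPass setting; 0 accepts only the current interval.
    """
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * STEP
        if t < 0:
            continue
        # Constant-time comparison; every candidate is always evaluated.
        ok |= hmac.compare_digest(totp(key_b32, t).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    t = 1111111109                      # RFC 6238 test time
    old = totp(SAMPLE_KEY, t)
    print("code at t:", old)
    print("next code:", totp(SAMPLE_KEY, t + STEP))
    print("old code 2 s later, strict window:", verify(SAMPLE_KEY, old, t + 2, 0))
    print("old code 2 s later, 1-step drift :", verify(SAMPLE_KEY, old, t + 2))
```

The drift window trades usability for a longer period in which a code seen by someone else remains valid, so a verifier should keep it as small as clock skew allows.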

OPTION 2: YubiKey is a key-sized device that you can plug into your computer’s USB slot to provide another layer of security when accessing your LastPass Account. YubiKeys are secure, easy-to-use two-factor authentication devices that are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors. This is a premium feature, and the device must be purchased through Yubico.com for $25. Five YubiKeys can be associated with one LastPass account.

1. Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings and clicking on the ‘YubiKey’ tab.

2. To add a new YubiKey to your LastPass account, insert the device into your USB port, click in the first empty YubiKey field, and lightly press your YubiKey on the grooved circle. You will need to enter your LastPass Master Password to save any updates you have made to your YubiKey settings.

3. After the field is filled, you can specify your YubiKey preferences:

  • YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you log in to LastPass.

  • Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled.

  • Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure, since YubiKey OTPs cannot be validated and only the static portion of the key is checked.

4. To begin using your YubiKey, be sure that the “YubiKey Authentication” field is marked as “Enabled.”

5. To save changes to your YubiKey preferences, click “Update” before exiting the Account Settings dialog.
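
Why "Permit Offline Access" is described above as slightly less secure, as an added example (not LastPass or Yubico code): a Yubico OTP is 44 modhex characters whose first 12 are a static key ID, so a check limited to that prefix cannot tell a fresh OTP from one it has seen before. The OTP strings are constructed, and OnlineCheck is a hypothetical, simplified stand-in for real server-side validation.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet
OTP_LEN, ID_LEN = 44, 12      # Yubico OTP: 12-char static ID + 32-char one-time part

# Constructed samples, not output from a real key.
KEY_ID = "ccccccbchvth"
FIRST_OTP = KEY_ID + "dnivjkrb" * 4
SECOND_OTP = KEY_ID + "tfuclhge" * 4


def split_otp(otp: str):
    """Return (static_id, one_time_part); raise ValueError if malformed."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("expected 44 modhex characters")
    return otp[:ID_LEN], otp[ID_LEN:]


def offline_check(otp: str, registered_ids) -> bool:
    """Offline mode as the page describes it: only the static ID is compared."""
    try:
        static_id, _ = split_otp(otp)
    except ValueError:
        return False
    return static_id in registered_ids


class OnlineCheck:
    """Simplified stand-in for server-side validation: an OTP is accepted once.

    The real validation service also decrypts the one-time part and checks its
    counters, which needs the key's AES secret and is out of scope here.
    """

    def __init__(self, registered_ids):
        self.registered_ids = set(registered_ids)
        self.seen = set()

    def validate(self, otp: str) -> bool:
        otp = otp.strip().lower()
        if not offline_check(otp, self.registered_ids) or otp in self.seen:
            return False
        self.seen.add(otp)
        return True


if __name__ == "__main__":
    online = OnlineCheck({KEY_ID})
    print("online, first use :", online.validate(FIRST_OTP))
    print("online, same OTP  :", online.validate(FIRST_OTP))
    print("offline, same OTP :", offline_check(FIRST_OTP, {KEY_ID}))
```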

OPTION 3: LastPass supports multifactor authentication with Duo Security. To use Duo Security, a Duo account is required. Register for an account at https://www.duosecurity.com/lastpass.

1. Log in to your Duo account.

2. In the left menu, choose Applications > + New Applications.

3. For Application type, choose “LastPass.” Pick any name for your Application name.

4. Click “Create Application.”

5. On the next page, you’ll find the following information: Integration key, Secret key, and API hostname. Note these values for later.

6. Log in to your LastPass Vault and go to Settings > Multifactor Options > Duo Security.

7. Enter the Integration key, Secret key, and API hostname from before.

8. Switch Duo Security Authentication to “Enabled.”

9. A popup will appear to enroll your mobile device. Select the type of device that you would like to enroll and then click the “Continue” button. You will then be given on-screen instructions on how to enroll each specific device. Note that LastPass only supports one device at this time. Once you have enrolled the device(s) that you would like to use for Duo authentication, you can then use it to authenticate you in the login process.

OPTION 4: LastPass has support for various fingerprint readers, including Windows Biometric Framework, as a Premium feature.

1. Open a supported browser with the latest LastPass extension installed and log in to LastPass as a premium user.

2. Go to LastPass button > My LastPass Vault.

3. Click “Account Settings.”

4. Click “Multifactor Options.”

5. Toggle “Enable” from No to Yes.

6. Enter your LastPass master password, then follow the rest of the prompts on the screen.

7. Click “Update.”

OPTION 5: LastPass Premium members can use an ordinary USB thumb drive as a second form of authentication when logging into their LastPass account. Having a physical second form of authentication will help further ensure that your account will remain safe because both your Master Password and your USB thumb drive are required to log in.

1. If you are already a Premium member, you can visit the downloads page, click on your operating system and select the version of Sesame specific to your system. You can then move the file (or download directly) onto your USB device and run the application. You will see the empty Sesame dialog.

2. On your first run, you will be prompted to activate the software by adding your LastPass login to the user list. Then, you will be sent an e-mail asking you to confirm the registration of Sesame. By default, the email link will expire after 10 minutes to protect your security. If you click on the link and it says ‘Link Expired’, re-send yourself the activation link and try again.

Once activated, Sesame will create secure one-time passwords (OTPs) that are subsequently required to log in. You have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.

OPTION 6: Transakt is an app developed by Entersekt to bring banking-grade two-factor authentication to your mobile device. Transakt works with LastPass to enable you to authenticate your login by responding to a simple Accept or Reject prompt directly on your mobile phone or tablet. Transakt protects you against threats such as phishing, man-in-the-middle, man-in-the-browser, and replay attacks. It’s free to install and a snap to configure for use with LastPass.

1. On your mobile phone or tablet, go to gettransakt.com or go to your mobile device’s corresponding app store. Install the Transakt app.

2. On your computer, go to My LastPass Vault.

3. In the left menu, click “Account Settings.”

4. Click the “Multifactor Options” tab and select Transakt.

5. From the Transakt Authentication list, select “Enabled.” A popup screen displays a unique sign-up code.

6. On your mobile device, open the Transakt app. In the Introduction screen, click “Let’s begin.”

7. In the Transakt Signup screen, do either of the following:

  • Click “Scan code” and scan the code displayed on your computer screen.

  • Click “Enter code” and type in the eight-digit code.

8. On your computer, click “OK” when you receive the message that Transakt authentication has been successfully set up.

9. On the Multifactor Options page, click “Update.”

10. When prompted, enter your LastPass master password.

OPTION 7: LastPass has experimental support for smart card readers as a Premium feature. Currently, this feature requires a computer running Windows, Mac OS X, or Linux; SafeSign middleware; and Internet Explorer, Firefox, or Chrome. Safari and Opera can be supported by installing an additional binary component.

1. Open a supported browser with the latest LastPass extension installed.

2. Log in to LastPass as a Premium user.

3. Go to LastPass button > My LastPass Vault.

4. Click “Account Settings.”

5. Go to Multifactor Options.

6. Choose the Card Reader Authentication option.

7. Enable Card Reader.

8. Enter your LastPass master password, then follow the rest of the prompts on the screen.

9. Click “Update.”

OPTION 8: Microsoft has released an authenticator app for Windows phones, and third-party authenticator apps can be used for other platforms. Microsoft Authenticator can be enabled with your LastPass account, so that you enter your email address + master password, then a code generated by the multifactor app when logging in to your LastPass account.

1. Download the Microsoft Authenticator app to your Windows phone.

2. Then, in your LastPass Icon > My LastPass Vault > Settings > Multifactor Options tab, click the “Google Authenticator” option.

 

3. Click to display the barcode.

4. Then scan the barcode on your mobile device in your Microsoft Authenticator app.

5. Select Google Authenticator, and then click “View your barcode.” Your QR code for your LastPass account should now be displayed.

6. Select “Enabled” and then click “Update.”

OPTION 9: LastPass Enterprise supports RSA SecurID as a second factor of authentication for user access to their LastPass Enterprise account. A second factor of authentication can protect your LastPass vault against replay attacks, man-in-the-middle attacks, and a host of other threat vectors.

Once enabled, the user will be prompted first for his/her LastPass Master Username and Password, and then for his/her RSA SecurID passcode.

You must configure LastPass Enterprise for RSA SecurID Authentication.

1. While logged into your LastPass Enterprise Admin Console, click on the “Setup” tab, then click on “Other Enterprise Options.” You can also go directly to https://lastpass.com/enterprise_policy.php.

2. Click on “RSA SecurID” to see the RSA SecurID options.

3. Enter the IP addresses of the RADIUS servers used by your RSA SecurID implementation, and enter the RADIUS shared secret as well.

4. Click “Update” to save the values to your LastPass Enterprise account.

5. Your users will now be able to enable RSA SecurID as a multifactor authentication option within Account Settings. 

6. Once the connection has been configured, your users can now enable RSA SecurID on their accounts by clicking on the LastPass Plug-in -> Preferences -> Account Settings -> Multifactor Options, and then selecting ‘RSA SecurID’. From this screen your employees can enable SecurID on their LastPass account.

OPTION 10: Grid Multifactor Authentication is a feature available to both Premium and non-Premium users.

1. To activate Grid, go to the LastPass Vault > Account Settings > Multifactor Authentication > Grid. 

2. In the dialog box that pops up, enable Grid.

3. LastPass will pop up a message recommending that you print your Grid. By clicking ‘Print your Grid’, you can view and print the spreadsheet-like Grid of randomly generated characters.

4. Be sure to click “Update” before exiting your Account Settings dialog box.

For more information visit: https://helpdesk.lastpass.com/multifactor-authentication-options/

 

All trademarks are property of their respective owners. This site makes every reasonable effort to keep the information accurate and up-to-date. If you have feedback regarding the instructions above, please email turniton@telesign.com.
