Using Multifactor Authentication


What Is Multifactor Authentication?

Multifactor authentication, or two-factor authentication, is the requirement of a second piece of information before allowing access to an account. By adding another authentication step at login, you require the user to present two forms of data – typically something the user knows, like a username and password, and then something the user has physical access to, like an app on a mobile phone that generates one-time codes or a device that plugs into the computer to scan a fingerprint. After enabling multifactor authentication, the user is required to enter both pieces of data (username/password + generated piece of data) each time they log in to the account or service.

Why Using Multifactor Authentication Matters

Good security is about being proactive and mitigating risk. Multifactor authentication, or two-factor authentication, increases security by adding another barrier to entry. Doing so decreases the likelihood that a “pretender” can break in. It makes it harder for someone who has stolen a password to gain entry to the account.

Many sites and services already support multifactor authentication, including:

Multifactor Authentication & LastPass

If you enable multifactor authentication with LastPass, you have significantly increased the security of your LastPass account itself, which is the hub of your online life. If someone compromises your master password, they can’t gain access to your account without the second form of authentication. Since LastPass gives you the tools to generate secure, non-guessable passwords for all your accounts, if you then launch all of your sites from LastPass, you are eliminating risks of phishing attacks and other threats because you are going directly to your sites and logging in with LastPass. By enabling a multifactor authentication device, you are in effect enabling it for each of the sites in your vault as well.

For LastPass Enterprise, if your Identity Provider utilizes multifactor authentication, as LastPass does, you also get the full benefit of using multifactor authentication without using passwords at all sites that you’ve implemented it on.

How Multifactor Authentication Works With LastPass

Once you enable multifactor authentication with LastPass, you’ll be required to first enter your email address and master password, then the multifactor authentication data.

LastPass offers support for several multifactor authentication methods:

  • Google Authenticator (Free): Utilizes a free Google app, available for Android, iOS, and BlackBerry, which will generate a code every 60 seconds that you will enter when prompted. Also compatible with Microsoft Authenticator, available for Windows Phone 7 and 8.
  • Grid (Free): A unique, generated spreadsheet of random values that resemble a Battleship grid, each section containing a different letter or number. Once enabled, you’ll be prompted to find and enter four values from the spreadsheet.
  • Transakt (Free): A mobile app that allows you to authenticate by responding to an Accept or Reject prompt via your mobile device.
  • Duo Security (Free): A mobile app for Android, iPhone, BlackBerry, and Windows Phone, where “push notifications” are sent after you attempt to login, allowing you to accept or decline via your smartphone.
  • Mobile Fingerprint Reader (Premium): Support on the LastPass Premium iOS and Android apps, allowing users to authenticate as a second-factor with their fingerprints.
  • Sesame (Premium): Generates unique One Time Passwords (OTPs) each time you login. The feature can be run from a USB thumb drive, and you have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.
  • YubiKey (Premium): A key-sized device that plugs into your computer’s USB slot and generates a unique One Time Password each time it’s pressed. YubiKeys are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors. The key can be purchased from Yubico and bundled at a discounted rate with LastPass Premium. No batteries, waterproof, and crush safe.
  • Fingerprint Reader (Premium): LastPass has support for a small selection of fingerprint readers, including Windows Biometric Framework, UPEK, and Validity.
  • SmartCard Reader (Premium): LastPass has experimental support for SmartCard readers. See our help article for more details and limitations.
  • RSA SecurID (Enterprise): The LastPass Enterprise user will be prompted first for their LastPass Master Password, and then for their RSA SecurID passcode.
  • Salesforce Hash (Enterprise)

With all multifactor security options, you have the ability to mark the computer as “trusted”, leaving multifactor enabled for your LastPass account but not requiring that it be entered when logging in on that particular “safe” location.

Get Proactive with Multifactor Authentication

Passwords will be around for quite a while longer. Even if you’re using a password generator to create strong, unique passwords, it does not protect against all threats. Because websites have implemented different security standards and requirements, we strongly recommend enabling a form of multifactor authentication with LastPass and with any sites you’re using that currently support it. Doing so will help you better protect and mitigate risks for your LastPass account, and your online life as a whole.

Pick one of the tools available from the list above, and follow our steps to get started today.