Nov 4, 2011

Introducing Support for Google Authenticator



We're happy to announce the inclusion of Google Authenticator as a new multifactor authentication option for LastPass. With the latest LastPass plugin and a supported mobile device, you can now use your phone in conjunction with your master password to generate a secure key that is needed to log in to your account. Authenticator token support has been a hotly anticipated addition to LastPass, and we're happy to make good on that obligation to our users.

We strongly believe that multifactor authentication is an excellent way to protect your sensitive data, and so we are opening this feature up to all LastPass users, including free accounts. For further information on setting up your account with Google Authenticator, or running it on unsupported devices, please see our helpdesk article.

98 comments:

  1. It's stuff like this LastPass...........why you are truly awesome. Thank you

  2. This service is worth eight times what I pay for it. THANKS!!!

  3. What I'd really like is SMS verification. I don't have a fancy phone.

    Replies
    1. Tim, Google Authenticator has SMS or voice call notification, if you don't have a smartphone!

  4. Yes! YES! It's here! Oh wow :'D. Oh goodness what a miracle! LastPass AND Google Authenticator is the best of both worlds!

  5. These improvements are why I consistently recommend your service. Keep up the good work!

  6. This could be the most brilliant thing ever! I just wondered does the 2 step authentication work in the same way as access to GMail etc? With that I get a text message or a phone call with the number. Or does it require a data connection? I am concerned that I won't be able to get access to Last Pass if I am in a mobile blackspot. Can someone advise?

  7. Incredible!!! Grid Authentication is great too, but Google Authentication is much easier for me. Thanks for this.

  8. Awesome! I'm switching from the grid--which as great as it is, can be tedious--to Google Authenticator.

    Nice work, Lastpass!

  9. Oh fantastic, yippee! Thank you sooo much, I know some of us have been nagging you, but you truly made my day :) Wonderful how you listen, LastPass!

  10. Why not just SMS authentication like Facebook???

    Replies
    1. Google Authenticator has SMS or voice call notification, if you don't have a smartphone!

  11. Somehow it's not working in Firefox.
    Maybe it's because I'm still using the Lastpass extension 1.74 and there is no update yet to version 1.8.

    Google Chrome works like a charm.

    Thanks Lastpass for this awesome feature.

  12. If the default is to allow offline logins, then how does this add any security? If someone finds my master password they can just unplug their network cable and then log in as if I'm not using any two factor authentication at all right?

    Someone please prove me wrong (as this sounds awesome in theory).

  13. @Jason Knight

    Correct, this is implemented just like Grid -- the protection is primarily from preventing any other computers you haven't logged in before from being able to utilize your LastPass account -- you could scream your password out at the airport and it wouldn't matter (not recommended). For local protection you either need to disable offline support or utilize Sesame/Yubikey.

  14. @SHermann Yes you need 1.80 -- you need to upgrade, you can do that manually by going to https://lastpass.com/dl

  15. Dear Lastpass,

    This changes EVERYTHING.

    You have calmed my nerves to a great extent.

    This solves a lot of my worries.

    Thank you very much from the bottom of my heart.

  16. @Anonymous - We've considered SMS-based multi-factor; it's somewhat expensive though on this end, so it would likely need to be premium only.

  17. The download page still shows 1.75.0 to me for Firefox:

    https://lastpass.com/misc_download.php

    Also, checking updates via the plugin reports "No updates available".

  18. As a followup of my comment above: I re-installed manually, and it updated, so it's just a problem with the version reported and with the update check in the plugin.

  19. What happens if you lose your 2-factor device? I didn't see this addressed in the helpdesk article and it seems important.

  20. Guys wishing for SMS auth - it is not secure at all, anyone can decrypt the GSM traffic in realtime for free..

  21. @Anonymous- you're probably right, but there isn't the likelihood that they are going to intercept your SMS and steal that one-time code and know your Last Pass password. I suppose it's possible, but still extremely unlikely.

    I'm assuming that the 2 factor app (I haven't yet had the chance to use it) uses your mobile data connection. If this is the case then what happens when you are in a mobile blackspot? What happens if you are abroad and on 3G? Data roaming charges are expensive! SMS would be much preferable. At least it should be an option. I'd be happy to pay a little extra for it.

  22. OK, I am talking out of my bottom. Just read the blurb on the Authentication app-

    "The application doesn't require an Internet connection, mobile service, or a data plan to generate verification codes."

    Hurray!

  23. How will this work with users of Sesame? When you log on to an untrusted computer will you be able to use either of the two apps to generate a one-time password?

  24. I'm also curious to learn more about the process if your mobile device is lost. I see a link to click if that happens, but what safeguards are in place to prevent someone from clicking that link to disable Google Auth? Thanks for providing such a great service!

  25. @DWillens -- Sorry, we only currently support a single 2nd factor at a time. So you need to decide which one works better for you.

    @Mark/@Michael -- That link sends an email which you must click on a link to disable (so access to the email is required). For security reasons, we allow you to specify a completely separate 'security email' in settings that this could be sent to.

  26. I am an experienced Google Authenticator user, but every time I click 'enable' and enter the verification-code I get the pop-up: 'Google Authenticator authentication failed'. Anyone an idea?

  27. Thanks Bob. I assume that means I can try Google Authenticator (which would disable Sesame) and if I am not happy with it I can go back to Sesame?

    My only concern really is that I don't want to have to type a long complicated password from my Blackberry every time I authenticate. It would be easier to just copy and paste the password from my USB thumb drive, if the choice is between that and, say, a 20 character password that must be manually typed.

  28. @Bob: never mind, I figured it out. Disable Sesame, then enable GA. Uses GA's six-digit code. Nice. I also see other forum posts about the pros and cons of Sesame/Yubikey vs GA.

  29. @Anonymous:(11/5, 3:36 pm) I am getting the same message, "authentication failed." Has anyone figured this out?

  30. @Catch20two, there is a discussion, 'LastPass not Accepting Google Authenticator Code', on: http://forums.lastpass.com/viewtopic.php?f=12&t=78726

    It didn't give me the answer yet. Anyone an idea?

    cheers Daniel

  31. Great, I've installed and authorized, now what?
    Can someone tell me what can I do with it now?
    Perhaps share some link to more info about the new abilities this feature gives me now?
    Thanks

  32. I would like to use this but I have a concern: I use Lastpass for my Google account and need to be able to login to that to set up Google authenticator. I often re-flash my phone and in the process lose the Authenticator app, I would therefore end up in a situation with no access to Lastpass because I don't have Authenticator installed, and no access to Authenticator because I can't log into Google without LastPass.

  33. Good job guys. Switched to Goog Auth from grid as a second factor auth option. This is exactly why I paid for lastpass. I don't use any of the paid features but want to support its ongoing development.

  34. Very nice! Love having this. Keep up the great work!

  35. I agreed with Tim. I, too, would like to see SMS verification as I don't own a smartphone.

  36. This is great, but where's the updated build of IE anywhere?

  37. With Google's 2-step verification, there is the option to generate 10 printable back-up codes (one-time use) that we're supposed to carry around with us (wallet etc) in case we lose access to the mobile device with the Google Authenticator app. Is it possible to generate printable one-time use back-up codes for Lastpass too?

    I ask, because although I love the fact that Lastpass supports Google Authenticator, I am reluctant to use it as then I become 100% dependent on my mobile device to get into Lastpass. My Google account is linked to my Lastpass account, so your option of allowing me to by-pass the 2-step verification by clicking a link sent to my email is not helpful, as I cannot access my email without accessing Lastpass!

  38. I have 3 questions:
    1) Is GA better than a yubikey? Can I use both?
    2) Can I use GA with the iPhone/iPad apps?
    3) If I use this does this stop my previously setup 1 time passwords working?

    Thanks for the great app!
    A happy premium user

  39. FIXED, 'LastPass not Accepting Google Authenticator Code'. Try a different browser, see:

    'I tried the same steps but this time I used Internet Explorer 9 and it worked.', http://forums.lastpass.com/viewtopic.php?f=12&t=78726&start=10

  40. Well, this makes it more comfortable, however, more and more we are interconnecting apps and devices.

    Great feature, however, don't know yet when will I use this though. Google is in everything we do :)

  41. Chris -- backing up and restoring google authenticator with titanium backup will work, if you have your phone rooted. Otherwise, I think your best bet is to set up a security email address and store the password outside of lastpass.

  42. Not working for me on Firefox or IE8. I don't even get to where I have to enter the authentication code. The login fails with the message "Google Authenticator authentication required!" and the option to try again, but at no point is there a place to enter the code.

  43. @Anonymous "Not working on X" -- you're using an old version -- please download the latest by going to https://lastpass.com/dl in the browser.

    @Lusine -- You can use this confident that Google has no part of what's going on -- they build the app but it's an algorithm that we use and they have no exposure to your Authenticator 'key'

    @Alan Wild -- IE Anywhere updated.

  44. Too bad I can't use this at the same time as Yubikey. It would be nice to have the option for three-factor authentication for certain things that are super-secret. Great work all the same.

  45. What about bookmarklets? It looks as if using Google Authenticator causes bookmarklets to fail. Before anyone asks I did create a new set of bookmarklets after turning on Google Authenticator in my lastpass settings

  46. Bookmarklets work - if you're not logged in you'll be prompted for your authenticator code. If you're having problems please submit a support ticket at lastpass.com/my.php

  47. This is great news. I don't know how long before I use this option, but it is a welcome update.

    Lastpass is definitely the best password management application that you use.

  48. Shame you can't use GA for mobile devices and yubikey for desktops. limiting to one or the other is crap.

  49. YES! finally! THANK YOU! You can't imagine how much I've been looking forward to burning my grid and never seeing it again!

    *Rejoicing*

  50. After being hacked earlier in the year I'm glad to see that you have finally rolled out another 2 step login.

  51. How do I use authenticator with lastpass mobile? You can't use both at the same time?

  52. Great stuff. But the Russian manual makes me laugh :-)
    Made by google translate.

  53. Awesome new feature, I love lastpass!

  54. Any chance for a redesign of lastpass.com and the Chrome extension? I can't help, but lastpass has the ugliest UI in the world. Even MS-DOS has been better looking. Sorry, but truth.

  55. Regarding the GUI of LastPass, my main problem is while the Firefox version is fine as is the IE plugin, all other versions have the menu text on the left... then like double the amount of space, in other words, the menus are WAY too wide and are clumsy. It appears to me like IE and Firefox toolbar buttons are using the standard Windows GUI controls for menus, while the others are like... manually drawn since they look like white boxes instead of actual "menus" in the traditional sense. This happens in Chrome, Opera, and the other thing is a non standard interface... like Safari's interface looks completely unlike the other ones. Also the menu items I think could be organized a little better and not as randomly placed. Local pass vault (chrome://) is ugly and outdated. LOL. What a hater I sound like. I'm not. The functionality is great, it serves its purpose well; and despite my complaints, I'm about to pay for the Premium service, even though I really wouldn't use any of those extra features besides the iPhone app. That would be nice.

    Speaking of -- you have a plugin for dolphin HD for android? what about the dolphin browser for iPhone? I'm not positive if it supports plugins or not though. I want to say no, not as of now, but I use that one and I'd like to see LastPass for dolphin/iphone.

    I am very interested in employing GA as a way of multi-factor auth, but I need to read more about it to educate myself. For instance, third party apps that authenticate via Google using OpenID, from what I've read you have to change to specific passwords that google generates or something. I'm thinking of going with like.. quad or quint factor authentication. I'll use lastpass to manage the passwords, google authenticator, also use the grid and a yubi key, and then taking it out of the box here... I'm giving the only copy of my grid to my brother. so I will have to contact him to get a grid code. That makes things double blind, like in science. Also I'll make him give me a fake code along with the real one... placebo. I'm going to make everything so secure I will most likely prevent MYSELF from hacking into my passwords, or logging into any of my sites. That's secure.

    Also thinking of dual control bioauthentication. Retina scanners. One here, one offsite in an undisclosed location. I'm not gonna tell you whose eye will be required. I won't even know.

    Psych. Just throwing you off the trail. This is where the real mind "f" comes in. the second eye is gonna be... MY OTHER EYE! the scanner's gonna be over at my neighbor's place. How like... did you imagine the second eye was also gonna be mine? You didn't did you...?

    That's the beauty of it! You've always gotta be one step ahead of the hackers. One told me he'd haQ my saQ whatever that means, but I'm ready now.

  56. Fantastic work you guys. I love lastpass and google authenticator. very glad to see these two fantastic services combined :)

  57. OK ... this is really good.

    One more step and you're where I'd like to see this go...

    I want bluetooth integration between my mobile device receiving a one time 2-factor token and the lastpass app on my pc/tablet. And I want it to happen automagically!!

    Great Stuff.... Keep it coming and I'll keep paying!!

  58. Fantastic guys, keep the hard work up and keep it simple... And I'll keep paying

  59. Personally I think this is sad, I think Google is dangerous, they are into our private lives way too much. Do your homework.

  60. Is Google authenticator supposed to work with Linux? I haven't tried it recently, but when it first came out last month I couldn't get it to work with Firefox in Linux Mint.

  61. I love LastPass! Keep doing what you are doing! Adding GA is tight and awesome! I tell all my friends and employees about you all the time! Thanks for making me look good!

  62. I have been using YubiKey since the beginning to protect my LastPass. It is not working on mobile devices, though. The introduction of Google-Authenticator-support is a really great thing and makes safe passwords for even more people easily available. I am now able to use 2-factor-auth on my smartphone, too! Great! Thank you for that innovative step!

  63. Thank you for this innovative step, Lastpass

  64. Man, I am so infinitely torn right now. I would absolutely love being able to ditch the piece of paper I have planted all over the place (grid option) for this, but having to activate 2-factor on my Google Account for it to work is kind of killing the deal for me. There's the potential of getting locked out of Google and LastPass if I can't get the text message for some reason (since you can only auth a trusted system for 30 days) and barring that, I would need to create application passwords for my phone, e-mail and tons of other crap that doesn't support the two factor. Appreciate it, but looks like I'm going to be sticking with grid auth unless a stand alone app comes along sometime )=

  65. 2-factor authentication is great. Please now do this with AuthAnvil and you'll have a true business service that I can use with my clients.

    Check out your own forum thread @

    http://forums.lastpass.com/viewtopic.php?t=78053&p=261746

  66. Thank you so much, now I can rest assured I'm safe and I can use your generated password

  67. Any chance this will make its way to Windows Phone?

  68. @Javadog --

    Info about running GA on WP7 is here:

    http://helpdesk.lastpass.com/security-options/google-authenticator/

  69. You can't use GA for mobile devices and yubikey for desktops ! Do you foresee an evolution ?

  70. Nice idea but the Google Authenticator app never worked for me, the numbers it generated were just never accepted and I had to use text message authentication instead, which works fine actually.

  71. A Third hand up for GA for mobile and Yubi for desktop please! If I could use Yubi for phone, now that's the option I'd prefer.

  72. I'd love to see support for Verisign VIP. My phone (a Nokia E63) doesn't support the Google authenticator, but does support Verisign VIP (which I can use on Name.com and PayPal)

  73. I use Yubikey on desktop/laptop, and am satisfied with that level of multifactor. How does GoogleAuth help make my iPhone Lastpass more secure? My understanding is via iPhone all someone else would need is my UserID and password, unless Lastpass is monitoring EIN/SIM/MAC addr of the mobi. Someone please educate me on this.

  74. Is there any chance that this app will be available for Symbian any time?

  75. Great idea! Thanks

  76. Only 1 person has pointed out that google has way too much access to our private info. Improvements to security are great but not at that expense. They log, hold, store, analyse and distribute our data in many many instances. Just read their terms of service. So why would this be an exception? It's time WE got as smart as our smart apps.

  77. Love it, this is the one feature I've been missing :-) You guys are awesome.

  78. Great, Great, Great! I love Lastpass. Now even more.

  79. OMG! This...is...awesome! Frikkin love it! THANK YOU!

  80. I, too, would like to see SMS verification (as I don't own a smartphone).

  81. +1 for B's comment regarding using backup access codes like how Google's 2-step verification works. I store my email password in LastPass so if I were to ever lose my phone I could lose access to LastPass and email.

  82. I tried it and it immediately locked me out of my gmail acct. on my desktop. It would not recognize my password or allow any access although I could still access it on my iPhone. I had to reauthorize everything to get back into my account. No thanks.

  83. Awesome feature but if I may, this is something you should have added for premium users only, that would have differentiated further free and premium versions.

    I'm still a very happy free user ;)

  84. Honestly, this is way too complicated, or else not explained clearly enough. I develop stuff that would make your head spin, but can't sort out how this system works and what the potential pitfalls are. What if my phone gets stolen? Oh, I click that thing you're supposed to click when you lose your phone. Wait, how the heck will I remember where THAT is? (When I am upset/panicked because my phone has been stolen). And what is to keep the crook from clicking that and taking over everything? It seems to me if this one object (my smart phone) gets in the wrong hands, I am totally screwed. How is that safe???

    The crew at LastPass needs to get their heads into the real world long enough to realize there is a need to explain things SIMPLY and in LAY TERMS so people know what the heck is going on and can REMEMBER it. As it is you're explaining things at a level that only security professionals (or enthusiasts) can understand and evaluate. I don't think you even realize it!

  85. @Drew. I highly doubt you "develop stuff that would make your head spin" if you don't understand multifactor authentication.

    Multifactor authentication combines something you know with something you have.

    Using Authenticator in conjunction with your account means you have to have both your master password and a six digit code from Google that changes every 30 seconds in order to log in.

    If you lose your phone, Google has some backup methods of obtaining a code. The process for obtaining these codes and revoking access to the phone's codes is detailed on Google's website. Even if someone took your phone, and you hadn't yet deactivated it, they would still need your master password to log in.

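The mechanism comment 85 describes, as an added example (not part of the original post or comments, and not LastPass's code): Google Authenticator's time-based codes follow the TOTP standard, RFC 6238, in which the phone and the server each derive the code from a shared secret and the current time, so no network connection is involved. The secret below is the RFC's published test key, and the acceptance window of one 30-second step either side is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as described in comment 85
DIGITS = 6     # six-digit codes

# RFC 6238 test key ("12345678901234567890") in Base32; not a real account secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore stripped Base32 padding
    key = base64.b32decode(s)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP):
    """RFC 6238 TOTP: HOTP with counter = number of whole steps since the epoch."""
    return hotp(secret_b32, int(unix_time) // step)


def verify(secret_b32, submitted, server_time, window=1, step=STEP):
    """Server-side check. Accepts codes from `window` steps before or after the
    server's current step (assumed policy) to tolerate small clock differences."""
    current = int(server_time) // step
    ok = False
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        # Constant-time comparison; keep looping so timing does not reveal a match.
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    phone_time = 59                                # constructed sample timestamp
    code = totp(SECRET, phone_time)
    print("code shown on phone:", code)
    # Server clock 30 s ahead of the phone: still inside the window.
    print("server +30s accepts:", verify(SECRET, code, phone_time + 30))
    # Server clock 150 s ahead: the code's step is outside the window.
    print("server +150s accepts:", verify(SECRET, code, phone_time + 150))
```
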
  86. Wow thanks! I feel much safer now!

  87. This is such an amazing feature for LastPass. I’ve used Google Authenticator for my Google account ever since it was introduced, and I’ve never had a reason to turn it off. Given I have an Android device, so it’s easier for me to utilize this, but it’s still such a great security feature. In "friendly" environments, you should be able to use key authentication instead of a password which is more comfortable and secure. Using Google Authenticator and key based authentication should work fine.

  88. Could someone please explain how to recover my 2 stage auth if Google Authenticator fails? Cause GoogAuth has failed me several times for no apparent reason and I've had to use their recover key.

    Replies
    1. If you've enabled it for LastPass and the app fails or you lose the device, you can choose the "disable" option when you next login to your LastPass account. We'll send an email to your account email address (or security email address, if you have one set), you can then disable GAuth and re-enable it when you've fixed the app/downloaded it to a new device. If the GAuth app itself fails, though, there may be other issues at play, Google's troubleshooting steps may be of help: http://support.google.com/accounts/bin/topic.py?hl=en&topic=28786

  89. I see multiple mentions of SMS with Google Authenticator, but no mention of how to actually use the SMS portion of Google Authenticator. Any idea how to make Lastpass use Google Authenticator and have it use SMS instead of a time-based code?

    Replies
    1. Hi David: We don't currently support the SMS-capability of Google Auth. It's something we've considered though, and may revisit in the future.
