Nov 4, 2011
Introducing Support for Google Authenticator
We strongly believe that multifactor authentication is an excellent way to protect your sensitive data, so we are opening this feature up to all LastPass users, including free accounts. For further information on setting up your account with Google Authenticator, or running it on unsupported devices, please see our helpdesk article.

It's stuff like this LastPass...........why you are truly awesome. Thank you
This service is worth eight times what I pay for it. THANKS!!!
What I'd really like is SMS verification. I don't have a fancy phone.
Tim, Google Authenticator has SMS or voice call notification, if you don't have a smartphone!
Yes! YES! It's here! Oh wow :'D. Oh goodness what a miracle! LastPass AND Google Authenticator is the best of both worlds!
These improvements are why I consistently recommend your service. Keep up the good work!
This could be the most brilliant thing ever! I just wondered does the 2 step authentication work in the same way as access to GMail etc? With that I get a text message or a phone call with the number. Or does it require a data connection? I am concerned that I won't be able to get access to Last Pass if I am in a mobile blackspot. Can someone advise?
Incredible!!! Grid Authentication is great too, but Google Authentication is much easier for me. Thanks for this.
Awesome! I'm switching from the grid--which as great as it is, can be tedious--to Google Authenticator.
Nice work, Lastpass!
Oh fantastic, yippee! Thank you sooo much, I know some of us have been nagging you, but you truly made my day :) Wonderful how you listen, LastPass!
Why not just SMS authentication like Facebook???
Google Authenticator has SMS or voice call notification, if you don't have a smartphone!
Somehow it's not working in Firefox.
Maybe it's because I'm still using the Lastpass extension 1.74 and there is no update yet to version 1.8.
Google Chrome works like a charm.
Thanks Lastpass for this awesome feature.
If the default is to allow offline logins, then how does this add any security? If someone finds my master password they can just unplug their network cable and then log in as if I'm not using any two factor authentication at all right?
Someone please prove me wrong (as this sounds awesome in theory).
Love this
@Jason Knight
Correct, this is implemented just like Grid -- the protection is primarily from preventing any other computers you haven't logged in before from being able to utilize your LastPass account -- you could scream your password out at the airport and it wouldn't matter (not recommended). For local protection you either need to disable offline support or utilize Sesame/Yubikey.
@SHermann Yes you need 1.80 -- you need to upgrade, you can do that manually by going to https://lastpass.com/dl
Dear Lastpass,
This changes EVERYTHING.
You have calmed my nerves to a great extent.
This solves a lot of my worries.
Thank you very much from the bottom of my heart.
@Anonymous - We've considered SMS-based multi-factor; it's somewhat expensive though on this end, so it would likely need to be premium only.
The download page still shows 1.75.0 to me for Firefox:
https://lastpass.com/misc_download.php
Also, checking updates via the plugin reports "No updates available".
As a followup of my comment above: I re-installed manually, and it updated, so it's just a problem with the version reported and with the update check in the plugin.
What happens if you lose your 2-factor device? I didn't see this addressed in the helpdesk article and it seems important.
Guys wishing SMS auth - it is not secure at all, anyone can decrypt the GSM traffic in realtime for free.
@Anonymous- you're probably right, but there isn't the likelihood that they are going to intercept your SMS and steal that one-time code and know your Last Pass password. I suppose it's possible, but still extremely unlikely.
I'm assuming that the 2 factor app (I haven't yet had the chance to use it) uses your mobile data connection. If this is the case then what happens when you are in a mobile blackspot? What happens if you are abroad and on 3G? Data roaming charges are expensive! SMS would be much preferable. At least it should be an option. I'd be happy to pay a little extra for it.
OK, I am talking out of my bottom. Just read the blurb on the Authentication app-
"The application doesn't require an Internet connection, mobile service, or a data plan to generate verification codes."
Hurray!
How will this work with users of Sesame? When you log on to an untrusted computer will you be able to use either of the two apps to generate a one-time password?
I'm also curious to learn more about the process if your mobile device is lost. I see a link to click if that happens, but what safeguards are in place to prevent someone from clicking that link to disable Google Auth? Thanks for providing such a great service!
@DWillens -- Sorry, we only currently support a single 2nd factor at a time. So you need to decide which one works better for you.
@Mark/@Michael -- That link sends an email which you must click on a link to disable (so access to the email is required). For security reasons, we allow you to specify a completely separate 'security email' in settings that this could be sent to.
I am an experienced Google Authenticator user, but every time I click 'enable' and enter the verification-code I get the pop-up: 'Google Authenticator authentication failed'. Anyone an idea?
Thanks Bob. I assume that means I can try Google Authenticator (which would disable Sesame) and if I am not happy with it I can go back to Sesame?
My only concern really is that I don't want to have to type a long complicated password from my Blackberry every time I authenticate. It would be easier to just copy and paste the password from my USB thumb drive, if the choice is between that and, say, a 20 character password that must be manually typed.
@Bob: never mind, I figured it out. Disable Sesame, then enable GA. Uses GA's six-digit code. Nice. I also see other forum posts about the pros and cons of Sesame/Yubikey vs GA.
@Anonymous:(11/5, 3:36 pm) I am getting the same message, "authentication failed." Has anyone figured this out?
let's see!
@Catch20two, there is a discussion, 'LastPass not Accepting Google Authenticator Code', on: http://forums.lastpass.com/viewtopic.php?f=12&t=78726
It didn't give me the answer yet. Anyone an idea?
cheers Daniel
Great, I've installed and authorized, now what?
Can someone tell me what can I do with it now?
Perhaps share some link to more info about the new abilities this feature gives me now?
Thanks
I would like to use this but I have a concern: I use Lastpass for my Google account and need to be able to login to that to set up Google authenticator. I often re-flash my phone and in the process lose the Authenticator app, I would therefore end up in a situation with no access to Lastpass because I don't have Authenticator installed, and no access to Authenticator because I can't log into Google without LastPass.
Good job guys. Switched to Goog Auth from grid as a second factor auth option. This is exactly why I paid for lastpass. I don't use any of the paid features but want to support its ongoing development.
Very nice! Love having this. Keep up the great work!
I agreed with Tim. I, too, would like to see SMS verification as I don't own a smartphone.
This is great, but where's the updated build of IE anywhere?
With Google's 2-step verification, there is the option to generate 10 printable back-up codes (one-time use) that we're supposed to carry around with us (wallet etc) in case we lose access to the mobile device with the Google Authenticator app. Is it possible to generate printable one-time use back-up codes for Lastpass too?
I ask, because although I love the fact that Lastpass supports Google Authenticator, I am reluctant to use it as then I become 100% dependent on my mobile device to get into Lastpass. My Google account is linked to my Lastpass account, so your option of allowing me to by-pass the 2-step verification by clicking a link sent to my email is not helpful, as I cannot access my email without accessing Lastpass!
I have 3 questions:
1) Is GA better than a yubikey? Can I use both?
2) Can I use GA with the iPhone/iPad apps?
3) If I use this does this stop my previously setup 1 time passwords working?
Thanks for the great app!
A happy premium user
FIXED, 'LastPass not Accepting Google Authenticator Code'. Try a different browser, see:
'I tried the same steps but this time I used Internet Explorer 9 and it worked.', http://forums.lastpass.com/viewtopic.php?f=12&t=78726&start=10
Well, this makes it more comfortable, however, more and more we are interconnecting apps and devices.
Great feature, however, don't know yet when will I use this though. Google is in everything we do :)
Chris -- backing up and restoring google authenticator with titanium backup will work, if you have your phone rooted. Otherwise, I think your best bet is to set up a security email address and store the password outside of lastpass.
Not working for me on Firefox or IE8. I don't even get to where I have to enter the authentication code. The login fails with the message "Google Authenticator authentication required!" and the option to try again, but at no point is there a place to enter the code.
@Anonymous "Not working on X" -- you're using an old version -- please download the latest by going to https://lastpass.com/dl in the browser.
@Lusine -- You can use this confident that Google has no part of what's going on -- they build the app but it's an algorithm that we use and they have no exposure to your Authenticator 'key'
@Alan Wild -- IE Anywhere updated.
Too bad I can't use this at the same time as Yubikey. It would be nice to have the option for three-factor authentication for certain things that are super-secret. Great work all the same.
What about bookmarklets? It looks as if using Google Authenticator causes bookmarklets to fail. Before anyone asks I did create a new set of bookmarklets after turning on Google Authenticator in my lastpass settings
Bookmarklets work - if you're not logged in you'll be prompted for your authenticator code. If you're having problems please submit a support ticket at lastpass.com/my.php
This is great news. I don't know how long before I use this option, but it is a welcome update.
Lastpass is definitely the best password management application that you use.
Shame you can't use GA for mobile devices and yubikey for desktops. limiting to one or the other is crap.
YES! finally! THANK YOU! You can't imagine how much I've been looking forward to burning my grid and never see it again!
*Rejoicing*
After being hacked earlier in the year I'm glad to see that you have finally rolled out another 2 step login.
How do I use authenticator with lastpass mobile? You can't use both same time?
Great staff. But Russian manual makes me laugh :-)
Made by google translate.
Awesome new feature, I love lastpass!
Any chance for a redesign of lastpass.com and the Chrome extension? I can't help, but lastpass has the ugliest UI in the world. Even MS-DOS has been better looking. Sorry, but truth.
Regarding the GUI of LastPass, my main problem is while the Firefox version is fine as is the IE plugin, all other versions have the menu text on the left... then like double the amount of space, in other words, the menus are WAY too wide and are clumsy. It appears to me like IE and Firefox toolbar buttons are using the standard Windows GUI controls for menus, while the others are like... manually drawn since they look like white boxes instead of actual "menus" in the traditional sense. This happens in Chrome, Opera, and the other thing is a non standard interface... like Safari's interface looks completely unlike the other ones. Also the menu items I think could be organized a little better and not as randomly placed. Local pass vault (chrome://) is ugly and outdated. LOL. What a hater I sound like. I'm not. The functionality is great, it serves its purpose well; and despite my complaints, I'm about to pay for the Premium service, even though I really wouldn't use any of those extra features besides the iPhone app. That would be nice.
Speaking of -- you have a plugin for dolphin HD for android? what about the dolphin browser for iPhone? I'm not positive if it supports plugins or not though. I want to say no, not as of now, but I use that one and I'd like to see LastPass for dolphin/iphone.
I am very interested in employing GA as a way of multi-factor auth, but I need to read more about it to educate myself. For instance, third party apps that authenticate via Google using OpenID, from what I've read you have to change to specific passwords that google generates or something. I'm thinking of going with like.. quad or quint factor authentication. I'll use lastpass to manage the passwords, google authenticator, also use the grid and a yubi key, and then taking it out of the box here... I'm giving the only copy of my grid to my brother. so I will have to contact him to get a grid code. That makes things double blind, like in science. Also I'll make him give me a fake code along with the real one... placebo. I'm going to make everything so secure I will most likely prevent MYSELF from hacking into my passwords, or logging into any of my sites. That's secure.
Also thinking of dual control bioauthentication. Retina scanners. One here, one offsite in an undisclosed location. I'm not gonna tell you whose eye will be required. I won't even know.
Psych. Just throwing you off the trail. This is where the real mind "f" comes in. the second eye is gonna be... MY OTHER EYE! the scanner's gonna be over at my neighbor's place. How like... did you imagine the second eye was also gonna be mine? You didn't did you...?
That's the beauty of it! You've always gotta be one step ahead of the hackers. One told me he'd haQ my saQ whatever that means, but I'm ready now.
Fantastic work you guys. I love lastpass and google authenticator. very glad to see these two fantastic services combined :)
OK ... this is really good.
One more step and you're where I'd like to see this go...
I want bluetooth integration between my mobile device receiving a one time 2-factor token and the lastpass app on my pc/tablet. And I want it to happen automagically!!
Great Stuff.... Keep it coming and I'll keep paying!!
Fantastic guys, keep the hard work up and keep it simple... And I'll keep paying
Personally I think this is sad, I think Google is dangerous they are into our private lives way too much. Do your homework.
Is Google authenticator supposed to work with Linux? I haven't tried it recently, but when it first came out last month I couldn't get it to work with Firefox in Linux Mint.
I love LastPass! Keep doing what you are doing! Adding GA is tight and awesome! I tell all my friends and employees about you all the time! Thanks for making me look good!
I have been using YubiKey since the beginning to protect my LastPass. It is not working on mobile devices, though. The introduction of Google-Authenticator-support is a really great thing and makes safe passwords for even more people easily available. I am now able to use 2-factor-auth on my smartphone, too! Great! Thank you for that innovative step!
Thank you for this innovative step, Lastpass
Man, I am so infinitely torn right now. I would absolutely love being able to ditch the piece of paper I have planted all over the place (grid option) for this, but having to activate 2-factor on my Google Account for it to work is kind of killing the deal for me. There's the potential of getting locked out of Google and LastPass if I can't get the text message for some reason (since you can only auth a trusted system for 30 days) and barring that, I would need to create application passwords for my phone, e-mail and tons of other crap that doesn't support the two factor. Appreciate it, but looks like I'm going to be sticking with grid auth unless a stand alone app comes along sometime )=
2-factor authentication is great. Please now do this with AuthAnvil and you'll have a true business service that I can use with my clients.
Check out your own forum thread @
http://forums.lastpass.com/viewtopic.php?t=78053&p=261746
Thank you so much, now I can rest assured I'm safe and I can use your generated password
Any chance this will make its way to Windows Phone?
@Javadog --
Info about running GA on WP7 is here:
http://helpdesk.lastpass.com/security-options/google-authenticator/
You can't use GA for mobile devices and yubikey for desktops ! Do you foresee an evolution ?
Nice idea but the Google Authenticator app never worked for me, the numbers it generated were just never accepted and I had to use text message authentication instead, which works fine actually.
A Third hand up for GA for mobile and Yubi for desktop please! If I could use Yubi for phone, now that's the option I'd prefer.
I'd love to see support for Verisign VIP. My phone (a Nokia E63) doesn't support the Google authenticator, but does support Verisign VIP (which I can use on Name.com and PayPal)
I use Yubikey on desktop/laptop, and am satisfied with that level of multifactor. How does GoogleAuth help make my iPhone Lastpass more secure? My understanding is via iPhone all someone else would need is my UserID and password, unless Lastpass is monitoring EIN/SIM/MAC addr of the mobi. Someone please educate me on this.
Is there any chance that this app will be available for Symbian any time?
Great idea! Thanks
Only 1 person has pointed out that google has way too much access to our private info. Improvements to security are great but not at that expense. They log, hold, store, analyse and distribute our data in many many instances. Just read their terms of service. So why would this be an exception? It's time WE got as smart as our smart apps.
Love it, this is the one feature I've been missing :-) You guys are awesome.
oh god
Great, Great, Great! I love Lastpass. Now even more.
OMG! This...is...awesome! Frikkin love it! THANK YOU!
I, too, would like to see SMS verification (as I don't own a smartphone).
+1 for B's comment regarding using backup access codes like how Google's 2-step verification works. I store my email password in LastPass so if I were to ever lose my phone I could lose access to LastPass and email.
I tried it and it immediately locked me out of my gmail acct. on my desktop. It would not recognize my password or allow any access although I could still access it on my iPhone. I had to reauthorize everything to get back into my account. No thanks.
Awesome feature but if I may, this is something you should have added for premium users only, that would have differentiated further free and premium versions.
I'm still a very happy free user ;)
Honestly, this is way too complicated, or else not explained clearly enough. I develop stuff that would make your head spin, but can't sort out how this system works and what the potential pitfalls are. What if my phone gets stolen? Oh, I click that thing you're supposed to click when you lose your phone. Wait, how the heck will I remember where THAT is? (When I am upset/panicked because my phone has been stolen). And what is to keep the crook from clicking that and taking over everything? It seems to me if this one object (my smart phone) gets in the wrong hands, I am totally screwed. How is that safe???
The crew at LastPass needs to get their heads into the real world long enough to realize there is a need to explain things SIMPLY and in LAY TERMS so people know what the heck is going on and can REMEMBER it. As it is you're explaining things at a level that only security professionals (or enthusiasts) can understand and evaluate. I don't think you even realize it!
@Drew. I highly doubt you "develop stuff that would make your head spin" if you don't understand multifactor authentication.
Multifactor authentication combines something you know with something you have.
Using Authenticator in conjunction with your account means you have to have both your master password and a six digit code from Google that changes every 30 seconds in order to log in.
If you lose your phone, Google has some backup methods of obtaining a code. The process for obtaining these codes and revoking access to the phone's codes is detailed on Google's website. Even if someone took your phone, and you hadn't yet deactivated it, they would still need your master password to log in.
Wow thanks! I feel much safer now!
This is such an amazing feature for LastPass. I’ve used Google Authenticator for my Google account ever since it was introduced, and I’ve never had a reason to turn it off. Given I have an Android device, so it’s easier for me to utilize this, but it’s still such a great security feature. In "friendly" environments, you should be able to use key authentication instead of a password which is more comfortable and secure. Using Google Authenticator and key based authentication should work fine.
Could someone please explain how to recover my 2 stage auth if Google Authenticator fails? Cause GoogAuth has failed me several times for no apparent reason and I've had to use their recover key.
If you've enabled it for LastPass and the app fails or you lose the device, you can choose the "disable" option when you next login to your LastPass account. We'll send an email to your account email address (or security email address, if you have one set), you can then disable GAuth and re-enable it when you've fixed the app/downloaded it to a new device. If the GAuth app itself fails, though, there may be other issues at play, Google's troubleshooting steps may be of help: http://support.google.com/accounts/bin/topic.py?hl=en&topic=28786