Mar 7, 2012

Introducing LastPass Mobile Support for the YubiKey NEO

If you've been looking to use your YubiKey with your Android smartphone, your wait is over!

At the recent RSA conference in San Francisco, CA, LastPass announced support for Yubico's latest two-factor authentication technology. The NFC-enabled YubiKey NEO is Yubico's first step toward expanding their technology across smartphones and tablets.

To explain the terminology a bit, "NFC" is short for "Near Field Communication". It's a short-range wireless technology that allows devices to talk to each other and perform other actions, like transferring data and doing transactions. There is usually a chip in the smartphone that can communicate with software on the device while receiving signals from an external device (in this case, the YubiKey NEO).

Like the basic YubiKey, the YubiKey NEO is a small token that fits naturally on a keychain. The device combines the NFC swipe technology with the regular USB interface, so you can use the YubiKey NEO to authenticate your LastPass account on both your computer and your smartphone.

How it works

You can first associate a YubiKey with your LastPass account in your LastPass account settings (accessed from your LastPass Vault by launching the "account settings" link and clicking the "YubiKey" tab). After inserting your YubiKey into a USB port on your computer, you can focus on one of the YubiKey fields and swipe the device to enter the data. Once you have updated your settings, you can grab your Android and launch the LastPass app to log in.

When the YubiKey NEO is introduced to an NFC-enabled smartphone, the YubiKey emits a securely encrypted one-time password (OTP), which the phone reads.
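To make the OTP step concrete, here is an added example (not LastPass or Yubico code) of the structural checks a client can run on a Yubico-format OTP before sending it for validation. It assumes the publicly documented 44-character modhex layout; the function names, the URL form of the NFC payload and the sample value are constructed for illustration.

```python
MODHEX = "cbdefghijklnrtuv"        # Yubico's 16-symbol "modified hex" alphabet
OTP_LEN, PUBLIC_ID_LEN = 44, 12    # 12-char public ID + 32-char AES-128 block


def modhex_decode(s: str) -> bytes:
    """Map each modhex character to a 4-bit value and pack pairs into bytes."""
    if len(s) % 2:
        raise ValueError("odd-length modhex string")
    try:
        nibbles = [MODHEX.index(c) for c in s]
    except ValueError:
        raise ValueError("non-modhex character") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def parse_otp(payload: str) -> dict:
    """Split an OTP into the key's public ID and its encrypted block.

    Assumption: the OTP arrives bare (USB keyboard entry) or as the last
    path segment of a URL read from the NFC tag.
    """
    token = payload.strip().rsplit("/", 1)[-1]
    if len(token) != OTP_LEN:
        raise ValueError("expected a 44-character OTP")
    public_id = token[:PUBLIC_ID_LEN]
    modhex_decode(public_id)                      # rejects foreign characters
    return {"public_id": public_id,
            "encrypted_block": modhex_decode(token[PUBLIC_ID_LEN:])}


def precheck(payload: str, enrolled_id: str, seen: set) -> str:
    """Cheap local checks; the validation service, which holds the AES key,
    still makes the authoritative decision (counter and replay checks)."""
    try:
        otp = parse_otp(payload)
    except ValueError:
        return "malformed"
    if otp["public_id"] != enrolled_id:
        return "wrong-key"                        # not the key tied to this account
    if otp["encrypted_block"] in seen:
        return "replayed"                         # an OTP is only good once
    seen.add(otp["encrypted_block"])
    return "forward-to-validation"


# Constructed sample, not a real key's output.
SAMPLE_OTP = "cccccckdvvul" + MODHEX * 2
```

The public ID is the part that ties a physical key to an account; the encrypted block can only be interpreted by the party holding the key's AES secret.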

Yubico's video shows the device in action with LastPass:


How to get one

For early adopters who want the technology now, pre-production samples of the YubiKey NEO are available at Yubico's web store for $50 per unit. Pre-production samples are only available in single units, with volume orders and full production planned for summer 2012. We may offer a bundle with LastPass Premium and the YubiKey NEO in the future, since YubiKey support is a LastPass Premium feature. For those who may be considering LastPass Premium, the upgrade is $12 per year for unlimited access to all LastPass Premium features.

We're continuing to explore opportunities for enhancing mobile security and the mobile experience as a whole. Stay tuned for future updates.

Thanks,
The LastPass Team

16 comments:

  1. Will there be a way to use/swipe the NFC on the NEO as a substitute for entering the master password, on both the phone and/or PC? That would be more beneficial to me.

    Replies
    1. @Anonymous -- you can select to 'remember password' and then utilize the Yubikey as a 'single' factor instead of part of multi-factor. We don't recommend this due to loss of security but it is possible.

    2. There's a real problem here; it's really important to choose a strong password, or else it would be trivial for an attacker to intercept the password stash over the network when it is sent from the LastPass servers to the phone, and then decrypt the passwords. But a strong password is by definition going to be a massive pain in the tuckus to type into a mobile screen keyboard.

      What we really need is a smart-card type solution where the master password is encrypted in a key stored on an NFC-capable device, which is kept separately from the phone. That way, hopefully if the phone gets lost, the user's key fob doesn't get lost at the same time.

  2. This comment has been removed by the author.

  3. When these come out in volume, will there be one that combines NFC, standard Yubico functionality, and VIP capabilities? I would like to carry one Yubico rather than two if possible, and I use both the main Yubico one-time codes (LastPass) as well as VIP (login to VIP sites), in addition to the NFC functionality.

    I ordered a Neo already, but just would like to consolidate Yubikeys.

  4. How does this work if you are currently using Google Authenticator? Should you turn off Authenticator? Does the NEO work as a USB YubiKey on my computer too?

    Replies
    1. Currently only one multifactor authentication device can be used at a time with your LastPass account, so you would have to turn off Google Auth first, then enable the YubiKey. The NEO works with both your computer (plugs in to a USB port) and with the mobile app (currently Android only).

    2. Just to correct, this is not true regarding LastPass and one multifactor device. It's very evident, especially from first hand experience, that Google Auth and Yubikey are both available options to be dual implemented, etc. Feel free to look to the changes that may have been implemented since this post either on the LastPass site manual or in the settings for LastPass. Of course this post is long after this was originally written, so I'm just writing to correct as it has been changed since.

  5. I would like to use my phone as the YubiKey NFC and when LastPass asks for two-factor authentication, I put my phone on an NFC reader which then provides the authentication code.

    These are all great improvements for security, thanks for helping make security accessible.

    Replies
    1. I think this is what I was looking for: https://code.google.com/r/eholland-nfc-authenticator/

  6. I have played around with the Yubikey Neo and lastpass mobile a bit, and wrote up my findings:
    http://www.juerges.net/2012/03/lastpass-yubikey-neo/

  7. I would like to know if the Yubikey Neo would be able to communicate and function properly when a tablet has a thick leather case on it. I have a Nexus 7 with a thick leather case for protection. Will the Yubikey be able to transmit the NFC signal through the case?

    Replies
    1. We would assume so, but we would recommend reaching out to support[at]yubico.com to confirm.

  8. Hi Sir, You are really good writer.

    This article will help everyone to know so much important information about on lastpass.com. Lastpass.com is a good top-website, where we can find different element of lastpass.com. It is very alternative for people and helpful to anybody. You may know me by Looking for Future Cell Phones? Future Talking about Mobile Phone as compared Past Future Cell Phones. In the future mobile phone able to contain glossy shaping, long life battery services, built in video controller & best regulated TV card. Find the best Future Cell Phones today

    Thanks for the great post.

  9. As per the importance of mobile phone usage in our daily life matters, it is necessary to protect mobile device. As there are many secrets which we can save in this device are may protected by a password as described in above source. mobiespion.com is the best source, where you can get more knowledge regarding mobile media.

  10. The Yubikey Neo holds the structure element of the first Yubikey, yet includes an imperative new part: a safe component (SE), available both by means of USB and over NFC. The SE offers a JavaCard 3.0/JCOP 2.4.2-perfect nature's domain, an ISO14443A NFC interface, Mifare Classic imitating and an NDEF applet for connection with Yubikey usefulness. At the point when connected to a USB port, contingent upon its configuration, the Neo presents itself either as a keyboard (HID gadget), a standard CCID smart card reader, or both when in composite mode. As the SE is completely perfect with JavaCard and GlobalPlatform guidelines, extra applets could be stacked with standard devices.
    ~Alvin.
