Aug 29, 2013

Introducing Toopher and Duo Support for LastPass

We’re excited to announce that two new options join the family of multifactor authentication methods we support with LastPass! LastPass now supports Toopher and Duo, both of which can be run from your Android or iOS smartphone and are free for consumers.

We’ve talked up multifactor authentication over the last few years and especially in the last several months as it marks a growing trend in personal security. Multifactor authentication refers to the use of a second piece of information or a device that generates that information before allowing access to an account. By adding a second step, you’re requiring that two pieces of data be entered by a user - typically a username and password that the user knows, then a code or generated key that the user provides with a device or app. Adding multifactor authentication creates another barrier to entry, so that even a compromised password does not translate to a compromised account. By enabling multifactor authentication with your LastPass account, you’re significantly increasing the security surrounding the “hub” of your online life.

Toopher



To get started with Toopher:
  • Download the Toopher app from the app store on your device.
  • Start the app on your device.
  • Log in to LastPass and launch your “settings” menu in the LastPass vault.
  • Click the “multifactor options” tab and select “Toopher”.
  • Switch Toopher to “enabled”, and enter the pairing phrase generated by the Toopher app on your mobile device. Select the “=” button on the Toopher app to generate this phrase.
  • Look for the “push notification” on your phone, and select “allow”.
Toopher is now enabled for your LastPass account. You can automate authentication by telling your mobile device to automatically log you in next time, by sliding the “automate when near here” slider. Toopher will automatically enable authentication for you when you’re in the same location logging in to the same computer.

Duo


To get started with Duo:
  • Download the Duo app from the app store on your device.
  • Start the app on your device.
  • Log in to LastPass and launch the “settings” menu in the LastPass vault.
  • Click the “multifactor options” tab and select “Duo Security”.
  • Switch the status to “enabled” and select the link to enroll in Duo.
  • Enter your telephone number, and send yourself the text message.
  • Follow the steps to complete enrollment.
  • Once complete, ensure that you’ve also “updated” your LastPass settings.
The next time you log in to LastPass, Duo will send a “push notification” to your phone, and allow you to “approve” login.

We offer a range of other multifactor options, both free and Premium, so be sure to pick one that best suits your workflow. For more details on available options, see our list here: https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/

Have you tried multifactor authentication? What do you think? Will you try Toopher or Duo?

26 comments:

  1. Toopher http://lifereviewplus12.blogspot.ru/2013/08/lastpass-toopher.html

  2. The concept behind Toopher sounds great, but since I already use Google Authenticator for a few different accounts, I will probably not try Toopher. It's easier to keep everything using the same system.

  3. Do they both need an internet connection?

    Replies
    1. I know that Google Authenticator does NOT need an internet connection.

    2. For Toopher at least it looks like you'll need a connection (WiFi, LTE, 3G, 4G). Looks like Duo Push requires the same: https://www.duosecurity.com/duo-push

    3. You can use Duo offline - it generates OTPs as well as handling push.

  4. Duo is available on Windows Phone, for those of us in 2013.

  5. I've been using the Google Authenticator option for a year now, but I recently switched from Google's own app to Duo and then to Authy. Authy lets you rename the authenticators, which is helpful when you have more than one Google or LastPass account, plus has a great Bluetooth option to copy codes from phone to computer seamlessly. I would love to see native Authy push as well, which as I understand it is like Duo (I could be wrong!).

  6. How do I add a second Toopher mobile app? I already authenticated on my iPad, now I want to add my Android smartphone. There is no way I can see to add it, even though Toopher explicitly said it supports multiple devices...

    Replies
    1. Hey, Fred. I'm a Toopher developer.

      Toopher supports multiple devices like Android and iOS. We do not support multiple devices per account, yet. Sorry for the confusion. We are working on creating a good user experience around multiple devices per account.

  7. The reason I chose to use Toopher is once you authenticate at a specific location, you can have it not ask again. So after you authenticate at home and work, it won't bother you again. Nice.

  8. Is there a way to get LastPass to stop asking "This computer is trusted, do not require a second form of authentication."??

    Without telling LastPass that it is trusted?

    Replies
    1. It sounds like the trusted file is not being recognized, try following these steps: https://lastpass.com/support.php?cmd=showfaq&id=3725&questiondefault=trusted

      Reach out to the team for any persisting errors: https://lastpass.com/supportticket.php

  9. Matt: Just so you're aware if it's been a while, you can rename your "authenticators" in Duo Mobile as well (with fancy icons, no less!).

    Steve: With Duo Mobile you can have all of your Google authenticator accounts (and many others) in addition to the Duo platform, all from one app! No need to mess around with two.

  10. I wish that you would add https://getclef.com to LastPass. This must be the easiest and most user-friendly way to log in. I use it on about 15 WordPress sites that I run.

  11. I absolutely love using LastPass. It's the best and most convenient Password Manager I've used to date and in the past I have recommended accounts to friends and family.

    Unfortunately as a non-US user, and in light of the NSA spying with secret gag orders etc, I no longer trust US-based services and so am in the process of removing my data and future business from US companies. Will be helping my friends and family move their accounts too.

    LastPass will be one of the few services I will really miss and will be difficult to replace.

  12. Nice, but I still prefer to use Google Authenticator. I find it easier and more secure (no client-server communication required)

  13. Interesting, but what if you lose your phone or otherwise no longer have it? What will happen to your LastPass account? Will you be able to log in and modify the authentication?

  14. I have just set up Toopher and had the exact same thought: what if I lose my phone?

  15. I have been using Sesame as my Multifactor Authentication tool for the past couple of years and it's been great. Love the additional layer of protection that it provides, and I'd never go back to Singlefactor Authentication now.

    Recently changed to Duo as it makes sense since I always have my mobile phone with me and saves me carrying around my special USB drive. So far, it's proven to be a fabulous combination. Takes only a couple of minutes to set up, and so far it's been a dream to use.

    As for a couple of the questions re: what if I lose my phone? That was my initial question / concern, as at least with Sesame I could deactivate it via my security email.

    After a bit of sussing around, I found out that I can simply delete that phone from my Duo account and then use another mobile phone (an older NON-smart phone can also work) or even a landline (yes, a few of us still have one of these too at work or even home).

    So the LastPass and Duo combo seems pretty good. (Toopher also looks pretty good, yet I have yet to try that one to comment.)

  16. This comment has been removed by the author.

  17. Please, just add SMS/text as a multifactor method. It is much safer, and less of a hassle, I think. Google uses that method too. And I love it. No phishing site can send me the SMS code, while it can ask me for the Google Authenticator code.

    Furthermore, the data from apps can be stolen. I.e. the Google Authenticator data (and others) can be stolen, while it would be far more difficult to intercept an SMS/text message.

    And last but not least, I switch phones a lot, perform factory resets, change my phone ROM, etc. Every time I get locked out from LastPass, because I don't have the multifactor auth app anymore (Google Authenticator/Toopher etc). This would not happen when LastPass sends me an SMS/text message.

    Replies
    1. If you print (or save in some way) the QR code that is shown while enabling Google Authenticator, you can reinstall Google Authenticator on a new phone and use the same QR code to get 2FA back on the new phone. As for stolen data, if your phone is encrypted and not rooted, it's not easy (if not impossible) to steal GA data from the phone.

  18. Thanks for adding support to more services! I've recently replaced Google Authenticator with Authy and I would love to see LastPass support native Authy push as well!

    Replies
    1. That's awesome - thanks for the positive feedback!
