New: Google Releases Authenticator Version 2 for Android

Google Authenticator, the most recent addition to our suite of multifactor authentication options, is a mobile app that allows you to add a second step of verification to your LastPass account for free (as well as your Gmail and other online accounts). The app generates codes that you enter when prompted to gain access to your LastPass account.

If you’ve been using Google Authenticator as a multifactor authentication with LastPass, you may have recently noticed a warning to update the app. With an error message indicating that the “old” version of Google Auth will no longer be supported, the prompts redirect you to Google Play to install the “new” version. We discovered that Google silently launched version 2 (2.15 to be exact) of Google Authenticator on March 21st – not just an upgrade, but a new app.

If you want to get technical, the new app’s program name is, while the old one was Because version 2 is a new app, and Google appears to be removing the old version from the store, the “update” process is a little more involved. The upgrade prompts will take you to Google Play, where you can install the new version, migrate your tokens, and uninstall the outdated version. If you attempt to install version 2 with version 1 still installed, you’ll see prompts to uninstall the latter.

Google offers the following updates to the app in their changelog:

  • Updated look and feel
  • New entry for Google Play, same great app
  • “Scan barcode” and “Manually add account” options moved to Menu > Add account.

However, these minor changes have prompted some to wonder why a separate app needed to be released for the new version. Some have speculated that Google lost their signing key, prompting them to release a new app under a new package name. Currently there’s no evidence to support this claim; a plausible explanation may be that Google simply wants to integrate Authenticator more tightly with other apps.

To expand on that explanation:

  • The signing key used on the old version of Google Authenticator (SHA1 fingerprint: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00) is also used to sign: Scoreboard, Goggles, Finance, Google Voice, Shopper, Transalte, Chrometophone, Earth, Reader, and a few others.
  • The signing key used on the new version of Google Authenticator (SHA1 fingerprint: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88) is used to sign: Google Maps, Google Play Store, Gmail, Google+, Google Chrome and Google Music.

It’s important to note that the changes and upgrade process will not affect the current set-up with your LastPass account. If you’ve been using the old version (0.91), you’ll be able to smoothly transition to logging in to LastPass with the codes from the new app.

The changes appear to only affect Android devices, so will not affect those running Google Auth on their iPhone.

The LastPass Team


  • Is it possible to set up my LastPass account so that the Android LastPass app uses Google Authenticator (on the same device) for additional authentication?

    I use YubiKey for PC logins and don’t want to change that. If the mobile LastPass app could invoke Google Authenticator it would prevent someone accessing my LP account on another mobile device. (my phone doesn’t have NFC, so the LP Neo isn’t an option)

    • Amber says:

      Thanks for the comments, we may offer other options in the future but at the moment only one multifactor device can be enabled for an account at a time.

  • Tibi says:

    thank you for the nice update

  • mxx says:

    This might be a bit off topic but it looks like Google is abandoning ChromeToPhone app and migrating to a more generic ChromeToMobile. Chrome Dev 19 has it built-in.

  • John Doe says:

    Still extremely happy LastPass supports this type of extra authentication. I wish more were as security conscious as you guys are!

    Thanks you.

  • Johan says:

    Maybe, next time, specify earlier that this just affects people with xxxxx device (in this case Android) instead of mentioning it in the last line possible :)
    Anyway, thanks for the update!

    (I was unaffected, as you might have surmised ;) )