Two-Factor Authentication: What It Is & Why You Need It

Using two-factor authentication is one of the best ways to keep your data safe and add even more security to your LastPass account. That’s why we offer our users over 15 options so you can choose one that fits your setup and workflow.

Let’s take a look at what two-factor authentication is, how to choose from the options available, and what to expect once you turn it on.

What Two-Factor Authentication Is

Two-factor (or multifactor) authentication is a feature that asks you for more than just your username and password when you log in. It requires something you know (your master password), plus something you have (like your phone or a token) or something you are (like your fingerprint).

You have to provide that second piece of information – whether it’s a code, or a temporary password, or the swipe of a finger – before the account can be accessed. If the correct information isn’t provided, the account remains locked.

That way, even if someone obtained your master password, they’d be blocked from getting into the account when they’re asked for the two-factor authentication. It’s the single most important security step you can take to protect your LastPass account.

How to Choose a Two-Factor Authentication Option

As of today, LastPass integrates with 15 different two-factor authentication services, and we continue to add more. It’s always been important to us to provide a range of options, and to work with the best vendors out there. This allows you to choose the option that fits with your workflow, devices, and security needs. Many are included with the basic LastPass service, while others require LastPass Premium or LastPass Enterprise.

LastPass integrates with different types of two-factor authentication services, including smartphone-based apps, software-based services, and hardware tokens.

Smartphone Apps

  • Google Authenticator (Free): Utilizes a free Google app, available for Android, iOS, and BlackBerry, which will generate a code every 60 seconds that you will type in when prompted.
  • Microsoft Authenticator (Free): Like Google Authenticator, generates codes every 60 seconds. Available for Windows Phone 7 and 8.
  • Transakt (Free): A mobile app that allows you to authenticate by responding to an Accept or Reject prompt via your mobile device.
  • Duo Security (Free): A mobile app for Android, iPhone, BlackBerry, and Windows Phone, where “push notifications” are sent after you attempt to log in, allowing you to accept or decline via your smartphone. Or, use the SMS text option to send codes in batches.
  • Authy (Free): Like Google Authenticator, generates one-time codes every 30 seconds. Available for Android, iOS, and more.
  • Mobile Fingerprint Reader (Premium): Supported on the LastPass Premium iOS and Android apps, allowing users to unlock the app with their fingerprints. This isn’t a true second factor, but it allows users to add another security step when logging in to LastPass on mobile devices.
  • Salesforce# Authenticator (Enterprise): Utilizes the Salesforce Authenticator app, for Android and iOS, that generates one-time codes.
  • Symantec VIP (Enterprise): The Symantec “VIP Access” app generates 6-digit, one-time password codes every 30 seconds.

Software-Based Services

  • LastPass Grid (Free): A unique, generated spreadsheet of random values that resembles a Battleship grid, each section containing a different letter or number. Once enabled, you’ll be prompted to find and enter four values from the spreadsheet.
  • LastPass Sesame (Premium): Generates unique One Time Passwords (OTPs) each time you log in. The feature can be run from a USB thumb drive, and you have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.
  • Fingerprint Reader (Premium): LastPass has support for any fingerprint reader supporting Windows Biometric Framework (WBF).
  • SmartCard Reader (Premium): LastPass has beta support for SmartCard readers.

Hardware Tokens

  • YubiKey (Premium): A key-sized device that plugs into your computer’s USB slot and generates a unique One Time Password when it’s pressed. YubiKeys are immune to replay attacks, man-in-the-middle attacks, and other threats. The key can be purchased from Yubico and bundled at a discounted rate with LastPass Premium. It needs no batteries and is waterproof and crush safe. It also adds more encryption to your LastPass account.
  • RSA SecurID (Enterprise): The LastPass Enterprise user will be prompted first for their LastPass Master Password, and then for their RSA SecurID passcode.

Note: We also support Toopher but they’re no longer accepting new users, so this option is only available to existing users.

Logging In to LastPass with Two-Factor Authentication

Once you’ve decided on the two-factor authentication option you want to use, you can enable it in your LastPass Account Settings, under the Multifactor Options menu.

The next time you log in to LastPass, you’ll be prompted to provide your two-factor authentication information, whether it’s a one-time code, an approval swipe on your phone, or your fingerprint.

If you’re on a computer where you log in a lot, you can mark that computer as “trusted”. That lets LastPass know you don’t want to be asked to go through the two-factor authentication step on that particular computer. The next time you log in you won’t be prompted, but your account itself will still be protected.

Start Today!

Turning on two-factor authentication takes less than two minutes. And the extra second it takes you to log in to your account is worth the peace of mind. You’ll beef up the security of your LastPass account and keep it safe from anyone trying to remotely break into your account. And don’t forget, lots of other web services let you use two-factor authentication, like PayPal, Slack, Gmail, Twitter, Facebook, Dropbox, Evernote, and many banks. Be sure to turn it on everywhere you can to keep your data and your identity safe.



  • John Parker says:

    Yes, it is a good idea, but what are the negatives? I often travel and sometimes need to get access to the account. I do not always remember to bring my personal phone, and have also had it crap out on me. What then? If a phone goes bad and I can no longer access my LastPass info what are the options?

  • Ryan says:

    Any chance you’ll enable U2F keys at some point? It would be nice to have a cheaper option that also works with my Google accounts.

  • Steve Mills says:

    Can we not just use a personal second verification like “What’s your favourite car/movie etc.?”

    • Matt says:

      Not particularly secure though, is it, and easily gamed through social engineering. 2FA works on the concept of something you know (password) and something you have (YubiKey/authenticator app/grid etc.). What you are suggesting is something you know (password) and something else you know but that someone else might also know (favourite food, mother’s maiden name etc.).

  • Shane Goodman says:

    I wish Symantec VIP was available for Premium users.

  • Simon says:

    I am surprised there is no mention of FreeOTP for iOS and Android, written by Red Hat. It’s a free and open source implementation of Google Authenticator, and has a much better interface IMO. It’s what I use for my LastPass OTP.

    • Brian says:

      How do you configure FreeOTP to work with LastPass? When I look at my settings for LastPass, I don’t see FreeOTP as an option.

      • Juan says:

        I use FreeOTP too, and it works like a charm.
        Brian, you need to follow the same process as if it were for Google Authenticator.
        Choose the Google Authenticator option in your LastPass configuration and click on the link to ‘View’ your QR code on a PC, then simply open FreeOTP on your phone and scan the QR code with the camera (FreeOTP has an icon at the top to scan QR with the camera). Once the QR code is recognised (usually fast), an option to generate two-factor authentication codes for LastPass every 30 seconds will be added and configured automatically in the app.
        You can later edit the icon in the interface if you want ;)
        I’ve tried FreeOTP for other services (Dropbox, Facebook, Google etc) and it works without issues too.