Tip: Protect Your LastPass Account with Two-Factor Authentication

With news of a recent LastPass breach triggering the typical Chicken Little theatrics, it’s worth remembering that you can easily secure your LastPass account by enabling two-factor authentication. And if you’re already using this method to protect your Microsoft (or Google, or whatever) accounts—and you should be—you’ll be delighted to discover it works exactly the same way with LastPass.

I do use and recommend LastPass. But the one major criticism I’ve seen about this and other cross-platform password managers is that they create a single point of attack for hackers. Should someone compromise your LastPass account, after all, they will gain access to all of your online accounts, which could lead to identity theft not to mention very real financial theft.

Fair enough. And by default, LastPass is like any other online account: you provide an account name (email address) and password and are granted access to your vault, which contains all of your stored accounts and related passwords. LastPass refers to your LastPass password as your “master password,” because it is, and the assumption here is that you will thus provide it with a longer, more complex and unique password than you provide for other accounts.

But many people don’t do this. And while the recently reported breach didn’t actually compromise any user vaults—they’re encrypted—what we should be worried about as individuals isn’t so much general security at LastPass, which is known to be excellent, but rather the security of our own accounts. Which is often not that excellent.

Back in March, I explained part of the solution to this dilemma in Tip: Protect Your Online Accounts with Two-Factor Authentication: you can and should configure all of your accounts with two-factor authentication—or, more generally, “multi-factor authentication”—a security measure that will prevent hackers from access these accounts, even if they have your user name and password.

Two-factor authentication combines two “factors” to ensure you are who you say you are: something you know (your password) and something you have. That latter bit could be a smart card (like YubiKey) or finger reader, as we see in some enterprises. But it’s far more common for individuals to use their smart phone and an associated authenticator app, which generates ever-changing codes for the second factor. To access your account, you will need both your password (which you know) and the security key (which you have with you, on your phone).

If you use an Android handset or an iPhone, grab the Google Authenticator app. On Windows Phone, you will use the Microsoft Authenticator app. They work virtually identically. You should obviously enable at least a PIN code on your phone, and you should consider setting an aggressive timeout as well. (And on the PCs on which you are using LastPass, you should likewise have similarly aggressive password policies in place as well. Remember: your laziness is the weakest link in the security chain.)

To configure two-factor authentication for LastPass, sign-in to the service on the web and navigate to Account Settings and then Multifactor Options. Select the Google Authenticator option (yes, even for Windows Phone) and change Enabled to Yes. Then, when you click Update, you can configure the account in your phone-based Authenticator app using the supplied barcode.

Two-factor authentication works with LastPass as it does with your other online accounts: when you need to sign-in to the account, you will need to provide your password and the Authenticator-generated security code. Yes, you can configure LastPass to not prompt you for either. Do not do that.

With a Microsoft account (and other online accounts like Google), you can configure alternatives to the Authenticator code so that you can still get into your account if your smart phone isn’t handy. For example, you can send codes via text message to other smart phones, get an automated phone call to any number where a code is read to you, and so on.

But LastPass doesn’t offer an alternative when you configure two-step authentication. (And if you do see a way to add one, please let me know.) Instead, you can disable two-step authentication on the fly, with LastPass sending an email to the address tied to your account.

Also, be sure to take LastPass’s Security Challenge: the service will analyze all of the passwords in your stored accounts and let you know how good those passwords really are. The results may be somewhat sobering, but remember that one of the best features of LastPass is that it generates complex passwords. Maybe you could look at doing so, as you almost certainly have a number of weak and reused passwords. I certainly did, and the Security Challenge offered to change them all for me with just a single click. Nice.

Let me know if I’m missing anything important. Account security is becoming more and more important in this ever-connected world, and while we will one day soon perhaps be free of passwords, for now this is something we have to deal with. So it’s important to get it right.