HELP FILE

Sesame Multifactor Authentication

LastPass users can use an ordinary USB drive as a second form of authentication when logging into their LastPass account. Having a physical second form of authentication will help further ensure that your account will remain safe because both your Master Password and your USB drive are required to log in.

Note: Feature availability may vary depending on your account type.

For LastPass admins, it is recommended that you complete the steps for enabling Multifactor Authentication in the Admin Console.

For LastPass users, you can begin by installing Sesame on your Windows, Mac, or Linux machine, and/or moving the installation to a USB drive to use as a portable security app. Please note that all configurations for enabling, using, and disabling Sesame are done via the Sesame application directly. These changes cannot be made from within your LastPass Vault.

Please note that if you have more than 1 Multifactor Authentication option enabled for your account, you must select your desired default authentication option from the drop-down menu at the bottom of your Multifactor Options window in order to be prompted to authenticate with your preferred option when logging in to LastPass.

Topics in this article:

Set up and configure

Use Sesame Multifactor Authentication

Disable your LastPass account from using Sesame

Remove your LastPass account from Sesame

Disable authentication for a new or lost device

Troubleshooting

Set up and configure

Once you have installed and opened the Sesame application directly on your machine (or optionally, downloaded and moved the app to your USB drive and launched from there), you can begin setting up and configuring Sesame as follows:

  1. Enter your email address and Master Password, then click Login.
  2. In order to authorize adding your LastPass user account to be used in Sesame, access to your email address must be verified. Check your email and click on the verification link, then go back to the Sesame application and click OK to continue the login process. Note: You must click the link in the verification email within 10 minutes of adding your account to Sesame or it will expire.
  3. Once verified, check the box to enable the "Yes, protect me against keyloggers and spyware!" option. You can also check the boxes for your desired protection options. Click OK to log in to Sesame using your LastPass account.

Note for Linux users: The USB device is mounted noexec, which prevents running executables from the drive. To fix this, remount the device with the exec flag, for example: sudo mount -o remount,exec <device> <mountpoint>
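
A check for the condition in the Linux note above, as an added example that is not LastPass code: it finds the mount that holds a given path and prints the remount command only when that mount carries noexec. The sample mount table and its paths are constructed, and check_path, find_mount and is_noexec are names chosen for this example.

```shell
#!/bin/sh
# Added example (Linux only): is the file at PATH on a noexec mount?
# Table format is that of /proc/self/mounts: device mountpoint fstype options ...
# Caveat: the kernel writes spaces in mount points as \040 in that file.

# Constructed sample mount table, not taken from a real system.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/SESAME vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
/dev/sdc1 /mnt/tools ext4 rw,nosuid,nodev,relatime 0 0'

# find_mount PATH [TABLE]: print "device mountpoint options" for the longest
# mount point that is a directory prefix of PATH (later entries win ties).
find_mount() {
    table=${2:-$(cat /proc/self/mounts)}
    printf '%s\n' "$table" | awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); hit = $1 " " $2 " " $4 }
        }
        END { if (hit == "") exit 1; print hit }'
}

# is_noexec OPTIONS: succeed when the comma-separated list contains noexec.
is_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_path PATH [TABLE]: print "exec-ok", or the remount command to run.
check_path() {
    entry=$(find_mount "$1" "${2:-}") || { echo "no-mount"; return 1; }
    dev=${entry%% *}; rest=${entry#* }
    mp=${rest%% *};   opts=${rest#* }
    if is_noexec "$opts"; then
        echo "sudo mount -o remount,exec $dev $mp"
    else
        echo "exec-ok"
    fi
}

check_path /media/user/SESAME/sesame "$SAMPLE_MOUNTS"
```

Called with only a path, check_path reads /proc/self/mounts on the running system.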

Use Sesame Multifactor Authentication

Once activated, Sesame will create secure One-Time Passwords (OTP) that are subsequently required for login. You can choose from the following options to log in to your LastPass account:

  • Launch browser – Select this option and click Generate One Time Password to pass the OTP value automatically.
  • Copy to clipboard – Select this option and click Generate One Time Password to copy the OTP value to your clipboard so that it can be pasted into the LastPass authentication window, then click Authenticate.

Note: The Copy Offline Password option lets you copy an OTP that can be used when attempting to log in to your LastPass account from a device that does not have an internet connection.

Disable your LastPass account from using Sesame

If you no longer want your LastPass account to use Sesame Multifactor Authentication, you must disable its use of your account directly within the Sesame app. These changes cannot be made from within your LastPass Vault.

Note: You must go through these steps of disabling your account from using Sesame BEFORE removing your LastPass account.

  1. Open the Sesame app.
  2. Click to highlight your LastPass email address, then click Edit.
  3. Enter your Master Password, then click Login.
  4. Check the box to enable the "No, disable Sesame" option.
  5. Click OK.

Remove your LastPass account from Sesame

You can remove your LastPass account from being stored within the Sesame app. However, you must disable your LastPass account from using Sesame before you remove your account. This ensures that Sesame authentication is disabled, and that you won't be prompted for an OTP via Sesame in order to log in to your LastPass account.

Note: You must go through the steps above for disabling Sesame BEFORE proceeding to these steps.

  1. Once you have disabled your LastPass account from using Sesame, open the Sesame app.
  2. Click to highlight your LastPass email address, then click Remove.
  3. When prompted, click Yes on the confirmation window.

Disable authentication for a new or lost device

If your phone number has changed or the mobile device used for authentication is lost, you can click I've lost my device on the Multifactor Authentication window. Once redirected, enter your LastPass email address and click Send Email to receive an email with instructions on how to disable Multifactor Authentication. If you do not receive the email, check your spam/junk email filters; you may also have a secondary security email enabled, in which case the email was sent there instead. If you are an Enterprise user, your account may have policies enforced that prevent disabling Multifactor Authentication via email. For these users, please contact your LastPass admin to disable it for you.

Troubleshooting

If you are running Mac OS X 10.11.6 (El Capitan) and encounter the error "cabundle.pkg error: This package is incompatible with this version of OS X and may fail to install", you may not need to install the cabundle.pkg. However, if Sesame reports that it has trouble connecting to LastPass due to an internet connectivity failure, your CA certificates might be outdated or corrupted. If this occurs, you can install the cabundle.pkg to update them.

The cabundle.pkg must update the certificates in your /usr directory. In Mac OS X 10.11.6 (El Capitan), this directory is protected by a new security feature called "System Integrity Protection" (SIP, also known as 'rootless') that prevents applications from changing files in protected system directories.

For this reason, you will need to disable SIP, install the cabundle.pkg, then re-enable SIP.

To disable SIP on your Mac, do the following:

  1. Boot up in Recovery Mode by restarting your Mac, then holding the CMD + R keys after you hear the startup chime.
  2. When the “OS X Utilities” screen is displayed, select the Utilities menu at the top of the screen, then select Terminal.
  3. Type the following command into the terminal: csrutil disable; reboot
  4. Press Enter on your keyboard.
  5. A message will be displayed that System Integrity Protection has been disabled, and that your Mac needs to restart for changes to take effect. Your Mac will then reboot itself automatically; let it boot up as normal.

Once you have installed the cabundle.pkg, you will need to re-enable SIP on your Mac, as follows:

  1. Boot up in Recovery Mode by restarting your Mac, then holding the CMD + R keys after you hear the startup chime.
  2. When the “OS X Utilities” screen is displayed, select the Utilities menu at the top of the screen, then select Terminal.
  3. Type the following command into the terminal: csrutil enable; reboot
  4. Press Enter on your keyboard.
  5. A message will be displayed that System Integrity Protection has been enabled, and that your Mac needs to restart for changes to take effect. Your Mac will then reboot itself automatically; let it boot up as normal.