YubiKey Multifactor Authentication
YubiKey is a key-sized device that you can plug into your computer’s USB slot or scan using an NFC-enabled mobile device to provide an additional layer of security when accessing your LastPass account. YubiKeys are secure, easy-to-use Two-Factor Authentication devices that are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors. Please note that YubiKey is a paid account feature, and the device must be purchased through Yubico.com.
For LastPass admins, it is recommended that you complete the steps for enabling Multifactor Authentication in the Admin Console.
For LastPass users, it is required that you follow all steps in Enable Multifactor Authentication (Users) before proceeding.
Please note that if you have more than 1 Multifactor Authentication option enabled for your account, you must select your desired default authentication option from the drop-down menu at the bottom of your Multifactor Options window in order to be prompted to authenticate with your preferred option when logging in to LastPass.
- Up to 5 YubiKeys can be associated with each LastPass account.
- YubiKey works with all major web browsers on Windows, Mac, and Linux computers equipped with a USB port.
- YubiKey NEO works with all major web browsers on Windows, Mac, and Linux computers equipped with a USB port, as well as iOS and Android devices that are NFC-enabled.
Not sure which YubiKey you have? You can identify your YubiKey to help you understand the ways you can use it to authenticate.
Once you have purchased and received your YubiKey, click the Edit icon for Yubico, then finish the setup process as follows:
- Plug your YubiKey device into the USB port of your computer.
- Click within the YubiKey #1 field.
- Lightly press your YubiKey device button (that has the Wi-Fi icon or "Y" in the center) to automatically fill in the YubiKey #1 field.
- Once filled, you can specify your YubiKey preferences as follows:
- For the "Enabled" option, use the drop-down menu to select Yes. Once enabled, you will be prompted to enter the YubiKey data the next time you log in to LastPass from your iOS or Android device, or from your desktop.
- The "Permit access from incompatible mobile devices" option controls whether mobile devices that are not equipped with an NFC reader will be allowed to bypass YubiKey Multifactor Authentication when enabled. The following settings only apply to LastPass accounts used on an iPhone 6S or older running iOS 10 or earlier, or on select Android devices, which lack an NFC reader. Use the drop-down menu to select from the following options:
- Select Allow if you want to use older mobile devices to access the LastPass mobile app.
Note: When selecting this option, you are required to set up and enable at least 1 additional Multifactor Authentication option so that when you access LastPass from a mobile device lacking an NFC reader, you can still authenticate by using your other enabled Multifactor Authentication option when prompted.
- Select Disallow if you want to prohibit access from older mobile devices to the LastPass mobile app (due to being unable to authenticate with YubiKey).
- For the "Permit Offline Access" option, use the drop-down menu to choose from the following:
- Select Allow if you wish to allow access to YubiKey even when you are offline. This will store an encrypted Vault locally so you can log in without using Multifactor Authentication in case of a connectivity issue.
- Select Disallow to prevent offline access, which requires you to use Multifactor Authentication and to be connected to the internet when using YubiKey Authentication.
- Click Update when finished.
To disassociate a YubiKey device from your LastPass account, clear the entire YubiKey input field of all characters and click Update.
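What the button press types into the YubiKey #1 field is a Yubico OTP: a modhex string whose last 32 characters are an AES-encrypted one-time token and whose leading characters (12 by default) are the key's fixed public ID. The sketch below is an added example, not LastPass or Yubico code; the `EnrolledKeys` class, its result strings and the sample OTPs are hypothetical and constructed for illustration.

```python
import re

MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex nibble i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
TOKEN_CHARS = 32              # 16-byte AES-128 block, always the last 32 characters
_OTP_RE = re.compile(r"(?:[cbdefghijklnrtuv]{2}){16,32}")  # 0-16 byte public ID + token

def modhex_decode(text):
    return bytes.fromhex(text.translate(_TO_HEX))

def parse_otp(raw):
    """Split a Yubico OTP into (public_id, encrypted_token_bytes)."""
    otp = raw.strip().lower()
    if not _OTP_RE.fullmatch(otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-TOKEN_CHARS], modhex_decode(otp[-TOKEN_CHARS:])

class EnrolledKeys:
    """Hypothetical account-side pre-check; not LastPass's implementation."""
    MAX_KEYS = 5              # the page's limit of YubiKeys per account

    def __init__(self):
        self.public_ids, self.seen_tokens = set(), set()

    def enroll(self, otp):
        public_id, _ = parse_otp(otp)
        if public_id not in self.public_ids and len(self.public_ids) >= self.MAX_KEYS:
            raise ValueError("account already has 5 YubiKeys")
        self.public_ids.add(public_id)

    def precheck(self, otp):
        try:
            public_id, token = parse_otp(otp)
        except ValueError:
            return "malformed"
        if public_id not in self.public_ids:
            return "unknown-key"
        if token in self.seen_tokens:
            return "replayed"         # identical OTP submitted twice
        self.seen_tokens.add(token)
        # Decrypting the token and comparing its use counters needs the AES key,
        # so the authoritative replay check happens on the validation server.
        return "send-to-validation-server"

# Constructed sample OTPs (not captured from a real device).
KEY_A, KEY_B = "ccccccbdefgh", "ccccccvutrnl"
OTP_A1 = KEY_A + "ijklnrtuvcbdefgh" * 2
OTP_A2 = KEY_A + "hgfedbcvutrnlkji" * 2
OTP_B1 = KEY_B + "ijklnrtuvcbdefgh" * 2
```

Two presses of the same key share the public ID prefix while the encrypted part differs, which is why a single press is enough to associate a key with the account and a captured OTP cannot be reused.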
Now that you have enabled your YubiKey device, the next time you log in to your LastPass account, you will be prompted to press your YubiKey device to enter the code.
- Log in to LastPass.
- Insert your YubiKey device into the USB port of your computer.
- When prompted with the YubiKey Multifactor Authentication window in LastPass, wait until your YubiKey touch-button shines with a steady light, then hold your fingertip on the touch-button for 1 second to authenticate.
- If desired, check the box to enable the option, "Trust this computer for 30 days" and provide a computer name, then click Authenticate. Learn more about managing your trusted devices.
Now that you have enabled your YubiKey device, the next time you log in to your LastPass account, you will be prompted to hold your YubiKey up to the NFC reader of your mobile device to authenticate, as follows:
- Log in to the LastPass mobile app for iOS or Android.
- When the Yubico screen is displayed, you can toggle to enable the option, "Trust this device" so that LastPass doesn't prompt you to authenticate for 30 days (learn more about trusted mobile devices). Otherwise, tap Next.
- When prompted by the "Ready to Scan" screen, hold your YubiKey up to the NFC reader on the back of your mobile device to authenticate.
- Once authenticated, you will be logged in to the LastPass mobile app.
Having trouble with YubiKey on your iOS device?
If you're encountering issues with setting up or using YubiKey NEO to authenticate your LastPass account on your iOS device, please verify the following:
- You are using a YubiKey NEO which can be used with USB-A ports and an NFC reader. You can identify your YubiKey to ensure you are using YubiKey NEO.
- You are using an iPhone 7 or newer and running iOS 11 or later.
- The YubiKey NEO's NDEF tag is correctly configured using the YubiKey Personalization Tool.
- Your YubiKey and/or mobile device's NFC reader is working properly – you can test this by downloading an NFC reading app for iOS or Android and scanning your YubiKey.
- If your YubiKey cannot be recognized on either an iOS or Android device, the issue may be with the YubiKey itself. Check your YubiKey configuration settings and be sure that the NFC reader on your mobile device is enabled. You can also check your YubiKey's warranty.
- If your YubiKey cannot be recognized on your iOS device but can be recognized on Android, the issue may be with the NFC reader within your iOS device. Check your settings to be sure that the NFC reader on your iOS device is enabled, or contact your device manufacturer for more information.
- You have a valid YubiCloud credential configured on the NEO by testing at https://demo.yubico.com.
The VIP enabled YubiKey (http://yubico.com/vip) has two configuration slots. When the VIP enabled YubiKey is shipped, its first configuration slot is factory programmed for Symantec VIP credentials. The second configuration slot is programmed with a standard Yubico OTP that is dormant in the second identity slot, and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently, and each can be independently reconfigured into OTP or static password mode.
If you touch and hold the YubiKey touch-button for 1-3 seconds before releasing, the first configuration slot will emit the password (based on slot 1 configuration). If you touch and hold the YubiKey button for about 4-5 seconds before releasing, the second configuration slot will emit the password (based on slot 2 configuration). If you touch and hold it for more than 5 seconds, the touch-button indicator will flash rapidly without emitting any password.
As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.
To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:
- First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: http://www.yubico.com/products/services-software/personalizationtools/use/ under the section “Cross platform personalization tools”. There are a number of different installers for various operating systems – pick the installer for your operating system.
- Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.
- In the Cross-Platform Personalization Menu, open the Settings menu by clicking on the Update Settings hyperlink on the main page or the Settings option from the menu at the top.
- In the Settings menu, click Update Settings in the lower right corner.
- The Update YubiKey Settings menu should be displayed. If this is not the case, confirm you have a VIP YubiKey with a firmware version of 2.3.0 or later.
- Locate the "Configuration Slot" section and select Configuration Slot 2.
- Locate the option "Dormant" and ensure the box is not checked.
- Locate the "Configuration Protection" section, and open the menu “YubiKey(s) unprotected – Keep it that way”.
- From this menu, select the option YubiKey(s) protected – Keep it that way.
- This will activate the Current Access Code field in the "Configuration Protection" section.
- Enter your VIP YubiKey’s current access code, which will be 00000 followed by the YubiKey’s serial number (in Decimal format) as reported by the Personalization tool.
- If your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”
- Click Update to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.
Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit http://www.yubico.com/aes-key-upload.