A YubiKey is a key-sized device that you can plug into your computer’s USB slot to provide another layer of security when accessing your LastPass Account. YubiKeys are a secure, easy to use, two-factor authentication device that are immune from replay-attacks, man-in-the-middle attacks, and a host of other threat vectors.
Up to 5 YubiKeys* can be associated with one LastPass account.
Adding Your YubiKey
Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings and clicking on the ‘YubiKeys’ tab:
To add a new YubiKey to your LastPass account, enter the device in your USB port, click in the first empty YubiKey field, and lightly press your YubiKey on the grooved circle. You will need to enter your LastPass Master Password to save any updates you have made to your YubiKey settings.
After the field is filled, you can specify your YubiKey preferences:
YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you login to LastPass.
Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled.
Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since YubiKey OTPs can not be validated, and only the static portion of the key is validated.
To begin using your YubiKey, be sure that the ‘YubiKey Authentication’ field is marked as ‘Enabled’.
To save changes to your YubiKey preferences, click ‘Update’ before exiting the Account Settings dialog.
To disassociate a YubiKey device with your LastPass account, simply clear the entire input field of all characters and click ‘Update’.
Logging In with YubiKey
Now that you have enabled your YubiKey device, the next time you login to your LastPass account, you will be prompted to enter your YubiKey code. Simply click your LastPass Icon to login as normal, enter your email and Master Password, then submit. However, you will now be asked by LastPass to press your YubiKey device to enter the code:
Using a VIP YubiKey with LastPass
The VIP enabled YubiKey (http://yubico.com/vip) has two configuration slots. When the VIP enabled YubiKey is shipped, it’s first configuration slot is factory programmed for Symantec VIP credentials and the second configuration slot programmed with a standard Yubico OTP is dormant in the second identity slot and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently and each can be independently reconfigured into OTP or static password mode.
If you touch and hold the YubiKey button between 1-3 seconds before releasing, the first configuration slot will emit the password (based on slot 1 configuration). And if you touch and hold the YubiKey button about 4-5 seconds before releasing, the second configuration slot will emit the password (based on slot 2 configuration). In case if you happen to touch and hold it longer for more than 5 seconds, the touch button indicator will flash rapidly without emitting any password.
As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.
To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:
- First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: http://www.yubico.com/products/services-software/personalizationtools/use/ under the section “Cross platform personalization tools”. There are a number of different installers for various operating systems – pick the installer for your operating system.
- Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.
- In the Cross-Platform Personalization Menu, open the “Settings” menu by clicking on the link “Update Settings” on the main page or the “Settings” option from the menu at the top.
- In the Settings menu, locate the Update Settings button in the lower right corner and click on it.
- The Update YubiKey Settings menu should be displayed. If this is not the case, confirm you
have a VIP YubiKey with a firmware version of 2.3.0 or above.
- Locate the section labelled Configuration Slot and select Configuration Slot 2
- Locate the checkbox labelled Dormant and ensure the box is not checked
Locate the Configuration Protection section, and open the menu labelled “YubiKey(s)
unprotected – Keep it that way”. From this menu, select the option “YubiKey(s) protected –
Keep it that way”.
- This will activate the “Current Access Code” field in the Configuration Protection section. Enter
your VIP YubiKey’s current access code, which will be five 0s followed by the YubiKey’s serial
number in Decimal format, as reported by the Personalization tool.
If your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”
- Press the Button labelled “Update” to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.
Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit the link below:
Video Tutorial for Using LastPass with YubiKey
How to use LastPass with YubiKey NEO
After you’ve registered the YubiKey with your LastPass account, ensure that mobile access is “disallowed” in your LastPass Icon > My LastPass Vault > Account Settings link > YubiKey tab.
Now you can use the YubiKey NEO when logging in via the LastPass Android app or used as a normal YubiKey on your desktop.
Make sure that the NFC settings are enabled for your Android device. When prompted for the Yubikey, you simply have to place your Yubikey on the back of your phone for a moment.