YubiKey is a key-sized device that you can plug into your computer’s USB slot to provide another layer of security when accessing your LastPass account. YubiKeys are secure, easy-to-use two-factor authentication devices that are immune from replay attacks, man-in-the-middle attacks, and a host of other threat vectors.
YubiKey is a Premium feature, and the device must be purchased through Yubico.com.
Limitations and Compatibility
Up to 5 YubiKeys can be associated with one LastPass account.
YubiKey 4 & YubiKey 4 Nano: works with all major browsers on Windows, Mac, and Linux computers with a USB port.
Update: LastPass add-on on mobile Firefox on Android now supports YubiKey authentication with a USB port (similar to how it works on desktop).
YubiKey NEO: works with all major browsers on Windows, Mac, and Linux computers with a USB port as well as Android devices that are NFC enabled.
Enabling YubiKey with LastPass
- Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings > Multifactor Options > YubiKey:
- To add a new YubiKey to your LastPass account, insert the device into your USB port, click in the first empty YubiKey field, and lightly press the button on your YubiKey that has the wifi icon or the “Y” in the middle.
- After the field is filled, you can specify your YubiKey preferences:
- YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you log in to LastPass.
- Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled. The options are:
  - Allow: allows users to bypass YubiKey authentication steps on all mobile devices.
  - Allow Except Android/Windows Phone: this setting is helpful for users who use the LastPass mobile app on multiple operating systems (iOS and Android, for example). It will allow users to bypass YubiKey authentication on iOS devices and prompt for YubiKey on Android.
  - Disallow: Android users may use this setting to get prompted for YubiKey to log into their accounts using the LastPass Android app AND the LastPass add-on on mobile Firefox.
- Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since YubiKey OTPs cannot be validated, and only the static portion of the key is validated.
- Toggle “Enabled” to Yes.
- Click Update
To disassociate a YubiKey device from your LastPass account, simply clear the entire input field of all characters and click ‘Update’.
Logging In with YubiKey
Now that you have enabled your YubiKey device, the next time you log in to your LastPass account, you will be prompted to enter your YubiKey code. Simply click your LastPass Icon to log in as normal, enter your email and Master Password, then submit. However, you will now be asked by LastPass to press your YubiKey device to enter the code:
*Note: The YubiKey’s static portion is used to doubly encrypt your local vault file. This means that while in offline mode, you will only be able to log in with the YubiKey that was used to encrypt the current vault file.
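To make the “static portion” concrete, the following added example (not LastPass or Yubico code) splits a standard 44-character Yubico OTP into its fixed public ID and its one-time part, and shows why a check that compares only the public ID cannot reject a replayed OTP. The sample OTPs are constructed, and `static_only_check` and `OnlineCheckModel` are hypothetical names; the latter is a stand-in for a validation service.

```python
MODHEX = "cbdefghijklnrtuv"      # Yubico's layout-independent hex alphabet
OTP_LEN, DYNAMIC_LEN = 44, 32    # standard Yubico OTP: 12-char ID + 32-char one-time part

def split_otp(otp):
    """Return (static public ID, one-time part) of a standard Yubico OTP."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    return otp[:-DYNAMIC_LEN], otp[-DYNAMIC_LEN:]

def modhex_to_bytes(s):
    """Decode modhex: each character maps to the hex digit at the same index."""
    return bytes.fromhex("".join("0123456789abcdef"[MODHEX.index(c)] for c in s))

def static_only_check(otp, enrolled_id):
    """Offline-style check: only the public ID is compared, freshness is unknown."""
    return split_otp(otp)[0] == enrolled_id

class OnlineCheckModel:
    """Hypothetical stand-in for a validation service. A real one decrypts the
    one-time part and checks its counters; remembering used values models that."""
    def __init__(self, enrolled_id):
        self.enrolled_id = enrolled_id
        self.used = set()

    def check(self, otp):
        public_id, one_time = split_otp(otp)
        if public_id != self.enrolled_id or one_time in self.used:
            return False
        self.used.add(one_time)
        return True

# Constructed sample values (not output from a real device).
ENROLLED_ID = "ccccccbcgujh"
OTP_FIRST = ENROLLED_ID + "bdefghijklnrtuvc" * 2
OTP_SECOND = ENROLLED_ID + "vutrnlkjihgfedbc" * 2

def demo():
    online = OnlineCheckModel(ENROLLED_ID)
    return {
        "static_first": static_only_check(OTP_FIRST, ENROLLED_ID),
        "static_replay": static_only_check(OTP_FIRST, ENROLLED_ID),
        "online_first": online.check(OTP_FIRST),
        "online_replay": online.check(OTP_FIRST),
        "online_second": online.check(OTP_SECOND),
    }

if __name__ == "__main__":
    print(modhex_to_bytes(ENROLLED_ID).hex(), demo())
```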
Using a VIP YubiKey with LastPass
The VIP-enabled YubiKey (http://yubico.com/vip) has two configuration slots. When the VIP-enabled YubiKey is shipped, its first configuration slot is factory-programmed for Symantec VIP credentials, and the second configuration slot is programmed with a standard Yubico OTP configuration that is dormant and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently, and each can be independently reconfigured into OTP or static password mode.
If you touch and hold the YubiKey button for 1-3 seconds before releasing, the first configuration slot will emit the password (based on the slot 1 configuration). If you touch and hold the YubiKey button for about 4-5 seconds before releasing, the second configuration slot will emit the password (based on the slot 2 configuration). If you happen to touch and hold it for more than 5 seconds, the touch button indicator will flash rapidly without emitting any password.
As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.
To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:
- First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: http://www.yubico.com/products/services-software/personalizationtools/use/ under the section “Cross platform personalization tools”. There are a number of different installers for various operating systems – pick the installer for your operating system.
- Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.
- In the Cross-Platform Personalization Menu, open the “Settings” menu by clicking on the link “Update Settings” on the main page or the “Settings” option from the menu at the top.
- In the Settings menu, locate the Update Settings button in the lower right corner and click on it.
- The Update YubiKey Settings menu should be displayed. If this is not the case, confirm you have a VIP YubiKey with a firmware version of 2.3.0 or above.
- Locate the section labelled Configuration Slot and select Configuration Slot 2.
- Locate the checkbox labelled Dormant and ensure the box is not checked.
- Locate the Configuration Protection section, and open the menu labelled “YubiKey(s) unprotected – Keep it that way”. From this menu, select the option “YubiKey(s) protected – Keep it that way”.
- This will activate the “Current Access Code” field in the Configuration Protection section. Enter your VIP YubiKey’s current access code, which will be five 0s followed by the YubiKey’s serial number in Decimal format, as reported by the Personalization tool. If your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”.
- Press the Button labelled “Update” to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.
Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit http://www.yubico.com/aes-key-upload
Using the YubiKey NEO
After you’ve registered the YubiKey with your LastPass account, ensure that mobile access is “disallowed” in your LastPass Icon > My LastPass Vault > Account Settings link > YubiKey tab.
Now you can use the YubiKey NEO when logging in via the LastPass Android app, or use it as a normal YubiKey on your desktop.
Make sure that the NFC settings are enabled for your Android device. When prompted for the YubiKey, you simply have to place your YubiKey on the back of your phone for a moment.
YubiKey NEO with Windows Phone 8 App
It is a known issue that the YubiKey NEO does not work with the LastPass Windows Phone app. Yubico has confirmed that, because of the non-industry-standard way NFC is implemented on Windows Mobile devices, those devices can have trouble reading the YubiKey NEO: the NEO emits both the NFC data and an RFID identifier, which causes issues with Windows devices.