Two-factor (or multi-factor) authentication is one of the most reliable ways to secure an account from being hacked. With two-factor authentication enabled, hackers can’t log in to your account, even if they know the password.
LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.
The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.
That’s why I recommend adding two-factor authentication to your LastPass account.
But first, back up
It’s not very likely, but when adding additional security, it’s possible a mis-step along the way could get you locked out of your LastPass account. The folks at LastPass do not have a back door to regain access to your account (should you lose your password, for example), so you’d likely be on your own.
My recommendation is that before enabling two-factor authentication, and especially if you’ve never used two-factor before, back up the contents of your LastPass vault and save it in a secure location.
Actually, my recommendation is to back up your LastPass vault periodically, regardless of whether you use two-factor or not. I back up mine monthly.
Two-factor improves security by adding a factor to identity authentication. In addition to knowing the account ID and password, you also prove you have something specifically associated with your account in your possession. The most common proof is an application, or app, running on your smartphone.
The free version of LastPass supports a number of apps, including Google Authenticator, Authy, Microsoft Authenticator, and LastPass’s own authentication application. The proof typically takes the form of entering a random number generated by the app when requested by LastPass at login time. The advantage is that no connectivity is required. Other forms of proof can include SMS messages or even a simple confirmation prompt from the app.
In addition, so-called “grid” authentication is supported. When set up, you’re given a 10 x 26 grid of random characters which you save. You prove that you are in possession of this grid by entering specific characters from the grid when requested. The advantage here is that you don’t need a phone, smart or otherwise.
We’ll set up app-based two-factor using a smartphone, and we’ll also create a grid as a secondary safety net.
Enabling two-factor using an app
In your browser, log in to your LastPass account normally. Open your vault, click on your account name in the upper right, and click on Account Settings.
In account settings, click on the Multifactor Options tab.
On the Google Authenticator line, click on the pencil to the right.
First, change the “Enabled” setting to “Yes.”
Two items below “Enabled,” on the “Barcode” line, click on View. You’ll need to re-enter your master password. (You’ll need to re-enter your master password at several steps in this process.)
This prevents someone from just walking up to your logged-in LastPass session and enabling two-factor without your consent.
LastPass will now display a QR Code, which they refer to as a barcode.
Install an app on your phone
What we’ve done so far prepares us to associate our LastPass account with an app installed on a smartphone — specifically the Google Authenticator.
This approach is compatible with other two-factor applications as well. I happen to prefer Authy, as it allows you to transfer the two-factor authentication more easily to another device should you ever replace your phone, or even to multiple devices if you care to.
Whichever application you choose, look for the option to add an account.
The instructions presented will have you “scan a QR code”. Select that option, which uses the phone’s camera. Point the camera at the QR code displayed on your computer by LastPass.
Once the QR code has been scanned, the application will display a seemingly random number for that account.
This number will change every 30 seconds, and is unique to your phone. Your ability to enter this number is what proves you have the phone (your second factor) in your possession.
Complete the association
Return to LastPass on your computer, where it should still be displaying the QR code. Click on Update. You’ll be asked to enter the code displayed on your two-factor device to confirm that everything is set up properly.
Once you do so, two-factor authentication is enabled for your LastPass account.
Create a grid as backup
If you lose your phone, you’ll have lost your second factor. One of the easiest ways to prepare for that is to create an alternative second factor you can use in its place.
Back on the Multifactor Options page in LastPass, click on the pencil at the far right of the Grid line.
As before, make sure that “Enabled” is set to Yes.
Click on the View and print link on the Grid line to see your grid in a new browser tab.
Save this image somewhere secure, and/or print it out and save the printout somewhere secure. If you plan to use the grid as your primary two-factor authentication mechanism, you may want to keep a copy in your wallet.
Click Update to enable grid two-factor authentication.
Set a default two-factor mechanism
With two (or more) options for two-factor authentication, we need to specify which is to be used by default, with the other remaining as an available backup should we need it.
At the bottom of the Multifactor Options screen is a setting: Default Multifactor Option. If you’ve followed along above, I recommend setting that to Google Authenticator.
Close the options window and you’re done.
Using LastPass two-factor authentication
The next time you log in to LastPass, you’ll be presented with an additional dialog after you enter your master password.
Enter the code currently displayed by the authenticator app on your phone to prove you have the phone — your second factor — in your possession.
Before you click on Authenticate, you can check “Trust this computer for 30 days”. This removes the two-factor requirement from this computer for this account for that time period. This means you don’t have to have your second factor every time you log in during that time period.
If this is a computer at home, and you can trust that others won’t log in as you, this is a reasonable setting, and is what I set myself. On the other hand, on a device with which I travel, such as my laptop, I do not check it.
If you don’t have your phone, or you’ve lost it, click on I’ve lost my Google Authenticator device. You’ll be emailed a link that will disable Google two-factor authentication on the account. (See note below.) Since we also set up grid two-factor authentication, your account remains protected. The next time you log in, it will now ask for grid data instead.
Once you’ve logged in successfully, you can return to the Multifactor Authentication settings and associate a new device, or turn off two-factor completely (though hopefully only as a temporary measure).
Chicken versus egg?
If you can’t log in to your email because the password is in LastPass, and you can’t log in to LastPass because you’ve lost your second factor, things get sticky. Instructions are to email support at LastPass for additional assistance. I reached out for clarification and received two pieces of interesting information:
- You may still be able to log in to your local copy of LastPass in “offline mode”. You can do this on any device you’d previously logged in on, as long as you have the correct master password, by disconnecting your computer from the internet. This simply uses the contents of your vault already on your computer, downloaded from that previous online login. If that works, you can then log in to your email normally. I’d also recommend backing up your vault right away if you hadn’t already, just in case.
- LastPass support can also disable the second-factor requirement from their end, but to do so, they need to verify that you are who you say you are. They do that by asking a series of questions relating to you, your LastPass account, and your recent activity in LastPass. You can see the list of questions asked here: LastPass Identity Verification. Needless to say, the barrier should be high so as to prevent someone from attempting to impersonate you. They can’t (or shouldn’t) reveal how much of the information you need to provide correctly, but the more you can provide, the better.
And as a final reminder: LastPass support does not know and cannot recover your master password. There are no back doors. If you forget your master password, you’ve lost the contents of your LastPass vault.
18 comments on “Enable Two-Factor Authentication in LastPass”
I notice you recommended Google Authenticator and Grid, but didn’t mention LastPass Authenticator. Any reason why?
Also, how can you take advantage of these tools on other website? I figured out how to use Dropbox with LastPass Authenticator, but can’t figure it out for my bank or other places.
LastPass authenticator is good, as is Authy. They’re both the equivalent of Google Authenticator, and use the same technology.
You can only use two-factor on sites that support it. So you’d have to ask your bank.
Hi, I’m not very computer savvy, so could you please explain how to Back-Up my vault? Thank you.
Please read the article you are commenting on as it has details on that.
This article from the Read More section explains how to do that:
I just looked at that article and found that LastPass has changed the backup steps since that article was written. These are the steps:
Click on the LastPass icon.
Select “More options” from the pulldown.
Click “Advanced” from the resulting pulldown.
Click “LastPass CSV” file.
Follow the instructions from there.
I am a retired software engineer with degrees in systems engineering and electrical engineering. I developed software for cell phones and base stations, so I am not exactly naive about computers and such. I have used smart phones while I had to deal with people and situations. Lately, I just don’t want the expense and the bother. I use a dumb phone when I am away from home just for calls and occasionally to receive a text message. I rely on my home computer at home, or my laptop when I am traveling. This is why I have not taken advantage of two-factor authorization. It assumes that one is using a smart phone. I am sure that I am not the only one.
The nearest to a solution for me is what you glossed over, “The Grid”. Since you did not elaborate on its usage and possible negative aspects, I will look into it. Thanks for pointing it out.
If you can get a text on your phone, then you can use two-factor, since the codes are mostly sent through text messages.
LastPass actually has several alternatives to using Google Authenticator — I simply focused on it as being the most popular and flexible for most people. Definitely check out the Lastpass site for more info.
Authy has an app that you can install on a desktop / laptop computer – I switched from Google Authenticator to Authy as I found it more user friendly and it has its own passcode – hope that helps
I tried using LastPass but my bank requires a password to sign on, and another to do transactions. Lastpass won’t allow 2 or more passwords at once, so I have had to delete it.
That’s no reason to delete LastPass. It will work for many other sites. And for your bank site you can use it for a secure notepad where you can keep your passwords in case you need to look them up. Also, if the two passwords are used in different places on the bank’s website I think you will find that LastPass can handle it.
Rather than deleting it, how about using it just for the other sites with which it does work?
Just last week, I received an email from LastPass to that regard and I very quickly obliged. Now that I have two-factor authentication all setup for LastPass, I feel more secure. But, what I didn’t know is that one can actually backup one’s LastPass vault. I found that totally amazing and really interesting.
A great many thanks Leo for doing what you are doing: “Making technology work for everyone”. I always find something new to learn every time I read one of your helpful articles.
Currently, LastPass Authenticator is enabled, and when entering the master password there is a button “Send code with SMS” in the Authenticator dialog; the code is received by SMS on the smartphone, so we are authenticated by SMS.
Leo says that SMS authentication is excellent, should you use Google authentication?
There is a vulnerability in using SMS authentication, (see linked article). So there is an advantage to using Authy, Google Authenticator or the Last Pass Authenticator app.
Hi Leo & Guys,
Is the SESAME 2FA a good option for LASTPASS? I work between my 8 year old Mac computer & Samsung Tablet. I don’t work on my Samsung phone much — but the option is there. I thought of using Sesame for the Mac & the Grid for my Tablet. I am 77 years old so nowhere in your league, & where I live in South Australia we cannot always get hold of the latest Tech. If you could help I would be very grateful. Sincere Thanks. Norm Bloom.
If it’s supported by LastPass I would consider it good, though it’s not something I’ve used myself. This post comparing it to YubiKey might help identify some of the differences with other techniques: https://lastpass.com/support.php?cmd=showfaq&id=1336