Two-factor (or multi-factor) authentication is one of the most reliable ways to secure an account from being hacked. With two-factor authentication enabled, hackers can’t log in to your account, even if they know the password.
LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.
The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.
That’s why I recommend adding two-factor authentication to your LastPass account.
Become a Patron of Ask Leo! and go ad-free!
But first, back up
It’s not very likely, but when adding additional security, it’s possible a mis-step along the way could get you locked out of your LastPass account. The folks at LastPass do not have a back door to regain access to your account (should you lose your password, for example), so you’d likely be on your own.
My recommendation is that before enabling two-factor authentication, and especially if you’ve never used two-factor before, back up the contents of your LastPass vault and save it in a secure location.
Actually, my recommendation is to back up your LastPass vault periodically, regardless of whether you use two-factor or not. I back up mine monthly.
Two-factor improves security by adding a factor to identity authentication. In addition to knowing the account ID and password, you also prove you have something specifically associated with your account in your possession. The most common proof is an application, or app, running on your smartphone.
The free version of LastPass supports a number of apps, including Google Authenticator, Authy, Microsoft Authenticator, and LastPass’s own authentication application. The proof typically takes the form of entering a random number generated by the app when requested by LastPass at login time. The advantage is that no connectivity is required. Other forms of proof can include SMS messages or even a simple confirmation prompt from the app.
In addition, so-called “grid” authentication is supported. When set up, you’re given a 10 x 26 grid of random characters which you save. You prove that you are in possession of this grid by entering specific characters from the grid when requested. The advantage here is that you don’t need a phone, smart or otherwise.
We’ll set up a phone-number-based app two-factor, and we’ll also create a grid as a secondary safety net.
Enabling two-factor using an app
In your browser, log in to your LastPass account normally. Open your vault, click on your account name in the upper right, and click on Account Settings.
In account settings, click on the Multifactor Options tab.
On the Google Authenticator line, click on the pencil to the right.
First, change the “Enabled” setting to “Yes.”
Two items under “Enabled,” next to “Barcode”, click on View. You’ll need to re-enter your master password. (You’ll need to re-enter your master password at several steps in this process.)
This prevents someone from just walking up to your logged-in LastPass session and enabling two-factor without your consent.
LastPass will now display a QR Code, which they refer to as a barcode.
Install an app on your phone
What we’ve done so far prepares us to associate our LastPass account with an app installed on a smartphone — specifically the Google Authenticator.
This approach is compatible with other two-factor applications as well. I happen to prefer Authy, as it allows you to transfer the two-factor authentication more easily to another device should you ever replace your phone, or even to multiple devices if you care to.
Whichever application you choose, look for the option to add an account.
The instructions presented will have you “scan a QR code”. Select that option, which uses the phone’s camera. Point the camera at the QR code displayed on your computer by LastPass.
Once the QR code has been scanned, the application will display a seemingly random number for that account.
This number will change every 30 seconds, and is unique to your phone. Your ability to enter this number is what proves you have the phone (your second factor) in your possession.
Complete the association
Return to LastPass on your computer, where it should still be displaying the QR code. Click on Update. You’ll be asked to enter the code displayed on your two-factor device to confirm that everything is set up properly.
Once you do so, two-factor authentication is enabled for your LastPass account.
Create a grid as backup
If you lose your phone, you’ll have lost your second factor. One of the easiest ways to prepare for that is to create an alternative second factor you can use in its place.
Back on the Multifactor Options page in LastPass, click on the pencil at the far right of the Grid line.
As before, make sure that “Enabled” is set to Yes.
Click on the View and print link on the Grid line to see your grid in a new browser tab.
Save this image somewhere secure, and/or print it out and save the printout somewhere secure. If you plan to use the grid as your primary two-factor authentication mechanism, you may want to keep a copy in your wallet.
Click Update to enable grid two-factor authentication.
Set a default two-factor mechanism
With two (or more) options for two-factor authentication, we need to specify which is to be used by default, with the other remaining as an available backup should we need it.
At the bottom of the Multifactor Options screen is a setting: Default Multifactor Option. If you’ve followed along above, I recommend setting that to Google Authenticator.
Close the options window and you’re done.
Using LastPass two-factor authentication
The next time you log in to LastPass, you’ll be presented with an additional dialog after you enter your master password.
Enter the code currently displayed by the authenticator app on your phone to prove you have the phone — your second factor — in your possession.
Before you click on Authenticate, you can check “Trust this computer for 30 days”. This removes the two-factor requirement from this computer for this account for that time period. This means you don’t have to have your second factor every time you log in during that time period.
If this is a computer at home, and you can trust that others won’t log in as you, this is a reasonable setting, and is what I set myself. On the other hand, on a device with which I travel, such as my laptop, I do not check it.
If you don’t have your phone, or you’ve lost it, click on I’ve lost my Google Authenticator device. You’ll be emailed a link that will disable Google two-factor authentication on the account. (See note below.) Since we also set up grid two-factor authentication, your account remains protected. The next time you log in, it will now ask for grid data instead.
Once you’ve logged in successfully, you can return to the Multifactor Authentication settings and associate a new device, or turn off two-factor completely (though hopefully only as a temporary measure).
Chicken versus egg?
If you can’t log in to your email because the password is in LastPass, and you can’t log in to LastPass because you’ve lost your second factor, things get sticky. Instructions are to email support at LastPass for additional assistance. I reached out for clarification and received two pieces of interesting information:
- You may still be able to log in to your local copy of LastPass in “offline mode”. You can do this on any device you’d previously logged in on, as long as you have the correct master password, by disconnecting your computer from the internet. This simply uses the contents of your vault already on your computer, downloaded from that previous online login. If that works, you can then log in to your email normally. I’d also recommend backing up your vault right away if you hadn’t already, just in case.
- LastPass support can also disable the second-factor requirement from their end, but to do so, they need to verify that you are who you say you are. They do that by asking a series of questions relating to you, your LastPass account, and your recent activity in LastPass. You can see the list of questions asked here: LastPass Identity Verification. Needless to say, the barrier should be high so as to prevent someone from attempting to impersonate you. They can’t (or shouldn’t) reveal how much of the information you need to provide correctly, but the more you can provide, the better.
And as a final reminder: LastPass support does not know and cannot recover your master password. There are no back doors. If you forget your master password, you’ve lost the contents of your LastPass vault.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!