New Multifactor Authentication for LastPass

Image Showing LastPass and Google AuthenticatorI didn’t mention it in my previous post “Usable Browser Privacy & Security” but another Firefox plug-in I normally use is the popular online LastPass password manger. Well, the other day I noticed a new feature but hadn’t seen much discussion of it within the security community. Yes, I use LastPass and find it very useful in managing many of my passwords for low to medium value websites. I use roughly three different computers on most days and having to regularly sync a password archive across them is cumbersome so the online aspect of LastPass is a welcome solution.

Although I probably wouldn’t store high value passwords using an online service like this, LastPass provides an simple way to use different strong passwords for every site you need to authenticate to. It allows good password practices while keeping the web easy to use. For this reason I recommend it to many of my non-technical family and friends as a more transparent way for them to follow good password practices without too much of a usability hit.

The key to LastPass’s security is the master password a user creates for their archive. Of course it goes without saying that they need to choose a really strong password here. While the implementation details are somewhat complex … basically LastPass stores all passwords as an encrypted blob on their servers. Even LastPass supposedly can’t decrypt it since they never receive your master password. When a user logs in the browser plug-in downloads their blob and decrypts it on their local machine using the master password.

Although using a strong master password is a good first step, perhaps using multi-factor authentication is best used due to this authentication’s importance. That’s where LastPass comes in with several existing multi-factor options. In the past these factors included one-time passwords, grids, Sesame, Yubikey, smartcards, and fingerprints. All these options were great but none were industry heavyweights that could provide some type of de facto standard.

Well that all change about a week or so ago when LastPass announced support for Google Authenticator!


We’re happy to announce the inclusion of Google Authenticator as a new multifactor authentication option for LastPass. With the latest LastPass plugin and a supported mobile device, you can now use your phone in conjunction with your master password to generate a secure key that is needed to login to your account. Authenticator token support has been a hotly anticipated addition to LastPass, and we’re happy to make good on that obligation to our users.

Continued here.

So be sure to update LastPass’s plugin or application to the latest version to take advantage of this new feature. And if you have non-technical family and friends, you may want to suggest them trying it out as well. Although they may need help setting it up, it’s MUCH better than them using the same easy-to-guess password across all their sites.


I know many of us in the security community don’t trust online password managers like LastPass. However with support for multi-factor authentication, does this update add enough of a mitigation for it to be trustworthy? Let us know in the comments below. Today’s post image is brought to you be

4 comments for “New Multifactor Authentication for LastPass

  1. November 15, 2011 at 4:05 pm

    LastPass now to support Google Authenticator as 2nd factor to protect password db: < good but defeated by local malware

  2. November 15, 2011 at 10:48 pm

    I agree … but if you have malware on your computer … it’s already game over.

  3. Jakob Kudo
    November 16, 2011 at 4:41 pm

    I don’t trust this password management software it was hacked before

  4. November 16, 2011 at 10:39 pm

    Maybe. They just detected odd network behavior but really never knew if it was a true hack or not. LastPass did the right thing in assuming the worse, fixing the problem, and notifying their customers. I wish more companies would be like them … instead of hiding behind their lawyers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.