Ever since I started using Lastpass Premium, I have been using Two-Factor Authentication (TFA). First with printed OTPs, then Google Authenticator on my Android.

The only reason why I thusfar not considered using Yubikey as my TFA was the missing ability to use it on my android phone. But especially on the PHONE I want TFA, because it is in much higher danger of being stolen. But the traditional Yubikeys dont work on phones.

But the guys @ Yubico came up with the Yubikey Neo (http://yubico.com/yubikey-neo)

The Yubikey Neo is NFC-enabled and works perfectly in tandem with my Samsung Galaxy Nexus. I can now safely use Lastpass on my Android with TFA, and I don’t have to worry about the security of my passwords when my phone gets stolen.

Here is how to do it:

  1. Get a Lastpass Premium Account 
  2. Get a Yubikey Neo
  3. Register the Yubikey with your Lastpass account
  4. “Disallow” mobile access in the Lastpass account settings. 
  5. Download the Personalization Tool 
  6. Select the “Write an NDEF configuration (YubiKey NEO only)” option
  7. Then select URI record type, identifier=https:// and URI string lastpass.com/mobile/?otp=
  8. press NEXT twice to get to the programming page and press the RUN button to write the NDEF2 string to your YubiKey NEO.
  9. Enjoy :) (make sure you have the Lastpass App installed on your Phone)

The Yubikey Neo can be used on any Computer like a normal Yubikey and on any NFC enabled phone. Fantastic, isn’t it ?

~~ sebastian

Update 1, 13.03.2012: Thanks to a comment from Evelina @ Yubico, I changed the above howto to include the need to change your lastpass account settings to “disallow” mobile access. This setting will enforce the YubiKey TFA on  mobile devices.