Lastpass & Yubikey Neo
Ever since I started using Lastpass Premium, I have been using Two-Factor Authentication (TFA). First with printed OTPs, then Google Authenticator on my Android.
The only reason why I thusfar not considered using Yubikey as my TFA was the missing ability to use it on my android phone. But especially on the PHONE I want TFA, because it is in much higher danger of being stolen. But the traditional Yubikeys dont work on phones.
But the guys @ Yubico came up with the Yubikey Neo (http://yubico.com/yubikey-neo)
The Yubikey Neo is NFC-enabled and works perfectly in tandem with my Samsung Galaxy Nexus. I can now safely use Lastpass on my Android with TFA, and I don’t have to worry about the security of my passwords when my phone gets stolen.
Here is how to do it:
- Get a Lastpass Premium Account
- Get a Yubikey Neo
- Register the Yubikey with your Lastpass account
- “Disallow” mobile access in the Lastpass account settings.
- Download the Personalization Tool
- Select the “Write an NDEF configuration (YubiKey NEO only)” option
- Then select URI record type, identifier=https:// and URI string lastpass.com/mobile/?otp=
- press NEXT twice to get to the programming page and press the RUN button to write the NDEF2 string to your YubiKey NEO.
- Enjoy (make sure you have the Lastpass App installed on your Phone)
The Yubikey Neo can be used on any Computer like a normal Yubikey and on any NFC enabled phone. Fantastic, isn’t it ?
Update 1, 13.03.2012: Thanks to a comment from Evelina @ Yubico, I changed the above howto to include the need to change your lastpass account settings to “disallow” mobile access. This setting will enforce the YubiKey TFA on mobile devices.
Hi, thank you for a great blog post and how to-guide! Please just note that it’s necessary to “disallow” mobile as well on the LastPass account page, which is necessary to make the LastPass app on Android to request an OTP.
thanks a lot for you comment. I have included your suggestion in my post.
May I make a suggestion as well?
The page http://helpdesk.lastpass.com/security-options/yubikey-authentication/#Using+a+YubiKey+NEO+with+LastPass includes an email address under point 3. Also, using the full email address doesn’t work, since the tag gets truncated. The correct URI would be
“https://lastpass.com/mobile/?otp=”. Including a username is not necessary, since the Lastpass Android app is able to remember the username.
Hi, thank you! And of course – suggestions and feedback are always very welcome. You are right that the email/username is not necessary. We’ve forwarded your suggestion to LastPass.