While LastPass is very convenient and I want to be as cautious as possible when putting all of my eggs (passwords) in one basket. I have two factor authentication enabled has native YubiKey support as a second authentication factor
Protections:
- LastPass Premium – alows simple use of unique passwords for each account
- Typed/Remembered Password – protects from a stolen YubiKey allowing access to your vault
- YubiKey OTP – Prevents a keylogger from allowing access to your LastPass Vault
- YubiKey Static Password – ensures your Master Password is strong enough to prevent an attacker from brute forcing your password if they are able dump the LastPass database
What you need:
- At least 2 YubiKeys. I recommend the YubiKey 4 or YubiKey Neo. Personally, I don’t like the YubiKey Nano 4, because it suggest being left in a computer, which reduces its value as a second factor. The FIDO U2F Security Key will not work for this.
- YubiKey Personalization Tool
- LastPass Premium
Setup Your YubiKey
- Launch the YubiKey Personalization Tool
- Select "Static Password Mode"
- Click the "Scan Code" button
- Select:
- Configuration Slot 2
- Program Multiple YubiKeys
- Keyboard: US Keyboard
- Enter a stong password
- Insert each YubiKey, and click "Write Configuration"
Configure LastPass
- Open your LastPass Vault and Click Account Settings
- If you have not already configured your Yubikey as a second factor
- Click Multifactor Options, Scroll down to yubico, Click the pencil
- Set Enabled to Yes
- If you use iOS, you will want to set Permit Mobile Device Access to Allow, even though it is slightly less secure
- Pick which ever option you like for Permit Offline Access. Since you should only be loging in to LastPass from trusted computers, there not much of a security risk
- For each of your YubiKeys, put the cursor in a YubiKey box and press the button on the YubiKey
- When all of your YubiKeys have been entered, click Update
- Under the General tab, Change Master Password. For your new master password, type a good password (it can be your current password), followed by the password in your YubiKey. This is the only time you will have to type the YubiKey password.
Use
Now when you log into LastPass, you will type your password, insert your YubiKey, press the YubiKey button for 2 seconds. The YubiKey will type its portion of your master password and <enter>. LastPass will prompt you for your second factor. Use a short press on the YubiKey button to enter the YubiKey OTP code.
Mobile Protection
Since my iPhone SE is not compatible with YubiKeys, I had to take a different approach. This one phone is the only mobile device allowed to access my account (restricted by UUID). I authorized it using the Google Authenticator app before disabling Google Authenticator. My phone is protected by TouchID and the LastPass app is protected by a PIN. I store the "YubiKey portion" of my master password in NoteCrypt which is proteced by a different/shorter password.
NoteCrypt https://itunes.apple.com/tc/app/notecrypt-encrypted-notes/id897154139 which appears to be developed by Tom King (LinkedIn). While I can’t audit what NoteCrypt actually does, it says all of the right things about encryption and password based key derivation. It also costs $2.99, so there is an economic model that doesn’t involve ads or selling of user data. Finally, the developer’s LinkedIn profile looks respectable.