Yubikey Authentication


A YubiKey is a key-sized device that you can plug into your computer’s USB slot to provide another layer of security when accessing your LastPass Account. YubiKeys are a secure, easy to use, two-factor authentication device that are immune from replay-attacks, man-in-the-middle attacks, and a host of other threat vectors.

YubiKey support is a Premium and Enterprise feature, and the device must be purchased through Yubico.com for $25.

Up to 5 YubiKeys can be associated with one LastPass account.



Adding Your YubiKey


Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings and clicking on the ‘Multifactor Options’ tab > ‘YubiKey’ radio button:


To add a new YubiKey to your LastPass account, enter the device in your USB port, click in the first empty YubiKey field, and lightly press your YubiKey on the grooved circle. You will need to enter your LastPass Master Password to save any updates you have made to your YubiKey settings.

After the field is filled, you can specify your YubiKey preferences:

YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you login to LastPass.

Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled.

Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since YubiKey OTPs can not be validated, and only the static portion of the key is validated.

To begin using your YubiKey, be sure that the ‘YubiKey Authentication’ field is marked as ‘Enabled’.

To save changes to your YubiKey preferences, click ‘Update’ before exiting the Account Settings dialog.

To disassociate a YubiKey device with your LastPass account, simply clear the entire input field of all characters and click ‘Update’.



Logging In with YubiKey


Now that you have enabled your YubiKey device, the next time you login to your LastPass account, you will be prompted to enter your YubiKey code. Simply click your LastPass Icon to login as normal, enter your email and Master Password, then submit. However, you will now be asked by LastPass to press your YubiKey device to enter the code:

Yubikey Auth

If you would like to leave YubiKey authentication enabled but do not want to enter it every time you login to a particular device, simply check the trusted computer option before swiping your YubiKey.



Administrating YubiKey in Enterprise


You can require Yubikey for your users via the ‘Require use of YubiKey’ policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the ‘Setup’ tab > ‘Add Policy’ button > Select ‘Require use of YubiKey’ from the dropdown menu:



You can also restrict your users to only permit the use of a single YubiKey for their account via the “Only allow a single YubiKey per account” policy:



Using a VIP YubiKey with LastPass


The VIP enabled YubiKey (http://yubico.com/vip) has two configuration slots. When the VIP enabled YubiKey is shipped, it’s first configuration slot is factory programmed for Symantec VIP credentials and the second configuration slot programmed with a standard Yubico OTP is dormant in the second identity slot and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently and each can be independently reconfigured into OTP or static password mode has two configuration slots.

If you touch and hold the YubiKey button between 1-3 seconds before releasing, the first configuration slot will emit the password (based on slot 1 configuration). And if you touch and hold the YubiKey button about 4-5 seconds before releasing, the second configuration slot will emit the password (based on slot 2 configuration). In case if you happen to touch and hold it longer for more than 5 seconds, the touch button indicator will flash rapidly without emitting any password.

As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.

To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:

  1. First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: http://www.yubico.com/products/services-software/personalizationtools/use/ under the section “Cross platform personalization tools”. There are a number of  different installers for various operating systems – pick the installer for your operating system.
  2. Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.
  3. In the Cross-Platform Personalization Menu, open the “Settings” menu by clicking on the link “Update Settings” on the main page or the “Settings” option from the menu at the top.
  4. In the Settings menu, locate the Update Settings button in the lower right corner and click on it.
  5. The Update YubiKey Settings menu should be displayed. If this is not the case, confirm youhave a VIP YubiKey with a firmware version of 2.3.0 or above.
  6. Locate the section labelled Configuration Slot and select Configuration Slot 2
  7. Locate the checkbox labelled Dormant and ensure the box is not checked
  8. Locate the Configuration Protection section, and open the menu labelled “YubiKey(s)unprotected – Keep it that way”. From this menu, select the option “YubiKey(s) protected –Keep it that way”.
  9. This will activate the “Current Access Code” field in the Configuration Protection section. Enteryour VIP YubiKey’s current access code, which will be five 0s followed by the YubiKey’s serialnumber in Decimal format, as reported by the Personalization tool.For example:If your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”
  10. Press the Button labelled “Update” to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.

Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit the link below:




Video Tutorial for Using LastPass with YubiKey



Watch How to use LastPass with YubiKey NEO


After you’ve registered the YubiKey with your LastPass account, ensure that mobile access is “disallowed” in your LastPass Icon > My LastPass Vault > Account Settings link > YubiKey tab.

Now you can use the YubiKey NEO when logging in via the LastPass Android app or used as a normal YubiKey on your desktop.



YubiKey NEO with Windows Phone 8 App


The updated Windows Phone 8 app with Yubikey NEO support (for phones that have NFC) is now available in the Windows Phone store: http://www.windowsphone.com/en-us/store/app/lastpass/9b86eadc-16e8-df11-9264-00237de2db9e

Configuring the Yubikey NEO should be done the same way as for Android, shown above. You also have to set the “permit mobile device access” in your LastPass vault to “disallow” in order to enable prompting.


A known issue is that when you touch the Yubikey NEO to the phone, the LastPass app will accept and verify the key, but the OS will open a dialog asking what to do with the URL, which you will have to ignore/cancel.  Hopefully Microsoft will fix this in a future release of the OS.