May 10, 2013

What Do You Want to Know?

Hey LastPass-ers - we want to hear from you!

We're looking to build more of a conversational series of blog posts, especially for Fridays, where we post answers to your questions, spotlight helpful tips, conduct polls, and more.

So to kick off the series, what would you like to know more about from LastPass?

To prompt some potential topics:
  • What LastPass features would you like to know more about?
  • Which technical concepts would you appreciate more information on?
  • What's going on in the news or the tech community that you're curious about?
  • If you had the chance to chat with a LastPass team member, what would you ask them?
Post questions in the comments or send them our way via Facebook, Twitter, or Google+. For questions that we end up choosing, you have a chance to snag a LastPass T-shirt!

May 9, 2013

In the News: Use LastPass To Create Secure Passwords

LastPass had a shout-out on KTLA the other day, in which reporter Rich DeMuro highlights the risks of poor password practices and the need for a tool to help you generate secure passwords. While discussing the challenge of the current password system and the tendency to use the same password everywhere, DeMuro suggests turning on two-step (or multifactor) verification and using LastPass to streamline the password process.

We're especially impressed that multifactor authentication was top among their recommendations, in addition to highlighting the need for different passwords on all accounts.

And we're excited to see LastPass mentioned as the choice password manager!

May 6, 2013

Multifactor Authentication: What It Is and Why It Matters

There’s a lot of buzz right now around multifactor authentication, and the need for more services like Twitter to support it, so we figured our users could benefit from a clarification of what it is, how it works with LastPass, and why it matters.

What Is Multifactor Authentication?

Multifactor authentication simply refers to the requirement of a second piece of information before allowing access to an account. By adding another authentication step, you are requiring that the user enter two forms of data - typically the first being something the user knows, like a username and password, and the second being something the user has physical access to, like an app on a mobile phone that generates one-time codes or a device that plugs into the computer to scan a fingerprint. After enabling multifactor authentication, the user is required to enter both pieces of data (username/password + generated piece of data) each time they log in to the account or service.

Why It Matters

Good security is about being proactive and mitigating risk. Multifactor authentication increases security by adding another barrier to entry, decreasing the likelihood that a “pretender” can break in. It makes it harder for someone who has stolen the password to gain entry to the account. Unfortunately, many websites don’t implement this second form of authentication, which is why implementing it with your LastPass account is critical - and arguably more effective.

If you enable multifactor authentication with LastPass, you have significantly increased the security of your LastPass account itself, which is the hub of your online life. If someone compromises your master password, they can't gain access to your account without the second form of authentication. Since LastPass gives you the tools to generate secure, non-guessable passwords for all your accounts, if you then launch all of your sites from LastPass, you are eliminating risks of phishing attacks and other threats because you are going directly to your sites and logging in with LastPass. By enabling a multifactor authentication device, you are in effect enabling it for each of the sites in your vault as well. For Enterprise, if your Identity Provider utilizes multifactor authentication, as LastPass does, you also get the full benefit of multifactor authentication without passwords at all sites that you've implemented it on.

How It Works With LastPass

Once you enable multifactor authentication with LastPass, you'll be required to first enter your email address and master password, then the multifactor authentication data. LastPass offers support for several multifactor authentication methods:
  • Google Authenticator (Free): Utilizes a Google app, available for Android, iOS, and BlackBerry, which will generate a code every 60 seconds that you will enter when prompted.
  • Grid (Free): A unique, generated spreadsheet of random values that resemble a Battleship grid, each section containing a different letter or number. Once enabled, you'll be prompted to find and enter four values from the spreadsheet.
  • Sesame (Premium): Generates unique One Time Passwords (OTPs) each time you log in. The feature can be run from a USB thumb drive, and you have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.
  • YubiKey (Premium): A key-sized device that you plug into your computer's USB slot and that generates a unique One Time Password each time it's pressed. YubiKeys are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors. The key can be purchased from Yubico and bundled at a discounted rate with LastPass Premium. No batteries, waterproof, and crush safe.
  • Fingerprint Reader (Premium): LastPass has support for a small selection of fingerprint readers, including Windows Biometric Framework, UPEK, and Validity.
  • SmartCard Reader (Premium): LastPass has experimental support for SmartCard readers. See our help article for more details and limitations.
With all multifactor security options, you have the ability to mark the computer as "trusted", leaving multifactor enabled but not requiring it on that particular "safe" location.

Get Proactive

Passwords are not going anywhere soon, and because sites have implemented different security standards and requirements, we strongly recommend enabling a form of multifactor authentication with LastPass. This will help you better protect and mitigate risks for your LastPass account, and your online life as a whole.

The LastPass Team