If you have read my post on best practices in using LastPass, one of the safe practices is to use a second factor of authentication, which can be the Grid (printable card), Sesame (USB flash drive), YubiKey, Fingerprint or SmartCard authentication, instead of relying on the master password alone. The good thing about using second-factor authentication is that even if your master password somehow gets stolen, the hacker still won’t be able to access your LastPass Vault because the physical authentication is in your hands.
I wanted to test how YubiKey works, so I ordered one from Yubico. It cost $25 for one YubiKey and an additional $19.00 for shipping to Malaysia with a tracking code. After a week of waiting, I received my YubiKey in a letter envelope. At first I didn’t know what it was until I opened it, because I didn’t expect the YubiKey to be that small and slim. It is made to fit easily on a key ring, because people normally carry keys (car or house) with them.

The YubiKey calculates a unique passcode each time it is used, making it impossible to copy and illegitimately re-use a passcode. The unique passcode is verified each time by a YubiKey compliant web service or software application.
The first mistake I made with the YubiKey was inserting it the wrong way into my laptop’s USB port, with the USB contact facing downward when it is supposed to face upward. The USB-contact light lit up, and no driver or installation was required. If I touch the button with my fingertip for 2 seconds, a 44-character passcode is generated and automatically inserted into the text box.
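How a validation service can reject a copied passcode, as an added example that is not from the original post and is not Yubico's or LastPass's code. It assumes the Yubico OTP layout (a 12-character public ID followed by a 32-character AES-128 encrypted token, written in the "modhex" alphabet), skips the AES decryption step, and uses constructed token values; `Validator` and `make_token` are hypothetical names.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # hex digits 0-f remapped to keys that are layout-safe
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

def modhex_decode(text: str) -> bytes:
    # Reject stray characters first: 'a' is valid hex but is NOT valid modhex.
    if len(text) % 2 or set(text) - set(MODHEX):
        raise ValueError("not modhex")
    return bytes.fromhex(text.translate(_TO_HEX))

def split_otp(otp: str):
    """44 characters = 12-char public ID + 32-char encrypted token (16 bytes)."""
    if len(otp) != 44:
        raise ValueError("expected a 44-character OTP")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def make_token(uid: bytes, use_ctr: int, session_ctr: int) -> bytes:
    # Constructed sample of an already-decrypted token (decryption omitted here).
    # Fields: uid[6], use counter, timestamp (2+1), session counter, random, CRC.
    body = struct.pack("<6sHHBBH", uid, use_ctr, 0x1234, 0, session_ctr, 0xBEEF)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

class Validator:
    def __init__(self):
        self.last_seen = {}  # public ID -> (use counter, session counter)

    def check(self, public_id: str, token: bytes) -> str:
        # A correctly decrypted token leaves the fixed CRC residue 0xF0B8.
        if len(token) != 16 or crc16(token) != 0xF0B8:
            return "BAD_OTP"
        _uid, use_ctr, _tl, _th, session_ctr, _rnd, _crc = struct.unpack(
            "<6sHHBBHH", token)
        counters = (use_ctr, session_ctr)
        # Counters only move forward, so an equal or older pair is a replay.
        if counters <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"
        self.last_seen[public_id] = counters
        return "OK"
```

The replay decision depends on the counters the service has already recorded for that key, which is the check a purely offline login cannot perform.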

LastPass Premium users can set up a YubiKey by logging in to the LastPass Vault, clicking Settings in the left sidebar and then clicking the YubiKeys tab.

Now click on the empty YubiKey #1 box and place your fingertip on your YubiKey for 2 seconds. Click the drop-down box for YubiKey Authentication and select Enable. If you use LastPass on your mobile but it doesn’t have a USB port, you can set this as Disallow. Finally, the Permit Offline Access option controls whether access to your vault will be allowed when not connected to the Internet. By default, LastPass saves an encrypted local cache on your computer so that you can access your LastPass Vault when there is no internet connection or if the LastPass servers are down. Allowing access to your vault when offline is slightly less secure, since YubiKey one-time passwords cannot be validated. Click the Update button and you’ll be prompted to log in to LastPass again. After keying in your LastPass Master Password, there is an additional step, which is to authenticate using your YubiKey.

The good about YubiKey:
1. Small and slim
2. No drivers required, because it is identified as a USB Input Device (Keyboard) in Device Manager.
3. Additional “strong” protection for applications such as LastPass that support YubiKey
4. No lifetime
5. Crush-resistant and waterproof
6. Doesn’t require a battery
7. Cheap, considering it provides all of the above.

The only problem with using YubiKey is that the computer must have a working USB port. I am not worried about that, since most modern computers have a USB port unless it is disabled in the BIOS or by Windows policy. In my personal opinion, a hacker would probably give up if they see that you use a combination of LastPass with best practices, KeyScrambler and YubiKey.
Really great info, great post
Mind doing a review on torrific? It allows you to direct download your torrents instead of using a client.
More info : forum.lowyat.net/topic/1727549
Was my comment deleted?
LOL @noob
Just go to lastpass.com/recover.php
:D
morning ray, what if we lost the key?
I have a YubiKey but there are not many free websites or programs with YubiKey support.
Free Yubikey OpenID
clavid.ch/
There is a new way to download torrents. Found it as Bitlet is so slow/not working on my side. The way I found will turn the torrent file into a direct download. Hence it is able to bypass the Streamyx p2p speed throttle. It works with download managers too. Didn’t give it a try yet. Maybe you could do a review?
Site : torrific.com/
Source : forum.lowyat.net/topic/1727549
Thanks Raymond, I’m using LastPass + KeyScrambler and now gonna get YubiKey for better security :)
The developer of Neo’s Safekeys have just posted an open letter regarding your test.
aplin.com.au/forum/topic/open-letter-some-smart-keyloggers
Lastpass is an amazing product, but I can’t deny the hack a couple of weeks ago really did scare me from using it again. This may help ease the pain and start using it again.
Thank you and Great Post
@Raymond
You got any crack to use it on a normal pen drive???
Or can anyone suggest some good software for this method (second factor authentication)?
Really Nice article !!!
Hi,
Thanks for the nice review. I have seen you are reviewing too many anti-keyloggers these days. You might already know, but I found a good thing with my Avast antivirus. It’s the switch to “Safe Zone” option. Please have a look at it if possible.
Raymond,
Thanks a lot for your excellent review!
Great post, however you never sent me the instructions on how to upgrade to the premium version that I won ;)
Hi Ray, how secure is Grid or Sesame when compared with YubiKey in Lastpass? Granted, using Grid is a little less convenient but Sesame is quite handy.
Thank you Raymond! :)