Stop hackers, enable LastPass two factor authentication

Online security is a constant worry, but adding two factor authentication to your LastPass password manager increases security and keeps out hackers. Use this step by step setup guide.
Online accounts at many websites and services have been hacked and people have had their usernames and passwords stolen and sometimes sold to criminals. How many times have you been told to change your passwords because one service or another has been compromised? Too many!
Your password manager contains the login details for all your online accounts at websites, banks, social media, stores and more. What if your password manager was hacked?
That would be a major disaster because all your passwords for everything would be exposed. It is enough to keep you awake at night with worry.
If this bothers you, and it should, one way to increase the security of the LastPass password manager is to use two factor authentication (2FA). This is sometimes called two step verification and LastPass calls it multifactor authentication.
How two factor authentication works
It basically adds an extra step to the sign-in process at whatever website or service you set it up for (LastPass, Google, Microsoft, Apple and others all support 2FA).
When signing in, you are prompted to enter your username and password as normal. Then you are asked to enter a PIN code. Unlike the PIN code that you use with your credit card and other things, this one changes every few minutes or even every few seconds.
The PIN code is sent to your phone, so you must look at your phone, get the PIN and type it in to complete the login.
No phone = No PIN = No access
Even if a hacker or phishing scam got your username and password, they cannot log in because they don’t have a PIN code. If someone did try to log in, a PIN code would arrive on your phone, which would immediately tell you that someone has tried to log in and failed.
Here’s how to set up 2FA for LastPass. There are two methods and you can use one or the other. Both can be set up, but only one is required.
1 Log in to LastPass
Open a browser, go to the LastPass website and log in by entering your username and password. An easy way to log in if you have the LastPass extension installed is to click the toolbar button and select Open my vault.

2 Go to Settings
When LastPass opens, click the gear icon at the bottom of the sidebar on the left to open Account Settings.
Select the Multifactor Options tab at the top and there are two Multifactor Authentication lists - Free and Premium. The first two items on the list are the most useful - LastPass Authenticator and Google Authenticator.
They work in similar ways, so let’s set up LastPass Authenticator. At the right side of each multifactor option is an Action column. Click the pencil icon next to LastPass.

3 Enable LastPass Authenticator
LastPass Authenticator is disabled, so change the setting to Enabled and click Update.
Enter your LastPass account password and click Continue.
Click Enrol to add a device to LastPass Authenticator.

4 Three stages to go
There are three stages to setting up your phone and the first is to install an app on your phone. Click Set up mobile app.

5 Set up your mobile
There is a LastPass Authenticator app available for the iPhone, Android phones and Windows phones. Get your phone, go to the store app and search for it. Download it and install it.

I added the Android app. I cannot show any screenshots because the app blocked the feature for security reasons, but here's what happened.
Open LastPass Authenticator on your phone and sign in to your LastPass account. Click Next on your computer (in the screenshot above), and a QR code is displayed on the computer screen.
Tap the option in the phone app to add a code and point it at the QR code on the computer. That’s it, it is set up.
6 Add a backup
Now when signing into LastPass you will be prompted for a code. Run the LastPass Authenticator app and a six-digit code is displayed. Just type it in to complete the sign-in process.
What if you don’t have your phone or the LastPass Authenticator app does not work?
Another phone can be used as a backup and LastPass will send the sign-in code by text message. There’s nothing to stop you using the same phone, but if you lose it or it breaks, you won’t have any means of receiving the code. A different phone is best.
Click Set up text message.

7 Set up text messaging
Enter the phone number to use as a backup. A code is sent via text message, which you must then type in.
Once this is done, everything is set up and you can click the Activate button that is displayed. You are returned to the Multifactor Authentication screen (step 2 above).

How to use Google Authenticator
1 Install the app
Both Google and Microsoft have Authenticator apps for phones that work in a similar way to the LastPass Authenticator app. They display the code you need when logging into Google and Microsoft accounts.
These apps work with LastPass too. In fact, if you already use either of these apps on your phone, you don’t need to set up the LastPass Authenticator app, just use Microsoft’s or Google’s instead. It is actually easier to set up.
Go to the Multifactor Authentication screen (step 2 above) and click the pencil icon to the right of Google Authenticator.

If you have not already done so, install the Google Authenticator app on your iPhone or Android phone. Run it and follow any setup instructions.
To add LastPass on the phone, click the plus button and select the option to Scan barcode.
Click View next to Barcode in the screenshot above on your computer. It displays a QR code on the screen. Point the phone at the QR code and that’s it. LastPass is set up in the Google Authenticator app.
Set Enabled to Yes in the screenshot above and you’re done.
2 Use Google Authenticator
To use Google Authenticator just open the app. It displays a code for LastPass (and any other accounts you have added).

The codes change every 20 or 30 seconds, so you have to be quick. If you don’t enter one before it expires, just enter the next code that is displayed.
Now that multifactor authentication is set up, if you need to log in to LastPass you MUST have your phone. That is the whole point - if a hacker gets hold of your username and password, they still can’t get in without your phone. Neither can you!