Use a password manager with multifactor authentication

Find yourself overrun with passwords from various applications, websites and more? The answer is to move to a password manager and enable multifactor authentication on it. I’ll briefly list a few of the password managers available, but will walk through the combination of LastPass + Google Authenticator + a hardware MFA token (YubiKey 5 NFC). The guide below will let you securely store your passwords and keep a backup second factor in case you lose access to the mobile device housing Google Authenticator.

Requirements

Our requirements include:

  1. Secure our passwords in a centralized location
  2. Secure the authentication process in the centralized location using a password
  3. Require multifactor authentication at the centralized location

Required hardware

The steps below cover a password manager + multifactor authentication using Google Authenticator (Android or iOS) & a Yubico YubiKey 5 NFC. Every time you add a TOTP authentication code from a service, you’ll want to add it to both the Google Authenticator application on your mobile device AND your YubiKey. Both devices hold the same seed and therefore generate the same codes, so if you lose your mobile device you still have a hardware MFA token, or vice versa.

Costs

  1. LastPass = Free Plan
  2. Google Authenticator (Android) or Google Authenticator (iOS) = Free
  3. Yubico YubiKey 5 NFC = ~$45.00

Password Manager

A password manager is a service, or software that allows us to store strings of text (in most cases, usernames and passwords) in a centralized location. The offerings below are generally considered widely-accepted and offer a secure way to centralize your password storage.

A few of the hosted (SaaS) options include:

If you’re looking for a self-hosted solution, I’d recommend:

In the below steps, we’ll cover using LastPass as the password manager:

  1. Install Google Authenticator (Android) or Google Authenticator (iOS) on your mobile device.
  2. Install Yubico Authenticator on your Windows or Mac device.
  3. Create a LastPass account.
  4. On a web browser of your choice, within the LastPass Vault (while logged in) browse to: Account Settings -> Multifactor Options -> Google Authenticator
  5. Click the Edit icon for Google Authenticator.
  6. For the “Enabled” option, select Yes.
  7. For the “Permit Offline Access” option, use the drop-down menu to choose a setting.
  8. Select Allow if you wish to allow access to Google Authenticator even when you are offline. This stores an encrypted Vault locally so you can log in without multifactor authentication in case of a connectivity issue.
  9. For the “Barcode” option, click View.
  10. If prompted, enter your Master Password and click Continue.
  11. Your barcode is now displayed. Scan it with your mobile device camera to create an entry for your LastPass account in Google Authenticator. Do not close the window until you’ve added your YubiKey!
  12. Open Yubico Authenticator on your computer and ensure your YubiKey 5 NFC is inserted into a USB port on the machine.
  13. Select the + icon within Yubico Authenticator to add an account. Select Scan and it will detect the QR code displayed on the screen.
  14. The defaults should suffice, accept the account addition.
  15. Click Update within the LastPass vault when finished.
  16. Enter your LastPass Master Password and click Continue.
  17. When prompted, enter the verification code displayed in the Google Authenticator app or Yubico Authenticator, then click OK.
  18. Click OK on the confirmation message.
  19. Google Authenticator, along with your hardware MFA device (the YubiKey 5 NFC), has now been set up for use when you log in to your LastPass account.

Summary

You have now created a LastPass password vault that requires Google Authenticator OR a Yubico YubiKey 5 NFC as a secondary form of authentication. What do you do with this newfound security?

Begin going through your accounts, reset their passwords to new, unique, strong passwords (and add multifactor authentication using your Google Authenticator + YubiKey wherever possible)! You can safely store each password in your LastPass vault and use a LastPass browser extension to retrieve it when browsing.

LastPass download page - for extensions for your preferred browser, etc.