
Thread: Securing LastPass - MultiFactor Authentication for Non-premium users.



    Being a LastPass user, I've always wondered: one keylogger on my system, extracting my LastPass master password = compromise of all my accounts stored on LastPass, which = everything. D-day, what else.

    Multifactor authentication requires the user to present both username/password and information from another, often physical, item. This means that if a hacker gets your password, they are still unable to access your LastPass account without this second factor.

    When I looked for a solution when I started using the LastPass service, the multifactor auth schemes for LastPass were restricted to Premium members, such as Sesame thumb drives, fingerprint, smartcards, YubiKey, a minimum deal of $35. Now there are alternatives for non-premium members:

    1. Google Authenticator multi-factor support.

    On Nov 4, v1.80.0 released Google Authenticator multi-factor support, a second free multi-factor option available for all users! If you have a smart phone you should consider utilizing it.

    1. Install: Detailed instructions on installing the Google Authenticator for the following devices can be found at http://support.google.com/accounts/b...answer=1066447
      • Android devices
      • iPhone, iPod Touch, or iPad
      • BlackBerry devices

    Other devices:
    Android device w/o Market: http://lastpass.com/google-authenticator.apk
    webOS device: http://gregstoll.dyndns.org/gauth/
    Windows Phone: http://www.windowsphone.com/en-US/ap...b-78e7d1fa76f8
    Symbian device: http://code.google.com/p/lwuitgauthj2me/

    2. Once you have the Google Authenticator application running on your mobile device, go to:
    https://lastpass.com/?ac=1&opengoogleauth=1
    You will be prompted to use a Bar Code scanning app (Androids, iPhones and supported devices with cameras) to scan your unique bar code, or you can manually enter the Google Authentication Key found on that setup page.



    3. Logging In:

    After your LastPass account is registered within the Google Authenticator app, the next time you login to LastPass on an untrusted device, you will receive the Google Authentication dialog:



    Go to your Google Authenticator App, and input the current authentication code you see in the app, into this dialog. If the code expires before you have a chance to authenticate, simply use the next code that appears in the app.

    Allow Offline Access: As with our other multifactor authentication options, you can choose whether to allow LastPass to store an encrypted vault locally so you can log in without an internet connection. If you enable offline access, you will be able to login without using your Google Authenticator code in case of a connectivity issue.


    2. Grid Multifactor authentication

    1. To activate Grid, launch your Account Settings by going to your LastPass Icon, then Preferences, Accounts Settings, Launch Account Settings:


    2. In the dialog box that pops up, click on the Security tab (second over from the left), where you will see the option to activate your Grid by checking the box:


    3. LastPass will pop a message recommending that you print your Grid. By clicking 'Print your Grid', you can view and print the spreadsheet-like Grid of randomly generated characters:


    Be sure to press 'Update' before exiting your Account Settings dialog box.
    Allow Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since Grid cannot be actively validated.

    4. Logging In:
    Once Grid has been activated, you can login to your LastPass plugin by providing your email and Master Password as usual. After you press Submit, you will be prompted to provide 4 random values off of your Grid:

    You look up each value on the grid and enter it. Grid look-ups are performed much like the game Battleship. Using the sample Grid image shown above as an example, if you were asked for U7, M8, I5, and K5, the answers would be z, m, 2, 2. Access to your LastPass Account will only be granted if all 4 values are correct.
    If you trust the computer, click the Trust checkbox on the Grid dialog so you will not be re-prompted to enter Grid values the next time you login.
    Grid can be deactivated at any time once you are logged in to your Online Vault and uncheck the Grid option in Settings.




    Sources: http://helpdesk.lastpass.com/securit...uthentication/
    http://helpdesk.lastpass.com/securit...authenticator/
    http://support.google.com/accounts/b...answer=1066447

    Personally I don't want to carry around a piece of paper (grid), & since I have my phone with me almost always, using it as a second factor to authenticate makes sense.
    Last edited by Christy; 02-07-2012 at 04:43 PM.
    Neo and piskor like this.
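
Added example, not part of the original post and not LastPass's code: how the six-digit codes in the Google Authenticator app are derived from the key shown on the setup page (RFC 6238 TOTP with the app's defaults of HMAC-SHA1 and a 30-second step), and why "the next code" still works after one expires. The `verify` function, its `window` and `last_counter` parameters, and the sample key (the published RFC 6238 test key, not a real secret) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (Google Authenticator default)
DIGITS = 6   # code length shown in the app

def decode_key(b32_key: str) -> bytes:
    """Decode the base32 key as a user would type it (spaces, lower case, no padding)."""
    s = b32_key.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(b32_key: str, now: float) -> str:
    """Code the phone displays at Unix time `now`; changes every STEP seconds."""
    return hotp(decode_key(b32_key), int(now) // STEP)

def verify(b32_key: str, submitted: str, now: float,
           last_counter: int = -1, window: int = 1):
    """Hypothetical server-side check; returns the matched time step or None.

    window=1 tolerates one step of clock drift or slow typing.
    last_counter is the last step already accepted, so a code captured by
    a keylogger cannot be replayed once it has been used.
    """
    key = decode_key(b32_key)
    current = int(now) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None

# Constructed sample input: RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(SAMPLE_KEY, 59))                    # code at t=59s
    print(verify(SAMPLE_KEY, "287082", 120))       # two steps later: rejected
```

Unlike the master password, a code captured by a keylogger stops being useful once its time step has passed or been consumed, which is the property the post relies on.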

 

 