Skip navigation
Documentation

LastPass

Contents

LastPass has partnered with Duo Security to bring two-factor authentication to LastPass logins, complete with inline self-service enrollment and authentication prompt.

Overview

This document takes you through configuring your LastPass Free, Premium, or Enterprise account to use Duo Push. You'll sign up for a Duo account, set up LastPass to use your new Duo account, and enroll your LastPass username and your device for use with Duo's service.

Once you complete this process, Duo Security’s two-factor authentication platform protects access to your LastPass data by requiring approval when logging in to your LastPass Vault.

First Steps

  1. Sign up for a Duo account. The Duo Free plan is free for up to ten users with unlimited applications.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate LastPass in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

    LastPass Application Page

If you followed a Duo sign-up link from the LastPass site then we'll automatically create a LastPass application for you!

LastPass Free & Premium

Configure Duo Security

  1. Log in to your LastPass vault.

  2. Once logged in to LastPass go to Account SettingsMultifactor Options.

  3. Click the pencil icon to the right of the Duo Security multifactor option.

    LastPass Duo Configuration

  4. Configure the Duo Security options as follows:

    Option Value
    Enabled Select Yes.
    Permit Offline Access Set to Allow if you want access to your password vault even when LastPass is unreachable. For more information about this option please see the topic "Offline Access to Your LastPass Vault" in the LastPass User Manual.
    Use Duo Web SDK when possible The default setting (No) means that all types of clients see the same LastPass Duo prompt. If you'd like to enable the interactive authentication prompt for web browser logins to LastPass, change this setting to Yes.
    Integration Key Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Secret Key Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    API Hostname Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.

    Click Update when done.

    LastPass Duo Configuration

  5. Enter your LastPass password to confirm the change to your account.

    LastPass Duo Setup Verify

  6. If your LastPass email address is already enrolled in Duo there are no additional enrollment steps required.

    LastPass Duo Setup Account Enrolled

    If the email address you use to log on to LastPass is not enrolled as a user in your Duo account, LastPass prompts you complete Duo enrollment in a new browser tab.

    LastPass Duo Setup Enroll

    Follow the on-screen steps to complete device enrollment. Please see our user guide to enrollment for more information.

    LastPass Duo Setup Enroll

  7. You can close the Duo browser tab when you see the message "Enrollment successful!" The LastPass browser window displays a message letting you know your setup is complete.

    LastPass Duo Setup Complete

  8. Verify your LastPass account email address to apply all changes.

    LastPass Duo Setup Verify

  9. The Duo Security option now shows as "Enabled" on the LastPass Multifactor Options page.

    LastPass Duo Setup Verify

Instructions for configuring LastPass with Duo are also available in the LastPass User Manual.

Test Your Setup

After completing multifactor setup, you'll see the Duo authentication prompt when you log in to LastPass. You can approve a Duo Push authentication request on your smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

LastPass Web Page and Browser Extension

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window.

If you left the "Use Duo Web SDK when possible" option at the default "No" setting, then you'll see the LastPass Duo prompt and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again from the same browser on that device.

LastPass Browser Duo Authentication

If you changed the "Use Duo Web SDK when possible" setting to "Yes", then you'll see the inline Duo Prompt.

LastPass Browser Duo Authentication

LastPass Mobile App

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile. You may approve the Duo Push request from the same device where you are logging into the LastPass mobile app.

If you click the "Trust this device?" option then you won't be prompted for two-factor authentication again by the LastPass app on that device.

LastPass Mobile App Duo Authentication

LastPass for Applications

The LastPass for Applications program is available for Microsoft Windows only. The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again when logging in to LastPass for Applications.

LastPass Mobile App Duo Authentication

LastPass Enterprise

Configure Duo Security

  1. Log in to your LastPass vault as an enterprise administrator.

  2. Once logged in to LastPass click Admin Console in the left navigation pane.

  3. In the LastPass administrator console, click Settings on the left, then click Policies.

  4. Click the ADD POLICY button and then select the Require use of Duo Security policy from the "Multifactor" section of the drop-down list. Enter your the Duo Security information as follows:

    Option Value
    Value Enter the number of days between LastPass account creation and Duo authentication enrollment. Enter 0 to require Duo authentication immediately.
    Duo Security integration key Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security secret key Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security API hostname Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.
  5. Use the Applies To: options to choose whether to enforce Duo two-factor authentication for all your LastPass users or only certain users. We recommend protecting all users with Duo.

  6. Click Save when done.

    LastPass Duo Policy

    The Duo Security policy is enabled and shows the number of days you entered into the "Value" box when creating the policy.

    LastPass Duo Policy Enabled

  7. The default LastPass policy for Duo Security assumes that your Duo usernames use email format (username@example.com). If your Duo usernames do not include email domain, you can modify the LastPass username format sent to Duo.

    Click the Add Policy button again, and select the Use username portion of email address as Duo Security username policy from the from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    LastPass Duo Username Policy

  8. (Optional) LastPass Enterprise customers have the option of switching to the interactive authentication prompt.

    To enable the interactive Duo prompt, click the Add Policy button again, and select the Use Duo Web SDK when possible policy from the from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    LastPass Duo Web SDK Policy

Refer to the LastPass Enterprise Manual for more information about using Duo with LastPass.

User Enrollment Process

Any LastPass user to whom you've applied the "Require use of Duo Security" policy must enable Duo at next vault login.

  1. Re-enter the LastPass password and click BEGIN ENABLING DUO SECURITY.

    LastPass Enable Duo

  2. The user must confirm his or her LastPass username.

    LastPass Confirm Username

  3. LastPass checks to see if the LastPass username is already enrolled as a Duo user. If not, then LastPass prompts the user to begin the Duo enrollment process in a new browser tab.

    LastPass Enrollment Prompt

  4. Close the Duo browser tab after successful Duo enrollment. LastPass notifies the user that multifactor setup is complete.

    LastPass User Enrolled

  5. LastPass administrators can see which users have enabled Duo multifactor from the "Users" page in the LastPass administrator console. Users who have completed Duo Security setup show the Duo logo in the "Multi-factor" column.

    LastPass Duo Users

User Login Experience

The Duo multifactor login experience for LastPass Enterprise users is the same as for Lastpass Free/Premium users if you did not enable the Duo Web SDK policy.

After completing multifactor setup, users see the Duo authentication prompt when they log in to LastPass. Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

If you did enable the Duo Web SDK policy for your organization, browser logons to LastPass show the interactive Duo prompt, while mobile app logins continue to show the original LastPass multifactor prompt.

LastPass Web Authentication Prompt

When your LastPass Enterprise users view their multifactor options for Duo, the setting shows as enforced by company policy.

LastPass Duo User Multifactor Enforced

Troubleshooting

Need some help? Take a look at our LastPass Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free