Skip navigation
Documentation

Duo Two-Factor Authentication for LastPass

Last Updated: October 2nd, 2023

Contents

LastPass has partnered with Duo Security to bring two-factor authentication to LastPass logins, complete with inline self-service enrollment and Duo Prompt.

Overview

This document takes you through configuring your LastPass Free, Premium, or Enterprise account to use Duo Push. You'll sign up for a Duo account, set up LastPass to use your new Duo account, and enroll your LastPass username and your device for use with Duo's service.

Once you complete this process, Duo Security’s two-factor authentication platform protects access to your LastPass data by requiring approval when logging in to your LastPass Vault.

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

First Steps

  1. Sign up for a Duo account. The Duo Free plan is free for up to ten users with unlimited applications.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate LastPass in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

If you followed a Duo sign-up link from the LastPass site then we'll automatically create a LastPass application for you!

Duo Universal Prompt

The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.

Migration to Universal Prompt for your LastPass application will be a three-step process:

  • LogMeIn updates the LastPass application to implement a redirect to Duo during authentication to support the Universal Prompt. You may need to change a setting in LastPass so that it uses the updated Duo application.
  • Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel. This first authentication after updating will show the traditional Duo prompt in a redirect.
  • You activate the Universal Prompt experience for users of that Duo LastPass application.

LogMeIn needs to update LastPass to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider" with the activation options inaccessible. Please contact LogMeIn to request Duo Universal Prompt support for LastPass.

Universal Prompt Info - Update Not Yet Available

In the meantime, you can use Duo with LastPass and the traditional prompt experience.

After LogMeIn makes the necessary changes available you may need log in to LastPass as an admin to enable Duo Universal Prompt support.

You'll later return to the settings on this page to activate the Universal Prompt for your LastPass users after LogMeIn releases the update.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

LastPass Free & Premium

Configure Duo Security

  1. Log in to your LastPass vault.

  2. Once logged in to LastPass go to Account SettingsMultifactor Options.

  3. Click the pencil icon to the right of the Duo Security multifactor option.

    LastPass Duo Configuration
  4. Configure the Duo Security options as follows:

    Option Value
    Enabled Select Yes.
    Permit Offline Access Set to Allow if you want access to your password vault even when LastPass is unreachable. For more information about this option please see the topic "Offline Access to Your LastPass Vault" in the LastPass User Manual.
    Use Duo Web SDK when possible The default setting (No) means that all types of clients see the same LastPass Duo prompt. If you'd like to enable the interactive authentication prompt for web browser logins to LastPass, change this setting to Yes.
    Integration Key Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Secret Key Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    API Hostname Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.

    Click Update when done.

    LastPass Duo Configuration
  5. Enter your LastPass password to confirm the change to your account.

    LastPass Duo Setup Verify
  6. If your LastPass email address is already enrolled in Duo there are no additional enrollment steps required.

    LastPass Duo Setup Account Enrolled

    If the email address you use to log on to LastPass is not enrolled as a user in your Duo account, LastPass prompts you complete Duo enrollment in a new browser tab.

    LastPass Duo Setup Enroll

    Follow the on-screen steps to complete device enrollment. Please see our user guide to enrollment for more information.

    LastPass Duo Setup Enroll
  7. You can close the Duo browser tab when you see the message "Enrollment successful!" The LastPass browser window displays a message letting you know your setup is complete.

    LastPass Duo Setup Complete
  8. Verify your LastPass account email address to apply all changes.

    LastPass Duo Setup Verify
  9. The Duo Security option now shows as "Enabled" on the LastPass Multifactor Options page.

    LastPass Duo Setup Verify

Instructions for configuring LastPass with Duo are also available in the LastPass User Manual.

Test Your Setup

Configure Allowed Hostnames

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.

The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.

After completing multifactor setup, you'll see the Duo authentication prompt when you log in to LastPass. You can approve a Duo Push authentication request on your smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

LastPass Web Page and Browser Extension

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window.

If you left the "Use Duo Web SDK when possible" option at the default "No" setting, then you'll see the LastPass Duo prompt and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again from the same browser on that device.

LastPass Browser Duo Authentication

If you changed the "Use Duo Web SDK when possible" setting to "Yes", then you'll see the inline Duo Prompt.

LastPass Browser Duo Authentication

LastPass Mobile App

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile. You may approve the Duo Push request from the same device where you are logging into the LastPass mobile app.

If you click the "Trust this device?" option then you won't be prompted for two-factor authentication again by the LastPass app on that device.

LastPass Mobile App Duo Authentication

LastPass for Applications

The LastPass for Applications program is available for Microsoft Windows only. The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again when logging in to LastPass for Applications.

LastPass Mobile App Duo Authentication

LastPass Enterprise

Configure Duo Security

  1. Log in to your LastPass vault as an enterprise administrator.

  2. Once logged in to LastPass click Admin Console in the left navigation pane.

  3. In the LastPass administrator console, click Settings on the left, then click Policies.

  4. Click the ADD POLICY button and then select the Require use of Duo Security policy from the "Multifactor" section of the drop-down list. Enter your the Duo Security information as follows:

    Option Value
    Value Enter the number of days between LastPass account creation and Duo authentication enrollment. Enter 0 to require Duo authentication immediately.
    Duo Security integration key Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security secret key Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security API hostname Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.
  5. Use the Applies To: options to choose whether to enforce Duo two-factor authentication for all your LastPass users or only certain users. We recommend protecting all users with Duo.

  6. Click Save when done.

    LastPass Duo Policy

    The Duo Security policy is enabled and shows the number of days you entered into the "Value" box when creating the policy.

    LastPass Duo Policy Enabled
  7. The default LastPass policy for Duo Security assumes that your Duo usernames use email format (username@example.com). If your Duo usernames do not include email domain, you can modify the LastPass username format sent to Duo.

    Click the Add Policy button again, and select the Use username portion of email address as Duo Security username policy from the from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    LastPass Duo Username Policy
  8. (Optional) LastPass Enterprise customers have the option of switching to the interactive authentication prompt.

    To enable the interactive Duo prompt, click the Add Policy button again, and select the Use Duo Web SDK when possible policy from the from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    LastPass Duo Web SDK Policy

Refer to the LastPass Enterprise Manual for more information about using Duo with LastPass.

User Enrollment Process

Any LastPass user to whom you've applied the "Require use of Duo Security" policy must enable Duo at next vault login.

  1. Re-enter the LastPass password and click BEGIN ENABLING DUO SECURITY.

    LastPass Enable Duo
  2. The user must confirm their LastPass username.

    LastPass Confirm Username
  3. LastPass checks to see if the LastPass username is already enrolled as a Duo user. If not, then LastPass prompts the user to begin the Duo enrollment process in a new browser tab.

    LastPass Enrollment Prompt
  4. Close the Duo browser tab after successful Duo enrollment. LastPass notifies the user that multifactor setup is complete.

    LastPass User Enrolled
  5. LastPass administrators can see which users have enabled Duo multifactor from the "Users" page in the LastPass administrator console. Users who have completed Duo Security setup show the Duo logo in the "Multi-factor" column.

    LastPass Duo Users

User Login Experience

The Duo multifactor login experience for LastPass Enterprise users is the same as for Lastpass Free/Premium users if you did not enable the Duo Web SDK policy.

After completing multifactor setup, users see the Duo authentication prompt when they log in to LastPass. Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

If you did enable the Duo Web SDK policy for your organization, browser logons to LastPass show the interactive Duo prompt, while mobile app logins continue to show the original LastPass multifactor prompt.

LastPass Web Authentication Prompt

When your LastPass Enterprise users view their multifactor options for Duo, the setting shows as enforced by company policy.

LastPass Duo User Multifactor Enforced

Troubleshooting

Need some help? Reach out to Duo Support for assistance with creating the LastPass application in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing LastPass please contact LastPass support.