LastPass

Last Updated: October 22nd, 2020

LastPass has partnered with Duo Security to bring two-factor authentication to LastPass logins, complete with inline self-service enrollment and Duo Prompt.

Overview

This document takes you through configuring your LastPass Free, Premium, or Enterprise account to use Duo Push. You'll sign up for a Duo account, set up LastPass to use your new Duo account, and enroll your LastPass username and your device for use with Duo's service.

Once you complete this process, Duo Security’s two-factor authentication platform protects access to your LastPass data by requiring approval when logging in to your LastPass Vault.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account. The Duo Free plan is free for up to ten users with unlimited applications.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate LastPass in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

If you followed a Duo sign-up link from the LastPass site then we'll automatically create a LastPass application for you!

Duo Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers.

Migration to Universal Prompt for your LastPass application is a two-step process:

  • Update the LastPass application to support the Universal Prompt.
  • Enable the Universal Prompt experience for users of that LastPass application (when the Universal Prompt becomes available).

LastPass needs an update to support the Universal Prompt when it's ready, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider". Please contact LastPass to request Duo Universal Prompt support for LastPass.

After LastPass makes the necessary changes available you may need to install an application update on your server, or log in to LastPass as an admin to enable Duo Universal Prompt support.

[Screenshot: Universal Prompt Info - Update Not Yet Available]

You'll later return to the settings on this page to activate the Universal Prompt for your LastPass users once we've released it.

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

LastPass Free & Premium

Configure Duo Security

  1. Log in to your LastPass vault.

  2. Once logged in to LastPass, go to Account Settings > Multifactor Options.

  3. Click the pencil icon to the right of the Duo Security multifactor option.

    [Screenshot: LastPass Duo Configuration]

  4. Configure the Duo Security options as follows:

    Enabled: Select Yes.
    Permit Offline Access: Set to Allow if you want access to your password vault even when LastPass is unreachable. For more information about this option please see the topic "Offline Access to Your LastPass Vault" in the LastPass User Manual.
    Use Duo Web SDK when possible: The default setting (No) means that all types of clients see the same LastPass Duo prompt. If you'd like to enable the interactive authentication prompt for web browser logins to LastPass, change this setting to Yes.
    Integration Key: Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Secret Key: Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    API Hostname: Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.

    Click Update when done.

    [Screenshot: LastPass Duo Configuration]

  5. Enter your LastPass password to confirm the change to your account.

    [Screenshot: LastPass Duo Setup Verify]

  6. If your LastPass email address is already enrolled in Duo there are no additional enrollment steps required.

    [Screenshot: LastPass Duo Setup Account Enrolled]

    If the email address you use to log on to LastPass is not enrolled as a user in your Duo account, LastPass prompts you to complete Duo enrollment in a new browser tab.

    [Screenshot: LastPass Duo Setup Enroll]

    Follow the on-screen steps to complete device enrollment. Please see our user guide to enrollment for more information.

    [Screenshot: LastPass Duo Setup Enroll]

  7. You can close the Duo browser tab when you see the message "Enrollment successful!" The LastPass browser window displays a message letting you know your setup is complete.

    [Screenshot: LastPass Duo Setup Complete]

  8. Verify your LastPass account email address to apply all changes.

    [Screenshot: LastPass Duo Setup Verify]

  9. The Duo Security option now shows as "Enabled" on the LastPass Multifactor Options page.

    [Screenshot: LastPass Duo Setup Verify]

Instructions for configuring LastPass with Duo are also available in the LastPass User Manual.

Test Your Setup

Enable Hostname Whitelisting

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.

After completing multifactor setup, you'll see the Duo authentication prompt when you log in to LastPass. You can approve a Duo Push authentication request on your smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

LastPass Web Page and Browser Extension

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window.

If you left the "Use Duo Web SDK when possible" option at the default "No" setting, then you'll see the LastPass Duo prompt and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again from the same browser on that device.

[Screenshot: LastPass Browser Duo Authentication]

If you changed the "Use Duo Web SDK when possible" setting to "Yes", then you'll see the inline Duo Prompt.

[Screenshot: LastPass Browser Duo Authentication]

LastPass Mobile App

The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile. You may approve the Duo Push request from the same device where you are logging into the LastPass mobile app.

If you click the "Trust this device?" option then you won't be prompted for two-factor authentication again by the LastPass app on that device.

[Screenshot: LastPass Mobile App Duo Authentication]

LastPass for Applications

The LastPass for Applications program is available for Microsoft Windows only. The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you've activated Duo Mobile.

If you click the "This computer is trusted..." option then you won't be prompted for two-factor authentication again when logging in to LastPass for Applications.

[Screenshot: LastPass Mobile App Duo Authentication]

LastPass Enterprise

Configure Duo Security

  1. Log in to your LastPass vault as an enterprise administrator.

  2. Once logged in to LastPass click Admin Console in the left navigation pane.

  3. In the LastPass administrator console, click Settings on the left, then click Policies.

  4. Click the ADD POLICY button and then select the Require use of Duo Security policy from the "Multifactor" section of the drop-down list. Enter the Duo Security information as follows:

    Value: Enter the number of days between LastPass account creation and Duo authentication enrollment. Enter 0 to require Duo authentication immediately.
    Duo Security integration key: Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security secret key: Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
    Duo Security API hostname: Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.
  5. Use the Applies To: options to choose whether to enforce Duo two-factor authentication for all your LastPass users or only certain users. We recommend protecting all users with Duo.

  6. Click Save when done.

    [Screenshot: LastPass Duo Policy]

    The Duo Security policy is enabled and shows the number of days you entered into the "Value" box when creating the policy.

    [Screenshot: LastPass Duo Policy Enabled]

  7. The default LastPass policy for Duo Security assumes that your Duo usernames use email format (username@example.com). If your Duo usernames do not include the email domain, you can modify the LastPass username format sent to Duo.

    Click the Add Policy button again, and select the Use username portion of email address as Duo Security username policy from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    [Screenshot: LastPass Duo Username Policy]

  8. (Optional) LastPass Enterprise customers have the option of switching to the interactive authentication prompt.

    To enable the interactive Duo prompt, click the Add Policy button again, and select the Use Duo Web SDK when possible policy from the "Multifactor" section of the drop-down list. Check the box to enable this policy, then click Save.

    [Screenshot: LastPass Duo Web SDK Policy]

Refer to the LastPass Enterprise Manual for more information about using Duo with LastPass.

User Enrollment Process

Any LastPass user to whom you've applied the "Require use of Duo Security" policy must enable Duo at next vault login.

  1. Re-enter the LastPass password and click BEGIN ENABLING DUO SECURITY.

    [Screenshot: LastPass Enable Duo]

  2. The user must confirm their LastPass username.

    [Screenshot: LastPass Confirm Username]

  3. LastPass checks to see if the LastPass username is already enrolled as a Duo user. If not, then LastPass prompts the user to begin the Duo enrollment process in a new browser tab.

    [Screenshot: LastPass Enrollment Prompt]

  4. Close the Duo browser tab after successful Duo enrollment. LastPass notifies the user that multifactor setup is complete.

    [Screenshot: LastPass User Enrolled]

  5. LastPass administrators can see which users have enabled Duo multifactor from the "Users" page in the LastPass administrator console. Users who have completed Duo Security setup show the Duo logo in the "Multi-factor" column.

    [Screenshot: LastPass Duo Users]
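The two enterprise policy settings above (the "Value" grace period in step 4 of Configure Duo Security and the "Use username portion of email address" policy in step 7) decide what step 3 of this enrollment flow sees when it checks whether the LastPass username already exists in Duo. The following is an added illustration of that logic, not LastPass or Duo code: the enrolled-user set, the account dates and the function names are constructed for the example. It shows the failure mode worth catching before rollout: a Duo account whose usernames have no domain, combined with the default (email-format) username policy, makes every existing user look unenrolled, so LastPass sends them to enroll a second, duplicate Duo user.

```python
from datetime import date

# Constructed sample: usernames already enrolled in a Duo account. One was
# created without an email domain, the other with one. This set is an
# assumption for the example; the real lookup happens between LastPass and Duo.
ENROLLED_DUO_USERS = {"alice", "bob@example.com"}


def duo_username(lastpass_email: str, strip_domain: bool) -> str:
    """Return the username LastPass sends to Duo for this login.

    strip_domain=False mirrors the default policy (full email address).
    strip_domain=True mirrors the "Use username portion of email address as
    Duo Security username" policy (only the part before the '@').
    """
    login = lastpass_email.strip()
    if strip_domain and "@" in login:
        return login.split("@", 1)[0]
    return login


def duo_required(account_created: date, today: date, grace_days: int) -> bool:
    """Apply the "Require use of Duo Security" policy Value.

    grace_days is the number of days between LastPass account creation and
    mandatory Duo enrollment; 0 means Duo is required at the next login.
    """
    if grace_days < 0:
        raise ValueError("grace period must be 0 or more days")
    return (today - account_created).days >= grace_days


def enrollment_outcome(lastpass_email: str, strip_domain: bool,
                       enrolled: set) -> tuple:
    """Mirror step 3 of the enrollment flow.

    Returns (outcome, username_sent_to_duo). "already_enrolled" means no
    further steps; "enroll_new_user" means LastPass opens the Duo enrollment
    tab, which creates a new Duo user under that username.
    """
    name = duo_username(lastpass_email, strip_domain)
    if name in enrolled:
        return ("already_enrolled", name)
    return ("enroll_new_user", name)


if __name__ == "__main__":
    # Same LastPass login, two username policies: the default policy misses
    # the existing domain-less Duo user "alice" and would enroll a duplicate.
    print(enrollment_outcome("alice@example.com", False, ENROLLED_DUO_USERS))
    print(enrollment_outcome("alice@example.com", True, ENROLLED_DUO_USERS))
    # Grace period: an account created 21 days ago under a 30-day Value is
    # not yet forced; Value 0 forces Duo immediately.
    print(duo_required(date(2020, 10, 1), date(2020, 10, 22), 30))
    print(duo_required(date(2020, 10, 1), date(2020, 10, 22), 0))
```

Before applying the policy to all users, compare the Duo Admin Panel's user list against the username format LastPass will send; if the two disagree, enable the username-portion policy first so existing Duo users are recognized at their next login.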

User Login Experience

The Duo multifactor login experience for LastPass Enterprise users is the same as for LastPass Free/Premium users if you did not enable the Duo Web SDK policy.

After completing multifactor setup, users see the Duo authentication prompt when they log in to LastPass. Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

If you did enable the Duo Web SDK policy for your organization, browser logons to LastPass show the interactive Duo prompt, while mobile app logins continue to show the original LastPass multifactor prompt.

[Screenshot: LastPass Web Authentication Prompt]

When your LastPass Enterprise users view their multifactor options for Duo, the setting shows as enforced by company policy.

[Screenshot: LastPass Duo User Multifactor Enforced]

Troubleshooting

Need some help? Take a look at our LastPass Knowledge Base articles or Community discussions. For further assistance, contact Support.