Protect your passwords with two-factor authentication

If you're going to use a password manager from a mobile computer that travels outside of your office, two-factor authentication can provide an extra layer of security. This is particularly important if you use a product designed to synchronize your password data with other devices by way of a master database hosted in the cloud, as LastPass does.

Of the four password management programs I reviewed this week, LastPass was the only one to support two-factor authentication (I'll post a link to the full review on Monday, when it launches). In fact, it offers three different options for two-factor authentication. Each provides an additional layer of security on any Windows, OS X or Linux machine by requiring you to present something you have -- in this case a program or key that generates a one-time password at login time -- as well as something you know: your user ID and master password that unlocks your password database.

Two-factor authentication can provide an extra layer of security for laptops that travel with you on the road, or if you plan to access your password database from unsecured machines, which could contain malware. (You can also enter your credentials using an optional on-screen keyboard feature, available in LastPass and some other password managers, to help thwart key loggers. But that's far from foolproof.)

If you'd prefer not to have to use two-factor authentication when in the office, you can turn off the feature for trusted machines, such as a home or office desktop computer.

LastPass offers three choices for two-factor authentication. One, called Grid, is free. Two others, Sesame and YubiKey, require a LastPass Premium subscription as well as a USB key.

When you enable multifactor authentication, you enter your user ID and master password before LastPass prompts you for your multifactor authentication code. You then present a randomly generated one-time password, which you either read from a printed Grid or have the Sesame program or a YubiKey USB device generate for you. Because the authentication code changes each time, it can't be reused if a key logger or other malware captures it.

Option 1: Grid

The Grid feature is free. It works well enough if you don't have to use it often. For repeated logins, however, it's a pain in the neck to find the coordinates on the chart and type them into four separate fields in the authentication dialog box. But again, you can configure LastPass to not require it on trusted machines you specify. Here's how Grid works:

When you enable the feature, LastPass creates a randomly generated "Battleship game style" grid of alphanumeric coordinates that you print and put in your wallet.

[Image: LastPass Grid printout]

Don't try this at home if you need glasses: LastPass' 3x5 inch grid will fit in a wallet if you fold it in two, but it's not resizable and the back and forth involved in entering data from four coordinates into four fields in the authentication dialog is tedious.

[Image: LastPass Grid authentication dialog]

Each time you log in on a machine that requires two-factor authentication, LastPass asks for your user name, master password, and the characters located at four randomly selected coordinates on the grid. You type the characters by tabbing between four fields in the dialog box. While the coordinates requested each time are random, the grid is finite, and an attacker who has monitored your logins might, over time, be able to map out your grid. Therefore, it's important to periodically generate a new grid. (LastPass reminds you after 100 uses.)
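To make the "finite grid" point concrete, here is an added toy model of the Grid challenge-response scheme (example code written for this article, not LastPass's own implementation). It assumes a 10x26 grid of alphanumeric cells, since the article does not give the real dimensions, and includes both a simulated eavesdropper and the closed-form estimate of how much of the grid leaks after a given number of observed logins.

```python
import random
import secrets
import string
# Constructed assumption: the article gives no grid dimensions, so this toy grid
# is ROWS x COLS alphanumeric cells, columns labelled A.., rows numbered 1..
ROWS, COLS = 10, 26
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_CELLS = 4  # the login dialog asks for four coordinates

def generate_grid(rng=None):
    """Build a fresh random grid; the user prints it and keeps it offline."""
    rng = rng or secrets.SystemRandom()
    return [[rng.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]

def new_challenge(rng=None):
    """Pick four distinct cells; the server shows their labels, e.g. 'C7'."""
    rng = rng or secrets.SystemRandom()
    cells = set()
    while len(cells) < CHALLENGE_CELLS:
        cells.add((rng.randrange(ROWS), rng.randrange(COLS)))
    return sorted(cells)

def coord_label(cell):
    row, col = cell
    return f"{string.ascii_uppercase[col]}{row + 1}"

def respond(grid, challenge):
    """What the user types: the characters at the requested cells, in order."""
    return "".join(grid[r][c] for r, c in challenge)

def verify(grid, challenge, response):
    """Server-side check: constant-time compare, tolerant of lowercase input."""
    response = response.strip().upper()
    if len(response) != CHALLENGE_CELLS or not response.isascii():
        return False
    return secrets.compare_digest(respond(grid, challenge), response)

def observed_fraction(grid, logins, seed=0):
    """Share of the grid an eavesdropper learns from watching `logins` logins."""
    rng, known = random.Random(seed), {}
    for _ in range(logins):
        challenge = new_challenge(rng)
        for cell, ch in zip(challenge, respond(grid, challenge)):
            known[cell] = ch
    return len(known) / (ROWS * COLS)

def expected_fraction(logins):
    """Closed form: a cell appears in a challenge with probability 4/N per login."""
    return 1 - (1 - CHALLENGE_CELLS / (ROWS * COLS)) ** logins
```

With these assumed dimensions, `expected_fraction(100)` is about 0.79: after the 100 logins at which LastPass sends its reminder, an observer who captured every challenge and response would know roughly four fifths of the grid, which is why regenerating it matters.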

While Grid is free, I found the system cumbersome to use. And like Sesame and YubiKey, it has one rather glaring limitation: It doesn't work with the iPad, iPhone or other mobile devices. If you use those devices, each will continue to have access using only a user ID and password unless you specifically block them. (Smartphone access can also be restricted by adding the device's unique device identification code, known as a Universally Unique Identifier, or UUID, to a white list of approved devices. However, it's theoretically possible -- though probably unlikely -- that someone could spoof your device's UUID to bypass this security feature.)

Option 2: Sesame

Sesame is a random password generation program, available in Windows, Mac and Linux versions, that automatically enters a one-time password and logs you into LastPass. You'll need to upgrade from the free version of LastPass to LastPass Premium ($12 per year) to use Sesame or YubiKey.

Sesame is much faster and easier on the eyes than using a printed grid. You can configure Sesame to restrict access by mobile devices as well as to local copies of password data. The program can run locally on any computer, but it's really designed to run from a USB device alongside LastPass and a portable browser.

[Image: LastPass Sesame dialog]

Sesame is not integrated into LastPass but is a separate app you run each time you want to log into your account. Add your account to Sesame, click "Generate a one-time password" and Sesame launches your browser and brings up the LastPass login screen. Enter your master password and you're done. Alternatively, you can send the password to the clipboard and paste it into the login screen when prompted.

Option 3: YubiKey

YubiKey (which I did not test) is a dedicated USB key with a button on it that you press to submit a one-time password each time you log in. LastPass authenticates the one-time password by way of YubiKey's third-party service.

The YubiKey approach is more secure than Sesame because it is a read-only device that simply emits keystrokes as output: It can't be infected with malware, as Sesame could be when it runs from a regular USB drive. But with Sesame you can use your own USB drive. YubiKey is a dedicated hardware device that you purchase from YubiKey for $25 per key.

All three techniques will be more than adequate for the average person's needs, so choosing is a matter of convenience. The most secure combination on untrusted machines is to use two USB keys: One hosting the portable browser/LastPass software and a YubiKey. But you may not always have two USB ports handy.

Copyright © 2010 IDG Communications, Inc.
