Yubikey with Lastpass

I’ve previously noted my experience requiring a Yubikey to open my VanGuard accounts.

I am pleased to learn my Yubikey can open Lastpass. Recent stories claim Lastpass “might” have been cracked. No proof yet.

I could post my Lastpass name & p/w, but nobody could open it without my Yubikey.

Everyone should use some variation of 2FA for all financials, and I think Yubikey is one of the best.


The concern with the latest Lastpass hack is that a hacker was able to download actual user password vaults.

Yes, everyone should use 2FA and prefer an app like MS Authenticator for OTP over the more common solution of using SMS. The YubiKey is just a much stronger key for 2FA. The future of passwords is going to be passkeys:

But…“While user password vaults are still protected by their master passwords, the hacker may try brute force, phishing, or social engineering attacks.”

In my case, that means somehow getting my 16-digit pw of numbers, symbols, upper/lower letters, AND THEN getting my Yubikey for that code. Foolproof? Of course not, but I feel safe.

I use Lastpass and 2-factor authentication. After reading this post, I am reading about possible additional steps including Yubikey (hardware authentication) and app authentication. Trying to keep up with security stuff is painful for me, so I try to remember that “a stitch in time saves nine”.

I don’t think so…if they have already downloaded the vault, they only need to crack the Master password. The 2FA only protects access to the passwords while accessing them through Lastpass security.

True, but that’s why we must have long 12-16 complex digits, a mix of random upper/lower letters, numbers, symbols.

It’s painful and frustrating for everyone. And the hackers work 24/7/365 to find ways for accessing our private stuff.

It never ends.

With all the hacks I doubt I would ever trust anyone with my passwords especially a 3rd party for profit corp. They all seem to be getting hacked.

Agree, but at last count, I have 450+. Yes, I could create my own file encryption, but having to decrypt for every site would take a lot of time and energy.


I have 2 credit cards, 1 bank, one investment account. The PWs for these are memorized and locked away. I use one desk computer to access only these accounts. I keep my phone as close as my wallet and store some PWs there embedded with data that is only obvious to myself. For non-important sites I just use a common memorable PW. This works well for me. When I croak, the people that will take care of my/our finances know where to look.

Yubikey is great as long as you get 2-3 of them in case you lose one. Keep the spare in a safe spot easy to get to.

Exactly what I did: I have two [one well hidden] and my son has one.

Was looking to get something like a yubikey, but in reading it seems things are moving towards passkeys. I don’t quite understand everything, but will that make HW keys obsolete? Or, at least passkeys are an alternative where you wouldn’t need HW keys if you want increased security?

Well, if you understand passkeys, you are years ahead of me! I tried to get a clear [for dummies] explanation of passkeys, and am more confused now.

This is one explanation and I don’t understand any of it.

I did not follow everything in that article, but some of it, and other things I’ve read, sound like the public/private key authentication method used in many data communications today. They did mention that when you first log in to something that requires the “passkey” authentication method discussed in the article, a physical key could be used to verify the user, but once the passkey is created that would no longer be needed until the passkey expires and you need to generate a new one. You could use other methods to verify a user, like a fingerprint.

In general, I’m not seeing where a HW key will be absolutely necessary in the future. As I understand it today, the HW key currently replaces the 2-factor authentication I currently use on my phone via VIP Access, MS Authenticator, or others. I didn’t really want to spend the $ on a couple of them if they’re going to be rendered optional or obsolete in the near future. I’m fine using my phone for 2FA at the moment.

If someone knows this is incorrect, please chime in.

It was a total fog to me. I did several Google searches and every time got a wall of links [mostly sales], and most of those sent me to more walls of links. I never did find a “passkeys for dummies” simple explanation.

I have not seen a clear explanation how the Yubikey in my pocket could be hacked.

Maybe there are other ways, but I think someone would need to be able to create a duplicate physical Yubikey of yours so they could plug it in their device, or steal yours I guess. It would need to have the same security codes in it that yours does so that it could generate the identical 2FA codes. I would put this in the extremely unlikely category. Someone would have an easier time getting someone’s phone that they use for generating 2FA codes via the applications.

Some of the issues I see now with the HW keys are that you really need more than one in case one breaks, is lost, or is stolen. Then you have to securely store it somewhere and remember where you stored it.

Even if they somehow duplicated, or stole, my Yubikey, they would also need the code [which I originally set]. When accessing my vault, after the typical name / password, I plug in the USB Yubikey.

That generates a blank box for the Yubikey code. If correct, then, and only then, is the Yubi active, and then I press its button and my vault is visible.

Foolproof? Of course not…!!! But unless the hacker can successfully manage all those steps in sequence, my vault should be safe.

[but I am certainly open to perhaps better security]

That helps me understand how it’s used as it wasn’t totally clear since I don’t have one yet. Maybe it would be worth getting one. If it breaks or I lose it I should be able to call Fidelity or Schwab to change the security setup since they would recognize my voice for security purposes.

The Yubi can be used in many places, not just one. I also use it for my Vanguard acct and others. And I do have more than one, just in case.