LastPass has partnered with Duo Security to bring two-factor authentication to LastPass logins, complete with inline self-service enrollment and Duo Prompt.
Overview
This document takes you through configuring your LastPass Free, Premium, or Enterprise account to use Duo Push. You’ll sign up for a Duo account, set up LastPass to use your new Duo account, and enroll your LastPass username and your device for use with Duo’s service.
Once you complete this process, Duo Security’s two-factor authentication platform protects access to your LastPass data by requiring approval when logging in to your LastPass Vault.
Connectivity Requirements
This integration communicates with Duo’s service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service’s high availability.
First Steps
- Sign up for a Duo account. The Duo Free plan is free for up to ten users with unlimited applications.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate LastPass in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don’t share it with unauthorized individuals or email it to anyone under any circumstances!
If you followed a Duo sign-up link from the LastPass site then we’ll automatically create a LastPass application for you!
LastPass Free & Premium
- Log in to your LastPass vault.
- Once logged in to LastPass go to Account Settings → Multifactor Options.
- Click the pencil icon to the right of the Duo Security multifactor option.
- Configure the Duo Security options as follows:
  Enabled: Select Yes.
  Permit Offline Access: Set to Allow if you want access to your password vault even when LastPass is unreachable. For more information about this option please see the topic “Offline Access to Your LastPass Vault” in the LastPass User Manual.
  Use Duo Web SDK when possible: The default setting (No) means that all types of clients see the same LastPass Duo prompt. If you’d like to enable the interactive authentication prompt for web browser logins to LastPass, change this setting to Yes.
  Integration Key: Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
  Secret Key: Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
  API Hostname: Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.
- Click Update when done.
- Enter your LastPass password to confirm the change to your account.
- If your LastPass email address is already enrolled in Duo there are no additional enrollment steps required.
If the email address you use to log on to LastPass is not enrolled as a user in your Duo account, LastPass prompts you to complete Duo enrollment in a new browser tab.
Follow the on-screen steps to complete device enrollment. Please see our user guide to enrollment for more information.
- You can close the Duo browser tab when you see the message “Enrollment successful!” The LastPass browser window displays a message letting you know your setup is complete.
- Verify your LastPass account email address to apply all changes.
- The Duo Security option now shows as “Enabled” on the LastPass Multifactor Options page.
Instructions for configuring LastPass with Duo are also available in the LastPass User Manual.
Test Your Setup
After completing multifactor setup, you’ll see the Duo authentication prompt when you log in to LastPass. You can approve a Duo Push authentication request on your smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.
LastPass Web Page and Browser Extension
The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window.
If you left the “Use Duo Web SDK when possible” option at the default “No” setting, then you’ll see the LastPass Duo prompt and at the same time a push authentication request appears on your mobile device if you’ve activated Duo Mobile.
If you click the “This computer is trusted…” option then you won’t be prompted for two-factor authentication again from the same browser on that device.
If you changed the “Use Duo Web SDK when possible” setting to “Yes”, then you’ll see the inline Duo Prompt.
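The “Use Duo Web SDK when possible” setting and the secret-key warning in First Steps are two sides of the same mechanism: with the Web SDK, the application signs a request for the second factor with the Duo secret key (skey) and later verifies Duo’s signed response with that same key, so whoever holds the skey can mint or validate second-factor assertions. The following is an added, self-contained Python illustration of that sign-and-verify scheme; it is not LastPass’s or Duo’s code, and it reimplements the Duo Web SDK v2 signature format as I understand it from Duo’s open-source `duo_web` library (constants, prefixes and expiry values are assumed, and the integration key, secret key and application key values are constructed). The `duo_service_response` function stands in for Duo’s hosted service so the round trip can run offline.

```python
import base64
import hashlib
import hmac
import time

# Assumed constants, following Duo's Web SDK v2 (not taken from this page).
DUO_PREFIX = "TX"      # request half, signed with the Duo secret key (skey)
APP_PREFIX = "APP"     # request half, signed with the application's own key (akey)
AUTH_PREFIX = "AUTH"   # response half issued by Duo after a successful second factor
DUO_EXPIRE = 300       # seconds the Duo-signed halves stay valid
APP_EXPIRE = 3600      # seconds the application-signed half stays valid

# Constructed sample credentials; real values come from the Duo Admin Panel
# (IKEY/SKEY) and from the application itself (AKEY). Never commit real keys.
IKEY = "DIXXXXXXXXXXXXXXXXXX"   # 20 characters
SKEY = "s" * 40                  # 40 characters, the secret the page warns about
AKEY = "a" * 40                  # application-side secret, at least 40 characters


def _sign_vals(key: str, vals: list, prefix: str, expire: int, now: int) -> str:
    """Produce 'PREFIX|base64(user|ikey|exp)|hmac-sha1' for one half of a signature."""
    exp = str(now + expire)
    payload = "|".join(vals + [exp])
    b64 = base64.b64encode(payload.encode()).decode()
    cookie = f"{prefix}|{b64}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key: str, val: str, prefix: str, ikey: str, now: int):
    """Return the username if val is a correctly signed, unexpired half, else None."""
    try:
        u_prefix, u_b64, u_sig = val.split("|")
    except ValueError:
        return None
    expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig):   # constant-time comparison
        return None
    if u_prefix != prefix:                          # a TX request is not an AUTH response
        return None
    try:
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
    except ValueError:
        return None
    if u_ikey != ikey or now >= int(exp):           # wrong integration or expired
        return None
    return user


def sign_request(ikey: str, skey: str, akey: str, username: str, now=None) -> str:
    """Application side: build the sig_request handed to the Duo prompt."""
    now = int(time.time()) if now is None else now
    vals = [username, ikey]
    duo_sig = _sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def duo_service_response(skey: str, ikey: str, sig_request: str, now=None):
    """Stand-in for Duo's service (constructed for this example): check the TX half,
    then, as if the user had approved the push, issue the AUTH half."""
    now = int(time.time()) if now is None else now
    duo_sig, app_sig = sig_request.split(":")
    user = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    if user is None:
        return None
    return f"{_sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now)}:{app_sig}"


def verify_response(ikey: str, skey: str, akey: str, sig_response: str, now=None):
    """Application side: accept the login only if both halves verify for the same user."""
    now = int(time.time()) if now is None else now
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


if __name__ == "__main__":
    t0 = int(time.time())
    req = sign_request(IKEY, SKEY, AKEY, "alice@example.com", now=t0)
    resp = duo_service_response(SKEY, IKEY, req, now=t0 + 5)
    print("verified user:", verify_response(IKEY, SKEY, AKEY, resp, now=t0 + 10))
```

The checks in `_parse_vals` are the ones that matter operationally: a request half replayed as a response fails on the prefix, a response older than `DUO_EXPIRE` fails on the timestamp, and a response signed with any key other than your skey fails the HMAC. That last point is why the page tells you to guard the skey like any other credential: rotating it in the Duo Admin Panel invalidates every outstanding signature, and it must then be updated in the LastPass settings described above.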
LastPass Mobile App
The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you’ve activated Duo Mobile. You may approve the Duo Push request from the same device where you are logging into the LastPass mobile app.
If you click the “Trust this device?” option then you won’t be prompted for two-factor authentication again by the LastPass app on that device.
LastPass for Applications
The LastPass for Applications program is available for Microsoft Windows only. The LastPass Duo multifactor window displays after entering your username and password in the LastPass for Applications login window, and at the same time a push authentication request appears on your mobile device if you’ve activated Duo Mobile.
If you click the “This computer is trusted…” option then you won’t be prompted for two-factor authentication again when logging in to LastPass for Applications.
LastPass Enterprise
Configure Duo Security
- Log in to your LastPass vault as an enterprise administrator.
- Once logged in to LastPass click Admin Console in the left navigation pane.
- In the LastPass administrator console, click Settings on the left, then click Policies.
- Click the ADD POLICY button and then select the Require use of Duo Security policy from the “Multifactor” section of the drop-down list. Enter the Duo Security information as follows:
  Value: Enter the number of days between LastPass account creation and Duo authentication enrollment. Enter 0 to require Duo authentication immediately.
  Duo Security integration key: Copy and paste in the integration key from the LastPass application you created earlier in the Duo Admin Panel.
  Duo Security secret key: Copy and paste in the secret key from the LastPass application you created earlier in the Duo Admin Panel.
  Duo Security API hostname: Copy and paste in the API hostname from the LastPass application you created earlier in the Duo Admin Panel.
- Use the Applies To: options to choose whether to enforce Duo two-factor authentication for all your LastPass users or only certain users. We recommend protecting all users with Duo.
- Click Save when done.
The Duo Security policy is enabled and shows the number of days you entered into the “Value” box when creating the policy.
- The default LastPass policy for Duo Security assumes that your Duo usernames use email format (username@example.com). If your Duo usernames do not include email domain, you can modify the LastPass username format sent to Duo.
Click the Add Policy button again, and select the Use username portion of email address as Duo Security username policy from the “Multifactor” section of the drop-down list. Check the box to enable this policy, then click Save.
- (Optional) LastPass Enterprise customers have the option of switching to the interactive authentication prompt.
To enable the interactive Duo prompt, click the Add Policy button again, and select the Use Duo Web SDK when possible policy from the “Multifactor” section of the drop-down list. Check the box to enable this policy, then click Save.
Refer to the LastPass Enterprise Manual for more information about using Duo with LastPass.
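Before enforcing the policy, it is worth previewing which users LastPass will find already enrolled in Duo and which it will push into new enrollment, because the username format policy decides that match: with the default policy LastPass sends the full email address, with the “Use username portion of email address” policy only the part before the @. A user who is enrolled in Duo as `alice` but looked up as `alice@example.com` is treated as not enrolled and is prompted to enroll again, which creates a second Duo user. The following added Python check (not LastPass or Duo code) runs that comparison against a constructed list of LastPass emails and a constructed set of Duo usernames; in practice you would feed it an export of your Duo users.

```python
# Constructed sample data: LastPass login emails and the usernames that already
# exist in the Duo account (as an admin might export them from the Duo Admin Panel).
LASTPASS_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
DUO_USERS = {"alice", "bob", "carol@example.com"}


def duo_username(lastpass_email: str, use_local_part: bool) -> str:
    """Username LastPass sends to Duo under each policy setting.

    use_local_part=False: default policy, full email address.
    use_local_part=True:  'Use username portion of email address' policy.
    """
    if use_local_part:
        return lastpass_email.split("@", 1)[0]
    return lastpass_email


def enrollment_preview(lastpass_users, duo_users, use_local_part: bool):
    """Split LastPass users into those Duo already knows under the chosen policy
    and those who will be prompted to enroll (and so would become new Duo users).
    Returns two lists of (lastpass_email, duo_username) pairs."""
    already_enrolled, will_be_prompted = [], []
    for email in lastpass_users:
        name = duo_username(email, use_local_part)
        target = already_enrolled if name in duo_users else will_be_prompted
        target.append((email, name))
    return already_enrolled, will_be_prompted


def mismatch_report(lastpass_users, duo_users):
    """Compare both policy settings and report how many users each leaves unenrolled,
    so an admin can pick the policy (or clean up Duo usernames) before enforcing it."""
    report = {}
    for label, flag in (("full_email", False), ("local_part", True)):
        enrolled, prompted = enrollment_preview(lastpass_users, duo_users, flag)
        report[label] = {"enrolled": len(enrolled), "prompted": len(prompted),
                         "prompted_users": [email for email, _ in prompted]}
    return report


if __name__ == "__main__":
    for policy, result in mismatch_report(LASTPASS_USERS, DUO_USERS).items():
        print(f"{policy}: {result['enrolled']} enrolled, "
              f"{result['prompted']} would be prompted -> {result['prompted_users']}")
```

In the constructed data neither policy matches every user, which is the situation to resolve in Duo (rename `carol@example.com` to `carol`, or the other two to full addresses) before applying the “Require use of Duo Security” policy, so that existing users keep their enrolled devices instead of being walked through enrollment a second time.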
User Enrollment Process
Any LastPass user to whom you’ve applied the “Require use of Duo Security” policy must enable Duo at next vault login.
- Re-enter the LastPass password and click BEGIN ENABLING DUO SECURITY.
- The user must confirm his or her LastPass username.
- LastPass checks to see if the LastPass username is already enrolled as a Duo user. If not, then LastPass prompts the user to begin the Duo enrollment process in a new browser tab.
- Close the Duo browser tab after successful Duo enrollment. LastPass notifies the user that multifactor setup is complete.
- LastPass administrators can see which users have enabled Duo multifactor from the “Users” page in the LastPass administrator console. Users who have completed Duo Security setup show the Duo logo in the “Multi-factor” column.
User Login Experience
The Duo multifactor login experience for LastPass Enterprise users is the same as for LastPass Free/Premium users if you did not enable the Duo Web SDK policy.
After completing multifactor setup, users see the Duo authentication prompt when they log in to LastPass. Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.
If you did enable the Duo Web SDK policy for your organization, browser logons to LastPass show the interactive Duo prompt, while mobile app logins continue to show the original LastPass multifactor prompt.
When your LastPass Enterprise users view their multifactor options for Duo, the setting shows as enforced by company policy.
Troubleshooting
Need some help? Take a look at our LastPass Knowledge Base articles or Community discussions. For further assistance, contact Support.