Using YubiKeys with LastPass


To use a YubiKey with LastPass, you need to have a LastPass Premium, Families, Enterprise or Teams account.

Any YubiKey configured with a Yubico OTP credential works with LastPass (with the exception of the Security Key and the YubiKey Bio, which support FIDO protocols only). The Yubico page on the LastPass site lists the benefits of using YubiKey to protect your LastPass account. For instructions on how to associate your YubiKey with your LastPass account, see YubiKey Multifactor Authentication in the LastPass user manual.

The LastPass Mobile Device Application supports YubiKey two-factor authentication via both direct connection (USB, Lightning, etc.), and via NFC for NFC-enabled YubiKeys (e.g. YubiKey 5 NFC) on Android and iOS mobile devices.

Please note that if you plan to use the YubiKey with your iPhone via NFC, make sure that you are using an iPhone 7 or newer on iOS 11 or greater with LastPass for iOS version 4.4.4.2222 or greater.

If you are running into any issues with setting up your YubiKey with LastPass, we have listed a few common questions below in our Troubleshooting section.

Troubleshooting

“Why does logging into LastPass with my YubiKey fail on iPhone/iPad, but works just fine on my computer?”

You seem to be experiencing an issue we have seen with certain versions of iOS 15. 

On devices running certain versions of iOS 15, the first one or more characters of the YubiKey's typed output are completely ignored when the key is connected directly over Lightning (that is, plugged into a Lightning port without an adapter, so this should only apply to the YubiKey 5Ci). With Yubico OTP, this makes the OTPs invalid (because they are missing one or more characters), which causes problems logging in to services that use Yubico OTP, like LastPass.

Please update your iOS version and see if that resolves the issue.

“When attempting to set up my YubiKey in LastPass, I received the message ‘Something went wrong. At least one Yubikey token failed to validate’, how do I fix this?”
Note: If you are setting this up on iOS, then as a first step, please ensure that you have updated iOS to the most recent version if you have not done so already. If that does not work, please follow the rest of the steps below.

Please run through the test on this site. If you receive the error Failed to validate OTP, please click the OTP itself (e.g. vvccccbeljhhedkthdvthktvkkfullnfvitkicdvveji) under Previously validated OTPs, to reveal a more specific error message.

If this error message is "NO_VALID_ANSWERS", then the credential used to generate the OTP is not known to our servers, meaning it will need to be uploaded (LastPass uses our servers for Yubico OTP validation). This can be done here, but if you do not have the parameters needed to fill out the form on this page, you can alternatively program and upload a new credential; see our article on this here.


If the revealed error message is something other than "NO_VALID_ANSWERS", please let us know by submitting a support ticket here.

“When I touch my key for usage in LastPass, it does not produce a string of letters”
Please be sure that you are using a key that is compatible with LastPass. A list of compatible devices can be found under Compatible devices at the top of this page.


LastPass utilizes Yubico OTP for its security protocol, so you want to make sure that you are using a key that supports this feature. The (blue) Security Key Series keys and the YubiKey Bio do not support Yubico OTP and are therefore not compatible with LastPass, whereas our YubiKey 5 Series keys do support Yubico OTP and are usable with LastPass.

If you are using a YubiKey that is compatible with LastPass, then you will want to check if there is anything configured on your YubiKey’s OTP application. The YubiKey has both a short touch (Slot 1) and a long touch (Slot 2). If you find that no matter how long you touch the key, nothing is produced, then you will want to check the YubiKey configuration. One way to do so is in the YubiKey Manager under Applications > OTP (pictured below).

[Screenshot: YubiKey Manager, Applications > OTP]

As you can see in the above picture, only one of the slots (Slot 2) is currently programmed. Each configuration slot in the YubiKey's OTP function can hold up to one credential of one of the following types:

  • Yubico OTP
  • Challenge-Response
  • Static Password
  • OATH-HOTP

In other words, Slot 2 can store a Yubico OTP credential, a Challenge-Response credential, a Static Password or an OATH-HOTP credential, but it cannot store more than one of these types at the same time. Slot 1 operates the same way. This means that if you cannot produce a Yubico OTP from either a short or a long touch, you may need to program a new one onto your YubiKey, as the currently configured slot could be programmed for something else. If you have an empty slot, consider configuring the new credential there first instead of overwriting an existing slot. To do so, please follow our article on this here.
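Added example (not Yubico or LastPass code): a local Python check of what a touch actually typed, covering the dropped-character case from the iOS 15 question and the wrong-slot-type case above. It assumes the default 44-character Yubico OTP layout (12-character public ID followed by 32 characters of encrypted data); the function names and the 6/8-digit OATH-HOTP heuristic are this example's own, and the sample is the example OTP quoted earlier on this page.

```python
MODHEX = "cbdefghijklnrtuv"   # modhex character at index i encodes hex nibble i
OTP_LEN = 44                  # assumed default: 12-char public ID + 32-char AES block
PUBLIC_ID_LEN = 12
SAMPLE_OTP = "vvccccbeljhhedkthdvthktvkkfullnfvitkicdvveji"  # example OTP from this page


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes; ValueError on a non-modhex character or odd length."""
    nibbles = [MODHEX.index(ch) for ch in text]   # str.index raises ValueError
    if len(nibbles) % 2:
        raise ValueError("odd number of modhex characters")
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def diagnose(typed: str) -> dict:
    """Classify the output of one touch. Purely local: no validation server is contacted."""
    s = typed.strip().lower()
    if not s:
        return {"verdict": "empty", "hint": "nothing typed: check whether the slot is programmed"}
    if s.isdigit() and len(s) in (6, 8):
        return {"verdict": "oath-hotp", "hint": "looks like OATH-HOTP, not Yubico OTP"}
    bad = sorted(set(s) - set(MODHEX))
    if bad:
        return {"verdict": "not-modhex", "hint": f"characters outside modhex: {bad}"}
    if len(s) < OTP_LEN:
        # Same symptom as the iOS 15 issue: characters lost before reaching the app.
        # If they were lost from the front, the public ID is the damaged part.
        return {"verdict": "truncated", "missing": OTP_LEN - len(s),
                "hint": "OTP is short; it will fail validation"}
    if len(s) > OTP_LEN:
        return {"verdict": "too-long", "hint": "longer than a default Yubico OTP"}
    return {"verdict": "well-formed",
            "public_id": s[:PUBLIC_ID_LEN],
            "public_id_hex": modhex_decode(s[:PUBLIC_ID_LEN]).hex(),
            "encrypted_bytes": len(modhex_decode(s[PUBLIC_ID_LEN:]))}


if __name__ == "__main__":
    # Constructed inputs: the page's OTP, the same OTP with its first two
    # characters dropped, a digit-only code, and an empty touch.
    for typed in (SAMPLE_OTP, SAMPLE_OTP[2:], "123456", ""):
        print(repr(typed), "->", diagnose(typed))
```

A "well-formed" verdict only means the string has the right shape; whether the credential is known to the validation servers (the "NO_VALID_ANSWERS" case) can only be answered by the test site.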


“My YubiKey has stopped working, and does not work on multiple devices”

Please follow the instructions found here. If you still run into issues with using your key, submit a support ticket here, with information on the issue (such as what you have tried so far and any applicable screenshots).