One Password Manager To Rule Them All: LastPass, Part 5
You’re all set up with LastPass, but there is one huge problem. How exactly do you best use LastPass on a mobile device? Furthermore, if you are using a YubiKey for multifactor authentication, how do you register new mobile app installs on devices that, by default, do not have standard USB ports?
These are all important questions that are going to be addressed in the final post of TechEdified’s LastPass series.
Note: LastPass has apps available for practically every extant mobile platform, but since the overwhelming majority of people use either iOS or Android, I am going to limit the scope of this article to those two operating systems.
Since you’ve made it this far, I’m going to assume that you’ve thoroughly read through every post in this series, that you understand the importance of having multifactor authentication enabled, and that you have configured your second factor to allow access from mobile devices. Right?? (gulp)
The best place to start with your LastPass mobile setup is back in your Account Settings. Within this tab is a key setting for ensuring that your LastPass account is secure. By default, if you’ve enabled mobile devices from the Multifactor Options tab, you should be able to log into LastPass from any mobile device with just your email address and LastPass Master Password. This also means that if your credentials are compromised, anyone can log into your Vault from any mobile device without your second factor.
Obviously, this is a weakness in the LastPass system we’ve configured. Luckily, it can be easily addressed. Open your Account Settings and click on the Mobile Devices tab. Now, check the box that is labeled "Restrict mobile devices to the specific UUIDs listed as enabled below:". Access to your LastPass Vault via mobile apps is now locked down and restricted to the specific mobile devices you’ve previously enabled.
So, how do we enable a mobile device? Whenever you need to do a fresh install of the LastPass mobile app, go to the Mobile Devices tab of your Account Settings and uncheck the "Restrict mobile devices to the specific UUIDs listed as enabled below:" box. Now, close out of your Account Settings and log into LastPass from your mobile device.
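After you’ve successfully logged into LastPass from the mobile app, go back to the Mobile Devices tab in your Account Settings. You will see that your mobile device and its UUID have been registered with LastPass. Click Enable under the Action column and re-check the "Restrict mobile devices to the specific UUIDs listed as enabled below:" box. Until that box is re-checked, your account is back in the default state described above, where any mobile device can log in with just your email address and Master Password, so complete these steps in one sitting.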
I know that this might seem laborious, but it is something you only have to do when first configuring LastPass on a new mobile device. From now on, logging into the mobile app will be no different than logging into the browser extension, and you can rest assured that no one can access your Vault from their own mobile device, even if your account credentials are compromised.
Now that we’ve covered the mobile LastPass setup, we need to get into the actual mobile apps. Although they might look a bit different from the implementations of LastPass we’ve already covered, they are pretty full-featured, and you can accomplish many of the same tasks those counterparts offer, even when on-the-go (e.g., Adding/Editing/Removing Sites, Secure Notes, Password Generation, etc.).
The iOS implementation of LastPass involves at least two different apps: (1) the eponymous LastPass app, and (2) LastPass’s dedicated iOS web browser, LastPass Tab. They each have their strengths and weaknesses, and which product ultimately becomes your iOS app of choice really depends on you.
The LastPass iOS app is analogous to what you get when you log into your Vault in a traditional web browser. It is your password database, your Secure Notes, and all the other information you’ve decided to store with LastPass. Here, you can quickly search for a particular web site, and view, edit, and copy its credentials.
Yes, I said copy your credentials, and due to the inherent iOS restrictions on inter-app communication, you’re going to be doing a lot of copying if you decide to use this app as your primary way of interacting with LastPass on iOS. Whether your main browser of choice is Safari, Chrome, or one of the many other third-party alternatives available, an extension is not an option. So, the first time you visit a site in your iOS browser and you need to log in, you will need to switch to the LastPass app, log in, search for the site, copy its credentials, switch back to your browser, and paste them in.
Now, LastPass does have a bookmarklet available that you can install in your browser of choice. When you visit a site you need to log into, tap the bookmarklet and it will open the site (and fill in the requisite authentication information) inside of the LastPass app itself. Personally, I don’t like this option. I download and use iOS browsers, like Chrome, because I prefer their interface and unique features, relative to the platform’s default option, Safari. I don’t want to view sites through the LastPass app; I want the native iOS Chrome experience. So, most of the time, I end up manually copying and pasting the required information into the Chrome browser itself.
LastPass Tab is a standalone iOS web browser created by LastPass. It’s not the prettiest or most user-friendly app, but it has one huge advantage over the regular LastPass app: autofill. So, try to imagine that LastPass Tab is just like your traditional browser with the LastPass extension installed. You open it up, log in to LastPass, and now, when you navigate to a site that you have credentials for in your Vault, LastPass Tab automatically fills in the information, just like when you’re using your regular browser.
This is as convenient as LastPass gets on iOS, at least for now. The only major downside is that you are required to use their clunky web browser.
The Glory of LastPass + Android
The LastPass implementation on Android is, quite frankly, vastly improved over the iOS experience, and is as close as you can get to the traditional desktop/laptop LastPass experience on a mobile device. As with iOS, there is an element of app switching, but if you tweak one setting in the LastPass app, you can use Android’s superior Notification System for some seriously awesome LastPass action.
How does this work? After you install the LastPass app, open it up, tap the three dot menu icon, and select More | Preferences. Next, scroll down to the Default Site Action setting, tap it, and select Add Copy Notification. Now, no matter what browser you decide to use on Android (and there are MANY excellent choices), when you need any of your credentials, switch over to the LastPass app, log in, find the site of interest, and tap it. The site’s user name and password will automatically be copied to your Notification Area.
Once you switch back to your browser, you can simply swipe down and tap each entry to copy the site’s username/password. This might not sound vastly different from iOS’s implementation, but believe me, once you’ve lived with both solutions for some time, you’ll appreciate how silky smooth and functional Android’s approach is (btw, once you are done with those credentials, make sure you dismiss them from the Notification Area).
Of course, since this is Android, there are a handful of other, even potentially more streamlined approaches to using LastPass. For example, you can switch Android’s default keyboard to the LastPass keyboard, and, once you log in, you get the convenience of autofill, regardless of which app you’re using. In addition, there are Android browsers (e.g., the venerable Dolphin Browser) that allow extension installation, and have excellent LastPass Add-Ons available, which results in an experience that is practically identical to LastPass on traditional computing platforms.
The main point is that, because of the built-in flexibility of the Android platform, you have a plethora of options available for how you decide to implement your LastPass solution on your mobile device.
It may have taken many months, but we are, finally, at the end. I’ve covered what I feel are the absolute necessities for incorporating LastPass into a modern, digital lifestyle. I can’t overstate how important it is for people to start adopting a security-aware mindset. If you don’t take control of your digital life, someone else will, and the months or years it takes to recover may have deleterious, long-term consequences for the lives of you and your loved ones.
I appreciate getting feedback, so if you have any questions, corrections, or suggestions on anything I’ve covered, please feel free to contact me or leave a comment.