FireOak Strategies Blog

LastPass Authenticator Security Evaluation

In March of 2016, LastPass announced the availability of LastPass Authenticator, a new smartphone app that provides push-based multi-factor authentication (MFA) for users of their cloud-based password management service.

Eric Smith is the Chief Technologist and Chief Information Security Officer (CISO) for FireOak Strategies, LLC. You can reach Eric at [email protected] or follow him on Twitter at @FireOakCISO.


Multi-factor authentication is an essential component of any robust authentication system, so we were pleased to see LastPass make this tool available. Even so, several existing MFA systems already work with LastPass, so it is important to understand what the new authenticator can do and how it stacks up against that competition.

Compatibility with Google Authenticator

During device enrollment, LastPass Authenticator automatically configures a time-based one-time password (TOTP) generator that follows the same RFC 6238 profile as Google Authenticator. Because each code is derived only from the shared secret and the current time, the rotating numeric code can be used as a fallback whenever the device running LastPass Authenticator has no data connectivity at the moment an authentication is needed.

In addition, LastPass Authenticator can scan Google Authenticator QR codes, and Google Authenticator can scan LastPass Authenticator enrollment codes. The TOTP implementations are identical, and the Google Authenticator app simply ignores the custom LastPass fields included in the enrollment barcode.
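As an added example (not code from the original post, and not LastPass's or Google's implementation), the following Python shows the two interoperability points above: an otpauth:// enrollment URI that carries extra vendor-specific query fields still parses down to the standard TOTP parameters, and the one-time code is computed from the shared secret and the clock alone, so it works with no network access. The `lp_*` field names and the sample URI are invented placeholders; the page does not document the real LastPass fields. The secret is the RFC 4226/6238 test-vector key, so the code at T=59 can be checked against the RFC.

```python
"""Interoperable TOTP (RFC 6238 over RFC 4226 HOTP), as used by Google Authenticator-compatible apps.

Added illustration, not LastPass or Google code. The otpauth:// URI below is constructed
for this example; the lp_* parameters are hypothetical stand-ins for vendor-specific fields.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 reference secret: ASCII "12345678901234567890", base32-encoded.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed enrollment URI. A standards-based scanner only needs `secret`,
# optionally `issuer`, `algorithm`, `digits`, `period`; everything else is dropped.
SAMPLE_URI = (
    "otpauth://totp/LastPass:user%40example.com"
    "?secret=" + RFC_TEST_SECRET_B32 +
    "&issuer=LastPass&digits=6&period=30&algorithm=SHA1"
    "&lp_device=abc123&lp_push=1"  # hypothetical vendor fields
)

STANDARD_FIELDS = {"secret", "issuer", "algorithm", "digits", "period"}


def parse_otpauth(uri: str) -> dict:
    """Extract the standard TOTP parameters from an otpauth:// URI, ignoring unknown query fields."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("enrollment URI has no secret")
    label = unquote(parts.path.lstrip("/"))          # "Issuer:account" or just "account"
    issuer, _, account = label.partition(":") if ":" in label else ("", "", label)
    return {
        "account": account,
        "issuer": query.get("issuer", issuer),
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        # Vendor-specific fields are recorded here only to show they were ignored.
        "ignored": sorted(k for k in query if k not in STANDARD_FIELDS),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period). Touches no network."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // period, digits, algorithm)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check: constant-time compare against the current step and +/- `window` neighbours."""
    now = int(time.time()) if at is None else at
    for step in range(-window, window + 1):
        expected = totp(secret_b32, now + step * period, period, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def code_from_enrollment(uri: str, at: Optional[int] = None) -> str:
    """Scan-to-code: parse the enrollment URI, then derive the code offline from secret + time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    print("enrolled:", enrolled["issuer"], enrolled["account"], "ignored:", enrolled["ignored"])
    print("RFC 6238 vector at T=59:", totp(RFC_TEST_SECRET_B32, 59))   # 287082
    print("current code:", code_from_enrollment(SAMPLE_URI))
```

Two practical notes: the verifier accepts one step of clock drift on either side (`window=1`) and uses `hmac.compare_digest` so a guessed code cannot be distinguished by timing; and nothing in `totp` reads anything but the secret and the clock, which is exactly why the numeric fallback keeps working on a device with no data connection.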

Comparison with Duo Security

LastPass Authenticator bears a striking resemblance to the Duo Security model: both use a push notification to an app on a smartphone or tablet as the default second factor. Unlike Duo, however, LastPass Authenticator cannot be deployed in that user-friendly push mode with other sites or services; its push integration works only with LastPass itself.

FireOak Strategies Recommendation

While LastPass Authenticator provides convenient multi-factor authentication into LastPass for individuals and small departments, enterprise clients who want to maintain a unified MFA deployment should continue to use Duo to secure their LastPass Enterprise deployments. Duo is highly extensible and can be applied to a wide range of other systems, making it a better fit for a unified, enterprise-wide deployment.

In-depth details of the technical analysis are available in this follow-up post.