I’ve recorded my enthusiasm for Lastpass here before. It’s a browser plugin that remembers all your passwords for you and stores them securely on the web. It can enter login credentials automatically and effectively provides you with a single sign-on across the web.
Of course, you need a password to secure all this. Lastpass provides a variety of ways to keep your encrypted password collection secure. One of them is a hardware device called a Yubikey, made by Yubico in Sweden.
In a nutshell, it’s a chip with a USB connector and a button. It functions as a keyboard and emits an identifier and a unique password whenever the button is touched for a second or so.
In principle, it means that even if you use a PC with malicious software installed on it, your login details can’t be compromised. The passwords it issues are one-time passwords and are not reused.
If the site you log into supports two-factor authentication (something you have and something you know, i.e., a key and a password) then possession of the key alone will not provide access.
The Lastpass screencast here shows it nicely (click on How to use LastPass with a YubiKey) and answers the inevitable question:
But what if I lose it?
What finally pushed me to try this out was Fastmail’s decision to support it (announced here) — on their beta server for now.
So, I looked to order one and I ended up taking advantage of a special offer which expires this month: two Yubikeys and a Lastpass account for $40. At that price the keys are $14 each, which for serious security is a bargain.
The keys arrived the following day by registered mail — they clearly didn’t come from Sweden.
It works beautifully and is strangely satisfying to use.
The only problem I had was that two-factor authentication didn’t work with Fastmail if a single-factor Yubikey login was also configured among the alternative logins.
You can tell Lastpass that your home computer is secure and that you don’t need to use the Yubikey with it, and when traveling you can fetch it out of your wallet and use it on other systems with some peace of mind.
Unless someone gains access to the key and your Lastpass password, or to your Lastpass password and your email account, your passwords are secure.
I think I might have preferred a key in the form of a USB stick with a retractable connector, like the Cruzer USB memory sticks, and a hidden purpose. But that’s a minor quibble. (I can’t put it on my keyring because I have a memory stick there already and one would have to come off to enable both to be used simultaneously).
How much do I like it? Enough that I would change banks for it. It’s a lot better than entering selected letters from my memorable word + decoy characters (or vice versa) when logging in to my account.
It might be the gadget of the year. It’ll surely be a contender in the bang for the buck department. But the special offer ends this month.
Update: it will not work with the new iPad — it has no USB port!

