It’s one of the first anxieties most security-conscious users have about Chromebooks – which password managers support it and will my preferred two-factor authentication (2FA) technology also be supported?
On a PC the answer would be yes on every count. All of the best-known password managers – LastPass, KeePass, Dashlane, 1Password, RoboForm – work on a PC with pretty much every browser and most though not always every authentication option on the market. Add a Chromebook and the choices diminish a bit which is one reason why we’d still recommend LastPass as the best solution for anyone wanting to work across PC, Chromebook, Linux, Apple and mobile at the same time without being hemmed in by annoying security compromises.
As long as you don’t mind paying the $12 (£8) annual subscription to upgrade from the free but less secure edition it is still the best password manager for multi-platform, multi-factor support. Depending on which authentication option is preferred, that $12 can end up buying a huge boost in security.
Regardless of which brand of password manager is used, two-factor authentication in some form should now be regarded as a must.
Sesame v Google Authenticator
A popular LastPass authentication option that comes with the paid edition is an application called Sesame that launches a dedicated application from any USB stick. It’s cheap (the cost of a USB stick) and incredibly simple but running as an executable this option won’t work with Chromebooks which run software as web apps.
The simplest Chromebook-compatible solution (also available with the free edition), is to use Google’s authenticator, which involves sending a code to an app running on an Android, iOS or BlackBerry smartphone. If Sesame is already in use, authenticator must be set as the default multi-factor option in the settings interface.
Pragmatically, LastPass allows devices to be trusted so the user doesn’t have to keep authenticating from that machine. While less secure, an encrypted vault can also be stored locally in case of connectivity problems.
LastPass supports other authentication systems, including Toopher, Duo, Transakt, and Grid, all of them on the free edition, so users willing to use their phone as the second factor are spoilt for choice.
A second supported option (on the paid version only) is to use one of Yubico’s YubiKeys, which are conceptually a sort of cross between a USB stick and a hardware token based on the FIDO U2F standard being promoted by Google and Yubico. Once enabled inside LastPass, this unique key can be used to log in from almost any platform running on any browser running the LastPass plug-in, including of course Chromebooks.
The advantage of a hardware token such as the YubiKey over Google’s Authenticator is twofold. First, it never requires codes to be read from a phone app and typed in. Instead the user simply plugs in the token when required, a slightly easier process. Second, there is no possibility of any kind of man-in-the-middle attack via the phone itself to steal codes (although because they are one-time password (OTP) codes, this is more of an theoretical issue than a present danger).
Again, if you’re already using one of the other technologies the YubiKey must be enrolled and set as the default access method. As with Authenticator, if the Chromebook or PC is marked as trusted inside LastPass there is no need to plug in the YubiKey this every time the Password Manager is used, a small but worthwhile concession to convenience.
The downside is you have to buy one, which costs from $18 to $50 depending on the version. This raises the question of which YubiKey is most appropriate for a Chromebook + PC owner already using LastPass. From Yubico’s comparison chart it is possible to see that the entry-level FIDO U2F model supports authentication on Google accounts as long as you use the Chrome browser (Google describes this support on its website) and WordPress but not alas for LastPass.
Enabling the latter requires buying the $25 (£20) YubiKey Basic Standard. There is also a top-of-the line Neo version, which adds a raft of more complex features including NFC support although for using LasPass with a Chromebook this is probably overkill. Up to five YubiKeys can be associated with one account.
If you’re a LastPass user running more than one browser across PCs, Macs and Chromebooks, the YubiKey Basic Standard is probably the easiest bullet-proof way to start using two-factor authentication without making life inconvenient. It requires an investment in a paid LastPass account plus the one-off cost of the token itself but the step up in security is considerable.
As a bonus, the YubiKey can also can be used to secure Google accounts as long as you stick to the Chrome browser.