[SECURITY HOW-TO] How anyone can avoid losing access to their Steemit Account with LastPass and Duo

Set up a Password Manager with Out-of-Band Authentication to Secure your Steemit Account



Steemit accounts are growing in value rapidly, making them a desirable target for attackers looking to make a quick buck. Whether by spear-phishing (harpooning?) whales in order to compromise your computer, or by brute-force guessing your password via a dictionary attack, when there is hard-earned SD on the line, extra precautions should be taken in order to prevent takeover and loss of your funds. One easy way to give your account security a major upgrade is to require a second factor to login to your password manager vault. I'll show you how to achieve this in the following tutorial by using LastPass as a password manager, coupled with Duo as a multi-factor authentication provider.

Step #1: Download LastPass and Create an Account


  1. Go to the LastPass homepage and download the browser extension by clicking "Get LastPass Free."

  2. Go here to create a LastPass account. Note: make sure that your master passphrase is strong and unique. And whatever you do, don't lose it! I suggest a memorable 4 to 5 word phrase that you invent yourself on the spot (e.g. 3Dwordsmithpranksterhelper, but DON'T USE THIS ONE).

  3. Log into LastPass from your browser by clicking the extension.
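The passphrase advice in step 2 can be backed by numbers. The Python script below is an added example and not part of the original post: it draws words uniformly from a word list with a cryptographic random source (a randomly drawn phrase, unlike one you invent, has a provable entropy figure) and compares the resulting search space against a short conventional password under an assumed offline guess rate. The 20-word list and the rate of ten billion guesses per second are constructed values used only for illustration; the 7,776-word figure is the size of a standard diceware-style list.

```python
import math
import secrets

# Constructed sample word list for the demo. In practice use a large
# published list (a diceware-style list has 7,776 words): entropy per word
# is log2(list size), so list size matters as much as word count.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber",
]

DICEWARE_LIST_SIZE = 7776          # 6**5 words in a standard diceware list
ASSUMED_GUESS_RATE = 1e10          # constructed: 10 billion offline guesses/second


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy in bits of n_words drawn uniformly (with replacement) from a list."""
    if wordlist_size < 2 or n_words < 1:
        raise ValueError("need a list of at least 2 words and at least 1 word")
    return n_words * math.log2(wordlist_size)


def character_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over an alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words: int = 5, separator: str = "") -> str:
    """Pick n_words with the CSPRNG in `secrets`, never the `random` module."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at the given rate (average is half)."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # A 5-word phrase from the small demo list is weak because the list is tiny.
    demo = generate_passphrase(SAMPLE_WORDS, 5, separator="-")
    demo_bits = passphrase_entropy_bits(len(SAMPLE_WORDS), 5)
    print(f"demo phrase: {demo} ({demo_bits:.1f} bits from a 20-word list)")

    # The same 5-word scheme over a 7,776-word list is what makes the advice work.
    for n in (4, 5):
        bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, n)
        years = years_to_exhaust(bits, ASSUMED_GUESS_RATE)
        print(f"{n} diceware words: {bits:.1f} bits, {years:,.0f} years to exhaust")

    # Contrast: an 8-character lowercase password at the same guess rate.
    pw_bits = character_password_entropy_bits(26, 8)
    pw_seconds = years_to_exhaust(pw_bits, ASSUMED_GUESS_RATE) * 365.25 * 24 * 3600
    print(f"8 lowercase chars: {pw_bits:.1f} bits, {pw_seconds:.0f} seconds to exhaust")
```

The point of the comparison is that the strength comes from drawing each word uniformly from a large list, not from the phrase looking odd; an invented phrase built from common words and a name is exactly what a dictionary attack enumerates first.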

Step #2: Change Your Steemit Password and Add It to LastPass

  1. Log in to your Steemit account, navigate to your profile's password reset page, and copy the generated password.

  2. Next, save the newly generated password. To do this, open LastPass by clicking on the extension and then "Sites."

  3. Now, click on "Add Site".

  4. Paste your password into the password field and continue to fill out the rest of the site details. Make sure "Require Password Reprompt" is checked under Advanced Settings.

Step #3: Integrate Duo and LastPass

  1. Go to the Duo signup app here and register for a free personal account. Be sure to select "Just Me" for number of users.

  2. After you are signed up, log into the Duo admin panel, navigate to the "Applications" tab and click the blue "Protect an Application" button.

  3. Search for LastPass and click the "Protect This Application" link.

  4. You're almost there! The page you're redirected to contains some mandatory information to complete the setup. Keep the integration key, secret key, and API hostname handy.

  5. Access your LastPass vault via the extension installed earlier, and navigate to the "Multifactor Options" tab in Account Settings. Scroll down to Duo and click the Edit button.

  6. Now it's time to copy the information to link Duo to LastPass. Set "Enabled" to Yes, "Permit Offline Access" to Allow, and "Use Duo Web SDK when possible" to No. Then copy the integration key, secret key, and API hostname from the LastPass application page in Duo (step 4) into the matching fields.

  7. When you hit Update, you'll be prompted to re-enter the LastPass master password that you created earlier. Then you'll be prompted to enroll your smartphone with Duo. To do so, you will need to install Duo Mobile from your device's trusted app store (Google Play on Android, App Store on iOS). This allows you to use out-of-band two-factor authentication, delivered as a push notification.

  8. At the end of the device enrollment process, make sure to tick the box that says "Automatically send me a:" and select Duo Push. This will cause a push notification to be automatically sent to your phone via Duo Mobile when you log into your password manager.

  9. The push notification will have an approve and a deny button, letting you choose which requests are allowed to authenticate to the password manager. This means that an attacker attempting to access your password manager with stolen credentials will also need to compromise your smartphone. You'll also be alerted to the attempt, because you'll receive a push you did not trigger, allowing you to deny the authentication as fraudulent and thwart the attacker.

  10. You'll know this all worked out properly if Duo is marked as "Enabled" on the multifactor page in LastPass.

  11. Congratulations! Now only someone holding both your master password and your enrolled phone can access your LastPass vault stored in the cloud. You can verify that it is all working by logging out of LastPass and back in: your phone should receive a push notification to complete secondary authentication. If you don't have phone service, you can use the code generated by the Duo Mobile app as a fallback instead.

Remember, don't lose your LastPass master password!

Ingrain this into your brain so you'll never forget it. If you absolutely need to, keep it written down and stored in a locked place (ideally a safe). If you're having any troubles getting this set up, please leave a comment with your issue and I'll help you resolve it. Thanks for reading!

#steem #steem-help #newcomers #account-security #duo #security #2FA #lastpass #password #phishing #attack
