The Ins and Outs of LastPass’ Sesame
What I learned about the LastPass Sesame Program
I’m a LastPass newbie, and I recently started using Sesame on my LastPass account. I just thought I’d share what I learned about Sesame in case it might help anyone else. All of this information is (sort of) available on the LastPass website, but it is spread out. I never came across any document that explained it all clearly in a way a normal human can understand. As a newbie, I had to find all the pieces of the puzzle and put them together myself through studying, testing, and asking questions. Anyway, here it is.
Sesame provides 2-factor authentication protection for your LastPass account. As people have explained it to me, 2-factor means that for anyone to log in to your LastPass account (even you) they must KNOW something and they must HAVE something. Those are the 2 factors. They must KNOW your master password. And they must HAVE (physically possess) the USB drive containing the Sesame program (which you’ve activated and linked to your account). They can’t have any old copy of Sesame. They must have your specific copy, stored on your flash drive, which is safely tucked away in your wallet or pocket or knapsack or whatever safe and convenient place you’ve come up with.
The basic idea is that when you log in to your LastPass account with your username and master password, you will then be prompted to input a special one-time password that only your copy of Sesame can produce. You insert your Sesame flash drive or key into a USB slot on your computer and run the program to produce the password. If you don’t do this, you can’t get into your LastPass vault. And no one else can either.
You might argue that this isn’t true 2-factor protection because Sesame produces a password. Isn’t this just another thing that you have to KNOW? Couldn’t a thief know your master password AND your Sesame password? The answer is “No” because Sesame produces a brand new, unique password each time you run it, and each password can be used only once. Once it has been used it is gone forever, so a password that a thief captures or reads over your shoulder is worthless a moment later. What the thief has to HAVE is your activated copy of Sesame, meaning the flash drive (more precisely, the lpsesame.BIN file on it, described below) in his hot little hand. That is also the honest caveat: the factor lives in a file, so anyone who can copy that file has a copy of the factor, which is why the drive needs guarding.
I’ve personally come to like Sesame very much. I prefer it over other 2-factor methods. (Though I imagine that the Yubikey would be even better. I just haven’t had a chance to purchase or try out a Yubikey as yet.) It’s important to note that Sesame is a premium feature of LastPass. You must be a premium customer and pay the $12-a-year fee in order to use Sesame on your account. This is a no-brainer for me. Anyone who balks at paying $1 a month for a program like LastPass must be very, very young. I remember the days when any computer program or service cost ten or a hundred times more than that. $1 a month seems like a bargain to me.
Sesame Works ONLY on Your Computer
One of the first issues I had with Sesame came with the realization that it works ONLY on your computer. Sesame does not work on mobile devices – Android or otherwise. This confused me for a long time because it appeared to be a fatal flaw in the 2-factor protection. If a thief KNOWS your master password, they don’t have to possess your Sesame key in order to get into your LastPass account. They can just do it through their smartphone and bypass Sesame altogether. When I realized this, I wondered, “What is the point of Sesame?” It seemed pointless and useless. 50% protection didn’t seem like any protection at all. It’s like having a massive lock on the front door of your house and no lock at all on your back door.
However, after days (and weeks) went by and I learned more about LastPass, I realized that it is possible (and probably necessary) to have multiple forms of 2-factor authentication enabled on your LastPass account. Therefore, you can have both Sesame AND the LastPass Authenticator app (or another authenticator app) enabled at the same time. Only one of them kicks in when you try to log in to your LastPass account. LastPass has a standard list that it follows. It first looks for Yubikey. If Yubikey isn’t enabled, it looks for Sesame. If Sesame isn’t enabled (or isn’t available, such as on your smartphone), it looks for an authenticator app. The end result is that in order to have true 2-factor protection on your computer AND your smartphone with Sesame, you have to have a second multifactor option enabled. Having just Sesame will not protect your LastPass account from smartphone access.
You can also override the LastPass preferences by setting your own default multifactor method. This is done on the “Multifactor Options” tab of your “Account Settings”. When you open the “Multifactor Options” tab, look down at the bottom, and you will see a box with a drop down menu labelled “Choose Default.” If you have more than one multifactor option enabled, you can decide here which one LastPass will look for first. It will be your default. I have my system set up so that LastPass requires Sesame when I log into my account on my computer and LastPass Authenticator when I log on through my smartphone.
It’s important to note that LastPass offers other ways to protect your smartphone. I do not know how effective it is, but you can specify that YOUR mobile device is the only one in the entire world that can have access to your LastPass account. Access from any other mobile device will not be permitted. If this really works, then fantastic! The only risk to your account would then be the theft or loss of your mobile device. Even if a thief knew your master password, they could not access your account from their smartphone. Access would be denied automatically. They would have to physically possess YOUR smartphone to do it.
I also learned that Yubikey, unlike Sesame, DOES work on both your computer and your smartphone. To that extent, Yubikey is preferable because you only need the one multifactor option enabled. However, as far as I understand it, this only applies to the Yubikey NEO, which has NFC capability in addition to the USB connector. And, of course, your smartphone would have to have NFC capability to work. However, despite being limited to only your computer, Sesame does have some advantages over Yubikey.
Making Multiple Copies of Sesame
One advantage to Sesame is that the program can easily be copied. The Yubikey is a hardware device, and you can’t make copies of it yourself willy-nilly. Sesame is a piece of software. When you download it from the LastPass downloads page, you end up with a sesame.exe file. You can store or move that file anywhere you like. You have to activate Sesame before you can use it, and this is done simply by double clicking on the sesame.exe file and going through the setup process. (More about this later.) When that is completed, you will have a BIN file in addition to the Sesame.exe file. This lpsesame.BIN file contains all the information that makes this copy of Sesame unique to you and your LastPass account. Treat that file as a secret: it IS the second factor, and anyone who copies it has it too.
To create your first Sesame flash drive, you simply copy both the sesame.exe file and the lpsesame.BIN file to the flash drive. That’s it. You’re done. To use Sesame, you simply insert the flash drive into a USB port on your computer, navigate to the sesame.exe file, and double-click on it. This will launch the program. It’s possible to have as many Sesame drives as you wish. You could copy the sesame.exe file and the BIN file to two separate flash drives and keep one at home and one at the office. You could make three or four or as many as you like. Of course, the more you create, the greater the chances become of losing one or having one stolen, which reduces your security level. But if you do lose a Sesame drive, you have the option of disabling it. When you do this, you aren’t disabling the specific flash drive. You are disabling the software – the connection between the software and your LastPass account, so it has the effect of disabling ALL of the flash drives at once. It took me a long time to figure that out. Once it is disabled, you can go back and enable Sesame again and create brand new Sesame flash drives. Obviously, you can re-use the physical flash drives themselves. Just delete the old Sesame.exe file and the old BIN file and copy the new ones you’ve created.
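The two properties this and the earlier “used only once” paragraph rely on (the factor is really a secret seed in a file, so copying the file copies the factor and revoking the seed kills every copy; and a password is accepted once, so a captured one is useless afterwards) are easier to see in code. The following Python sketch is an added example, not code from LastPass or from the original post. It uses a generic HMAC-SHA256 counter construction that is my own choice, not Sesame’s actual algorithm (which LastPass does not document); the file layout, the eight-step look-ahead window, the user name and all function names are assumptions.

```python
"""
Illustrative possession-factor one-time-password scheme.

Added example, NOT LastPass Sesame's code or its real algorithm. A seed
file plays the role of lpsesame.BIN on the client; a verifier plays the
role of the LastPass server. Construction, window size and names are
assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from pathlib import Path


def derive_otp(seed: bytes, counter: int) -> str:
    """One-time password for a given counter: HMAC-SHA256(seed, counter), hex-encoded."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac.hex()


class SeedFile:
    """Client side: the activated program's seed file. Copying it copies the factor."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter

    def save(self, path: Path) -> None:
        # Assumed layout: 8-byte counter, then the seed. Counter is kept so one
        # copy keeps moving forward between runs.
        path.write_bytes(self.counter.to_bytes(8, "big") + self.seed)

    @classmethod
    def load(cls, path: Path) -> "SeedFile":
        raw = path.read_bytes()
        return cls(seed=raw[8:], counter=int.from_bytes(raw[:8], "big"))

    def generate(self) -> str:
        otp = derive_otp(self.seed, self.counter)
        self.counter += 1
        return otp


class Verifier:
    """Server side: knows each user's seed and the highest counter already
    consumed. Accepts a password only if it falls in a short look-ahead
    window past that counter, then advances, so nothing is accepted twice."""

    WINDOW = 8  # assumed tolerance for passwords generated but never submitted

    def __init__(self):
        self._seeds = {}  # user -> seed bytes
        self._last = {}   # user -> last consumed counter

    def enroll(self, user: str, seed: bytes = None) -> bytes:
        seed = seed or secrets.token_bytes(32)
        self._seeds[user] = seed
        self._last[user] = -1
        return seed

    def disable(self, user: str) -> None:
        # Revoking the seed invalidates every copy of the seed file at once.
        self._seeds.pop(user, None)
        self._last.pop(user, None)

    def verify(self, user: str, otp: str) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False  # second factor not enabled for this account
        last = self._last[user]
        for counter in range(last + 1, last + 1 + self.WINDOW):
            if hmac.compare_digest(derive_otp(seed, counter), otp):
                self._last[user] = counter  # consume this and any skipped ones
                return True
        return False  # wrong seed, replayed, or too far ahead


def demo() -> dict:
    """Enrol, log in, replay, clone the file, revoke. Returns each outcome."""
    server = Verifier()
    # Fixed seed so the walk-through is reproducible; real enrolment uses a random one.
    seed = server.enroll("alice@example.com", seed=b"\x01" * 32)
    drive = SeedFile(seed)

    otp = drive.generate()
    first = server.verify("alice@example.com", otp)      # fresh password: accepted
    replay = server.verify("alice@example.com", otp)     # same password again: rejected

    clone = SeedFile(seed, counter=drive.counter)        # a copied seed file
    cloned_login = server.verify("alice@example.com", clone.generate())  # copy works

    guess = server.verify("alice@example.com", "f" * 64)  # no seed, no entry

    server.disable("alice@example.com")
    after_revoke = server.verify("alice@example.com", drive.generate())  # all copies dead

    return {"first": first, "replay": replay, "cloned_login": cloned_login,
            "guess": guess, "after_revoke": after_revoke}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `cloned_login` result is the point to dwell on: a second `SeedFile` built from the same seed is accepted exactly like the original, which is why losing or leaking the drive matters even though each individual password is single-use, and why `disable` has to revoke the seed rather than any particular drive.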
Where and How to Store Sesame? Only On USB Drives?
I had some other questions about Sesame that the LastPass website did not answer, so I did my own testing. And I learned that the sesame.exe file does NOT have to be at the root of the drive. You can put it inside a folder and even nest that folder inside another folder. It makes no difference. It will run no matter where it is placed on the flash drive. You can also have other files and documents on that flash drive. The USB flash drive does not have to be dedicated solely to Sesame. You can do whatever you want with that flash drive: copy and transfer files, store other programs, run movies from it, store pictures, whatever. You just put a copy of the Sesame program and the BIN file on that drive and it will run no matter what else is present on the drive.
You can also put Sesame on a hardware-encrypted, password-protected flash drive. I tested this with a Kingston Datatraveler Locker+ G3 and it worked fine. It’s probably overkill, but by doing so you now have another layer of security protecting your LastPass account. Even if a thief stole your Kingston Datatraveler Locker+ G3 flash drive with your copy of Sesame on it, it would be useless to him. He wouldn’t even be able to open the flash drive without the password. And after 10 failed password attempts, the drive shuts down and wipes itself clean of all data. I also tested Sesame with the SanDisk SecureAccess program (included on most or all SanDisk flash drives), and that did NOT work. The SanDisk SecureAccess program appeared to corrupt the BIN file when it encrypted it. The hardware encryption of the Kingston drive did not have this effect, and Sesame worked fine there.
I tested other memory devices, and I found that Sesame works just fine on a portable hard drive as well. I wasn’t able to test an SSD portable drive, but I don’t see any reason why that would be different from using a regular drive with a spinning disk. I also tested Sesame on an SD card, and it worked fine. This is an interesting option because a slim SD card would fit nicely into a wallet and be easy to carry around. The SD card can be inserted into a card slot on your computer or used with a memory card reader. Sesame seems to work fine in both cases. I even copied Sesame to the internal memory of an old MP3 player, and it worked fine from there, too. This all makes sense because Sesame launches in Windows, and it’s irrelevant where the program is stored. So even though the LastPass documentation talks only about USB flash drives, you can use any memory device you choose. As I pointed out, you can even have it installed right on your computer for more convenient access. Keep in mind what that costs you, though: if the BIN file sits on the same computer you log in from, anyone who controls that computer (a thief, or malware) has both factors at once. A removable drive that you unplug and carry with you is what keeps Sesame a genuine “something you HAVE”.
For some people, having to run Sesame every time they want to access their LastPass vault can be tiresome. However, every time you are prompted to run Sesame, you have the option of “trusting” that computer for 30 days when you enter the password. Simply tick the box at the bottom left, and you won’t have to run Sesame again for a full month. Obviously, you would only do this on a computer that only you have access to and that you trust is secure. You can see what devices you have “trusted” by going to your “Account Settings” and selecting the “Trusted Devices” tab.
Using Sesame and the Main Sesame Interface
As far as actually using Sesame goes, there are two basic options. When you open Sesame (by double-clicking on the sesame.exe file), the Sesame main window will appear. At the bottom of this window, you will see two radio buttons. One reads “Launch Browser” and the other reads “Copy to Clipboard.” The “Launch Browser” option is selected by default, and I have not found a way of changing that. If you wish to use the “Copy to Clipboard” process, you have to select it via the radio button every single time you run Sesame. There is a settings menu, but it is greyed out for me. I assume those settings only apply to Enterprise accounts or other more advanced situations. For a regular account, the settings menu does not open.
The “Launch Browser” option is the default because technically it is the easier option and requires less work from you. If you leave “Launch Browser” selected and then click on the main “Generate One Time Password” button, Sesame will do all the work for you in the background. You won’t even see it. It will open your default browser (assuming it isn’t already open), launch LastPass, insert the Sesame one-time password, and then prompt you for your master password. It may not look like it, but the Sesame password WAS generated, inserted and accepted; it all happened automatically, so you just didn’t see it. With the “Launch Browser” option, all you have to do is enter your master password and you’re in, just like always.
The other option is the “Copy to Clipboard” option. When you select this radio button and then click on the “Generate One Time Password” button, Sesame does something completely different. All it does is generate a password and store it in your computer’s clipboard memory. And that’s it. Everything else is up to you and under your control. You have to open your browser. You have to launch LastPass. You have to enter your master password. And THEN you have to paste (Ctrl-V) the Sesame password from clipboard memory when prompted.
To break it down, the Launch Browser option has only four steps:
1. Launch Sesame.
2. Click “Generate One Time Password”.
3. Enter master password.
4. Click the Log In button.
Now your default browser is open (whether Chrome or Firefox), and you are in your LastPass vault.
The Copy to Clipboard option has ten steps:
1. Open browser.
2. Launch LastPass.
3. Enter master password.
4. Click “Log In”
5. Launch Sesame.
6. Select “Copy to Clipboard” radio button.
7. Click “Generate One Time Password.”
8. Click OK when it completes.
9. Paste the password from the clipboard (Ctrl-V) into the Sesame authentication window.
10. Click on the “Authenticate” button.
Being a newbie, I am more comfortable with the longer “Copy to Clipboard” option. Right now I prefer to have things under my control and go through the steps manually just so I master it all before I start to automate things.
There is also an option in Sesame to “Copy Offline Password.” This is the main alternative to the normal “Generate One Time Password” process. You would select this when you have no Internet access and still require a Sesame password. This is used, for example, when you use LastPass Pocket. I noticed that LastPass Pocket will prompt you for this offline password, so you don’t have to worry about remembering this requirement too much.
That’s about it for the basics of USING Sesame. It’s fairly simple and I haven’t had any problems with it at all. I prefer it over using LastPass Authenticator because it does not depend on my smartphone and just feels faster and easier and more reliable overall. I like it a lot. But, of course, I still use the authenticator app on my smartphone since Sesame does not work there.
Setting Up and Enabling Sesame on Your LastPass Account
The setup process for Sesame, however, is NOT all flowers and rainbows and happy thoughts (at least based on my experience). As a newbie, I was VERY confused when I tried to use Sesame for the first time. And the LastPass documentation that I could find did not help much. The problem is that when you activate Sesame for the first time, you are not presented with an activation process or anything like it. Instead, you are presented with a window that says “Add User” plus a place to insert this new user’s name and master password. This made no sense to me at all. I wanted to “turn on” Sesame. I didn’t want to add a user. And what was I adding a new user to? To my LastPass account?
Worse, underneath the place where you add the new user’s credentials, there is a “log-in” button for LastPass. Yet, I was already logged in! So I was very confused. I went around and around in circles for a long time. My goal was to activate, enable, or otherwise turn on Sesame. But when I tried to do that, I was led down this “Add User” process. It made no sense at all. I got no help from the online HelpDesk documents and FAQs.
After a long, long frustrating period of time, I came to the conclusion that installing Sesame and setting it up was the same thing as “Add User.” This is extremely poor UI and design on the part of LastPass, but there it is. I believe this confusion is related in some way to more advanced uses of LastPass, such as LastPass Enterprise where many different people use the same copy of Sesame to access the same LastPass vault. As such, Sesame can have multiple users, and somehow the activation process is tied in with that. It’s so connected that when you go to set it up for the first time, the setup process is identical to adding a new user and uses the same terminology. However, LastPass doesn’t explain this anywhere, and I was completely flummoxed.
I eventually just bit the bullet and went through the Add User process by logging in with my username and master password. There were no other options to move forward. When I did this, LastPass sent me an activation email. However, the email continued the confusion. It said this:
“You recently attempted to add ‘MY USERNAME’ to LastPass Sesame to increase the security of your LastPass vault.
“To complete your request, please click on the following link:”
Note that this says nothing about activating Sesame or turning it on. It says that I’m adding a new user to Sesame. Yet, as far as I knew, I didn’t have Sesame up and running yet! How can I be adding a user to something that wasn’t even installed? It was very confusing. I had no choice but to just click on the link and see what happened. I could only hope that, senseless as it was, the “Add User” process was the same thing as “Activating” Sesame.
After I clicked on the “Add User” link, I ended up with that new file – the lpsesame.BIN file. And I believe it also changed the Sesame listing in the “Multifactor Options” tab in “Account Settings.” It changed it from “disabled” to “enabled” automatically, but I didn’t know that at the time. In fact, you don’t control Sesame at all from the Account Settings area of your vault. When you click on the “edit” pencil for Sesame, you get a message that reads, “All configuration of Sesame is done within the Sesame application.” I think a lot of newbies (like myself) try first to enable Sesame from the Multifactor Options tab. It makes sense that you need to go there to enable or disable it. But you don’t. That listing offers no controls. It just informs you of the status of the program.
So after clicking on the activation link in the email, I wasn’t sure what to do next. At this point, I had never seen the actual Sesame control window before, so when it eventually opened up, I thought I was still in the middle of the setup process. After all, as far as I knew, I was still adding a user. I had seen nothing about turning on Sesame yet. So when I saw the main Sesame window and I saw my username listed and below it an “Add” button, I thought this was the last step and I had to select my username and click the “Add” button and I’d be done.
But, of course, I was completely wrong. Clicking on the Add button just opened another LastPass login window to add yet another user. But I didn’t know this. I assumed this was a confirmation window, so I dutifully filled it in and hit enter. But now I was sent another LastPass “Add User” email with another activation link. I appeared to be stuck in an endless loop of adding users to Sesame and never being able to turn it on.
At some point (and I don’t even remember when) I was also presented with the Sesame configuration window. It opens automatically when you complete the setup. To this day, I have no idea where these configuration options are located and how to access them again. They only seem to appear during the setup process. And, unfortunately, the settings presented were just as mystifying to a newbie as the first part of the setup process was. These are the options it presents:
“LastPass one time password authentication is currently enabled. Would you like to leave it enabled?
__Yes, protect me against keyloggers and spyware!
———–Permit access to my LastPass vault from mobile devices?
———–Permit access to my LastPass vault when not connected to the Internet?
__No, disable Sesame.”
I’m not 100% sure I understand these options even now. I struggled for the longest time to figure out what keyloggers and spyware specifically had to do with activating multifactor authentication with Sesame. But I think it doesn’t matter at all. It’s not listing this keylogger and spyware protection as a separate feature to be selected or not. It’s just another way to refer to Sesame itself and what it does. This window is just asking you if you are SURE that you want to have Sesame enabled. Yes or no? It’s a weird question when you think about it. You are in the middle of the process of enabling it, so I don’t know why in the final stage it gives the option to disable it. It’s strange wording. A more intuitive approach would just be to have a final “Activate Sesame” button with a “Cancel” button beside it. That is essentially what this entire window is saying. But it says it in a very strange way that is open to all kinds of misunderstandings and confusion.
But even if you figure out that you really should say “Yes” to protection from keyloggers and spyware, you are then presented with the equally mystifying option to allow access to your LastPass vault from mobile devices. I stared at that one for a very long time over a couple of days trying to fight my way through the logic. I needed the brain of Sherlock Holmes to reach a conclusion. It’s confusing, right? You have to realize that at this time, I was still under the impression that Sesame worked on smartphones, too. Why wouldn’t it? So what does this message mean? Obviously, I want access to my account on my smartphone. But why would I ever give permission to other mobile devices to do so? It made no sense to me. Of course I want to say “No”. But then am I denying my own mobile device access? Why is that even an option? I was totally bewildered.
Now, with much more experience, I get it. This option is related to what I pointed out earlier: Sesame protects only your computer. It does nothing on a smartphone. This configuration setting is acknowledging that weakness and giving you the option of denying ALL access to your account via mobile devices in order to plug the gap. This would give you 100% protection but only because you’ve essentially made LastPass a computer-only program with no access at all from any mobile device. If you keep access to your LastPass vault through mobile devices enabled, you now have only 50% protection via Sesame. And that’s okay, as long as you are aware of it, and you add another multifactor system that is effective on your smartphone. But there is nothing in this configuration window that comes close to making that clear. (At least not to a dummy like me.)
As for the option to allow access to your LastPass vault when you are not connected to the Internet, I still don’t truly understand that one at all. I haven’t gotten my head around how Internet access figures into LastPass. To have access without the Internet, then obviously the data in your vault must be stored locally on your computer in some encrypted format. And I’m sure there is all kinds of security voodoo magic going on here to protect you even though your data is sitting on your computer in some form. But I really don’t know what is going on here. I’m still just figuring out the basics of accessing my vault on my PC over the Internet in the regular fashion. Doing so without Internet access is currently beyond my paygrade.
End Stages and Newbie Panic
To be honest, by the time I reached this stage, I was ready to totally give up on Sesame. I was so frazzled that I deleted all my Sesame files and was going to forget about it. But, to my horror, when I next tried to log in to LastPass, I was asked to input a Sesame password! But as far as I was aware, I had never managed to set it up. But I guess I had. And who knew how many users I had added by accident in my add user loop? I was panic-stricken at this point. All I could do was click on the “I’ve Lost my Sesame Device” link and hope for the best. To my relief, I was able to disable however many copies of Sesame I had installed and go back to normal.
After that and after much more research, the light bulb finally went off. Things fell into place in my mind, and I can say with some certainty that setting up Sesame is not really that hard. You just have to understand it. The first trick is that from the point of view of LastPass and the program, setting up Sesame is exactly the same as adding a user. In fact, you activate it precisely BY adding the first user – yourself. That IS the activation process. So don’t be confused by that like I was. I was being way too logical in my thinking. In any event, here are the steps:
1. Download Sesame to your computer. (You can then copy the sesame.exe file to a flash drive or leave it where it is. It doesn’t matter at this point.)
2. Double click on the sesame.exe file.
3. Ignore that it says “Add User” on the window that opens up. Just input your username and master password and click on the “Log In” button at the bottom.
4. You’ll get a message telling you that LastPass sent an email to your email account. (Ignore that it says you are authorizing the addition of a new user.)
5. Open that email and click on the link.
6. Go back to Sesame and click “OK” on the box there. Then, if everything has gone well, the window with the configuration options will pop up. Make your selections and hit OK and you’re done.
Note that in a strange twist, at no point does the initial “Add User” window containing your login credentials and master password ever close. It just stays open the entire time. Even when you close Sesame, this window stays open with your credentials in clear view. You have to close this login window yourself. This seems like an odd oversight for an Internet security company. I was a bit freaked out by this. I assumed that if the window needed to close, the setup program would do it. If it was still open, I figured there had to be a reason and that the setup process needed that window. I was worried that if I closed it, I would screw something up. But eventually, I had no choice but to just close it myself. And nothing bad happened.
Also note that even though you are the sole user of Sesame and of your LastPass account, there is always a multiple user box on the main Sesame interface window. Your username is listed in that window and there is a button beneath it to Add more users or edit them. Don’t worry about that box. I learned that you can safely ignore this user window and leave it alone. It has no purpose for you other than confusing you and cluttering up the Sesame interface. Unless you have a reason to add multiple users to Sesame, you can just pretend that user window doesn’t exist.
By the way, the one-time passwords that Sesame produces are exactly 630 characters long (at least that’s true for my copy of Sesame). I didn’t notice this, but a friend of mine pointed out that it uses only the six letters from A to F, all in lowercase, plus numbers. That character set (0-9 and a-f) is hexadecimal, the standard way of writing raw bytes as text: each pair of characters is one byte, so a 630-character password is 315 bytes of data, and the small alphabet says nothing about how much randomness sits behind it. Somehow, I was expecting the whole kitchen sink of options: the full alphabet in upper case and lower case, numbers, and special characters. But I guess when the password is 630 characters long and is used only one time, this is more than sufficient.
Conclusion of a Sort
And I think that is about it for Sesame. It’s a great little program once you jump through the hoops, and I wish I could use it for all of my online accounts now that I understand it better. It’s a lot friendlier and less daunting than an authenticator app and push notifications and all that crazy stuff. I think the interface, the setup procedures, and the online documentation are all due for an overhaul and an update. But Sesame as a program in terms of how it functions is very solid, and I have no complaints there.
Good luck with your own Sesame and LastPass adventures! 😉