LastPass and Two-Step Login (Duo)

This article applies to: Secure Password Management


If you choose to use Cornell's Enterprise LastPass service, we require that your account be secured with Duo, Cornell's two-step login service.

Faculty and staff also use Duo for access to other Cornell services, like Workday. (Some units require Duo for other services as well.)

The rest of this gets a bit complicated, but the bottom line is that you may find yourself logging in through Duo more often than previously.

Signing in is different

All of Cornell's services that allow or require two-step authentication start with you entering your credentials through CUWebLogin on a familiar, Cornell-branded "enter your NetID and Password" screen. You're then taken to the Duo authentication screen.

Those signing in with mobile devices may see only one authentication choice: entering a passcode. When using a browser on a computer or tablet, you should see all available login options.

But LastPass doesn't start with CUWebLogin, so it doesn't recognize that you have already been authenticated, and you'll see the Duo screen with the various choices (call me, enter a passcode, etc.). The LastPass Duo screen does not allow you to be "remembered" for 24 hours.

Signing out is different

Cornell's Duo configuration lets you tell Duo to remember your authentication for 24 hours. Your access is not cancelled when you quit your browser or if you shut down your computer.

LastPass's Duo has stricter requirements. You will be logged out of your LastPass account when you quit your browser or after 12 hours of inactivity. (Mobile lock expires after 24 hours.) The stricter rules for automatically logging you out mean you may find yourself needing to log in more often.

Summary

These security arrangements are necessary for the protection of Cornell's electronic data. 
