product icon

How do I create a time-based one-time passcode (TOTP) for site entries as a LastPass business account user?

    If you have a LastPass Teams or LastPass Business account, you can create a time-based one-time passcode (TOTP) from your vault and use it for authentication when logging in to a third-party app or website.

    Tip: You can share this temporary code with others who also access the same site (using the same site credentials) where Two-Factor Authentication/Two-Step Verification is required.

    Terminology

    Time-based one-time passcode/TOTP/Two-Factor Code
    These terms all refer to the same value – a code that is generated for you and created as a means of verification or authentication.
    Two-Factor Authentication/Two-Step Verification
    A security feature that asks you for more than just your username and password when you log into a website. It requires something you know (your password) and something you have (your phone).

    About TOTP codes for LastPass

    • At this time, TOTP codes generated from your vault can only be used when accessing LastPass from a desktop web browser (i.e., not supported when using the LastPass mobile apps)
    • TOTP codes generated from your vault can only be used for the specific third-party site paired with your site password entry in your vault (via the secret key)
    • TOTP codes will be generated automatically in the site's one-time passcode TOTP code field if the site is stored in your vault and has a secret key associated
    • TOTP codes generated from the LastPass Authenticator app mobile app are completely different from TOTP codes generated from your LastPass vault, and cannot be used interchangeably for authentication
    • LastPass generates 6-digit one-time passcodes using SHA-1 algorithm, and these codes are regenerated every 30 seconds
    • TOTP codes are only supported for site entries in your vault (i.e., not support for secure notes or items)
    • If your computer's clock is not synced with universal Internet time, it could cause the TOTP code to be invalid and you may encounter an error when entering it

    About policy restrictions

    The ability to perform these actions may be prohibited if the "Don't show TOTP in vault" policy is enabled by your LastPass admin for your LastPass Business account.

    Create a TOTP code in your vault

    About this task: To enter the secret key into your LastPass site entry and generate a TOTP code that can be shared, do the following:

      Generate a secret key from your third-party site.

      1. Log in to your account on the site for which you want to share access with others.
      2. Follow the site's instructions to set up Two-Factor Authentication within the site's security settings (outside of LastPass) and enable the site to use an authentication app (e.g., LastPass Authenticator).
      3. Most sites will provide a QR code to scan for setting up authentication. Instead, locate the option for manual setup, then copy the secret key (intended to be used for third-party services) and paste into a text editor.
        Remember: You will be using this value in later steps.

      Enter the secret key into LastPass.

      1. Log in to LastPass and access your vault by doing either of the following:
        • In your web browser toolbar, click the LastPass icon active LastPass icon and select Vault or Open My Vault.
        • Go to https://lastpass.com/?ac=1 and log in with your email address and master password.
      2. To activate a new secret key, you must add a new site password or editing an existing password entry:
        Action in LastPass Instructions
        Add a new site password
        1. Click .
        2. Select Password.
        3. Enter all of the information you want to store.
        Edit an existing site password
        1. Locate your desired site password entry.
        2. Click the Edit icon .
      3. Select Enter your secret key.
        Add password screen in vault
      4. Paste the secret key you copied in Step #3 above (copied from your third-party site's authentication settings) then click Activate.
        Attention: Only use the characters A-Z, 2-7, = when entering the secret key, and do not include any spaces.
        Secret key screen

        Result: LastPass generates a 6-digit one-time passcode (using the SHA-1 algorithm and changing every 30 seconds).

      5. In the One-time passcode field, click to view the TOTP code, then copy the code.
        Two-Factor Code generated by LastPass
        Note: The TOTP code automatically populates in the site's "one-time passcode" field if the site is stored in your vault and has a secret key associated. If the generated code expires before it has been submitted on the site (expires every 30 seconds), then the new TOTP code is automatically generated and filled into site's "one-time passcode" field.
        Tip: When you need a new TOTP code, click to hide the current code, then click again to show the new one (new codes generate every 30 seconds).
      6. Return to your desired site's settings and paste the code for verification, then save and proceed.
    Results: You have now paired your desired site entry in your vault with LastPass and a new TOTP code for your site is displayed (which will change every 30 seconds).
    What to do next: If desired, you can share this site entry with others who also need to use the same site credentials.

    Use a TOTP code from your vault

    Once you have paired your site with LastPass via the secret key, you can copy a TOTP code from your vault and use it to log in to your site when you're prompted for Two-Factor Authentication.

      Copy a TOTP code from your LastPass vault.

      1. Within your vault, locate your desired site password entry then select to edit it.
      2. Copy the TOTP code in the One-time passcode field.

      Use the TOTP code to log in to your site.

      1. Navigate to your site and proceed to log in.
      2. When prompted for authentication, enter the TOTP code you copied from the One-time passcode field.
        Note: The TOTP code automatically populates in the site's "one-time passcode" field if the site is stored in your vault and has a secret key associated. If the generated code expires before it has been submitted on the site (expires every 30 seconds), then the new TOTP code is automatically generated and filled into site's "one-time passcode" field.
        Troubleshooting: If the code you entered is invalid, return to your vault entry and click to hide the current code, then click again to show the new one (new codes generate every 30 seconds).
    Results: You are now signed in to your desired site using a TOTP code generated by your LastPass vault.