product icon

Authentication and Recovery Policies

    As a LastPass admin, you can set up preferred authentication methods, enforce the required use of the LastPass Authenticator app when accessing SSO apps, enable or disable offline mode when using the LastPass Authenticator app and/or geofencing, set up account recovery options, and much more.

    Restriction: This feature might not be available for your account as this is a legacy feature.
    About this task: Admins have the option to turn off an authentication method or enable multiple methods and allow users to choose their primary authentication method.
    1. Log in and access the Admin Console at!/dashboard.
    2. Select MFA or SSO & MFA in the left navigation.
    3. Go to Policy > Authentication in the left navigation.
    4. To set up account-wide default authentication methods and/or feature settings (listed below), you can configure the settings directly on the Authentication and Recovery policy page, which automatically assign the default policy to all users and groups in your organization.
    5. To create a custom authentication methods and/or feature settings for specific users and groups, do the following:
      1. Select Add Custom Authentication Policy > New Policy.
      2. Create a policy name, then configure the policy with your desired settings (listed below).
      3. Click Save.
      4. Select your desired users and/or groups to assign, then click Save.
    6. Next, set your default or custom policy by configuring any of the following options:
      • iOS or Android Authorized Authentication Methods – Enable or disable preferred biometric authentication options (fingerprint, face recognition, pattern), and/or allow users to change the order in which they are presented. To automatically set the same policies for both iOS and Android, check the box in the upper-right navigation for The same as iOS policies setting.
      Note: Authorized authentication methods can be different based on users' devices (iOS and Android).
      • iOS or Android Secondary Authentication – If users fail to authenticate, you can select one of the following secondary authentication options that are served to the user:
        • Allow any authorized method
        • Allow all but the first authorized method
        • Disable secondary authentication
      • iOS or Android Step-up Authentication – If websites or apps are protected by requiring use of authenticating using the LastPass Authenticator app, choose from either of the following options:
        • Allow any authorized method (referring to iOS or Android Authorized Authentication Methods, listed above)
        • Allow all but the first authorized method
      • iOS or Android Complementary Authentication – If desired, select one or more of the biometric options presented.
      • iOS or Android Authentication Limitations – Set the maximum number of failed authentication attempts before a lockout, and/or the lockout time period after reaching the maximum number set.
      • iOS or Android Allow Offline Mode for LastPass MFA – Enable or disable Offline Mode, which is the ability for users to access SSO apps when their mobile device is offline and unable to receive push notifications. This feature allows use of a one-time passcode in the LastPass Authenticator app to authenticate.
      • iOS or Android Prohibit Offline Mode when Geofencing is Enabled – If a geofencing policy is enforced, you can enable or disable the ability for users to access their LastPass vault or SSO apps in Offline Mode (because their location cannot be determined when offline).
      • Recovery Contact – You can add contact information (name, email address, or phone number) so that users know who to reach if they encounter issues logging in to their LastPass vault or SSO apps.
        Note: This is an account-wide policy setting and is not available to configure for custom policies.
      • Recovery by Email – If a user must be sent a recovery email, select from the following options as to where it should be sent:
        • Primary email
        • Secondary email
        • Both primary and secondary email
      Note: This is an account-wide policy setting and is not available to configure for custom policies.

      Result: You have now created account-wide or custom policies and assigned to the appropriate users and groups.