
Add a custom authentication policy in the new Admin Console

    As a LastPass admin, you can set up preferred authentication methods, enable or disable offline mode and/or geofencing, set up account recovery options, and more.

    Restriction: This feature might not be available for your account as this is a legacy feature.
    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    About this task:

    Admins have the option to turn off an authentication method or enable multiple methods and allow users to choose their primary authentication method.

    1. Log in with your email address and master password to access the new Admin Console at
    2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
    3. Go to Policies > Passwordless > Authentication & recovery.
    4. Follow the applicable instructions:
      Set up account-wide default authentication methods
      To set up account-wide default authentication methods, configure the settings directly on the Authentication and Recovery policy page; this automatically assigns the default policy to all users and groups in your organization.

      Add a custom authentication policy
      1. Click Add Custom Authentication Policy > New Policy.
      2. Create a policy name, then configure the policy with your desired settings (listed below).
      3. Click Save.
      4. To assign users and groups to your custom policy, click the names of the ones you want to add under their respective tabs. The users and groups that will be added to your policy appear under the Selected tab.
      5. Click Save.
      The configuration options for your custom policy are listed below:
      iOS or Android Authorized Authentication Methods
      Enable or disable the preferred biometric authentication options (fingerprint, face recognition, pattern), and/or allow users to change the order in which they are presented. To automatically apply the same settings to both iOS and Android, check the box labeled The same as iOS policies in the upper-right navigation.
      Note: Authorized authentication methods can differ based on users' devices (iOS and Android).
      iOS or Android Secondary Authentication
      If users fail to authenticate with their primary method, select one of the following secondary authentication options to be served to the user:
      • Allow any authorized method
      • Allow all but first authorized method
      • Disable secondary authentication
      iOS or Android Step-up Authentication
      If websites or apps are protected by requiring authentication with the LastPass Authenticator app, choose one of the following options:
      • Allow any authorized method (referring to iOS or Android Authorized Authentication Methods, listed above)
      • Allow all but the first authorized method
      iOS or Android Complementary Authentication
      If desired, select one or more of the biometric options presented.
      iOS or Android Authentication Limitations
      Set the maximum number of failed authentication attempts before a lockout, and/or the lockout time period after reaching the maximum number set.
      iOS or Android Allow Offline Mode for LastPass MFA (passwordless login)
      Enable or disable Offline Mode, which is the ability for users to access SSO apps when their mobile device is offline and unable to receive push notifications. This feature allows use of a one-time passcode in the LastPass Authenticator app to authenticate.
      iOS or Android Prohibit Offline Mode when Geofencing is Enabled
      If a geofencing policy is enforced, you can enable or disable the ability for users to access their LastPass vault or SSO apps in Offline Mode (because their location cannot be determined when offline).
      Recovery Contact
      You can add contact information (name, email address, or phone number) so that users know who to reach if they encounter issues logging in to their LastPass vault or SSO apps.
      Note: This is an account-wide policy setting and is not available to configure for custom policies.
      Recovery by Email
      If a user must be sent a recovery email, select where it should be sent:
      • Primary email
      • Secondary email
      • Both primary and secondary email
      Note: This is an account-wide policy setting and is not available to configure for custom policies.
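The policy semantics described above (ordered authorized methods, the secondary-authentication choices, the lockout limits, and the Offline Mode/geofencing interaction) can be clearer as an executable model. The following is an added, constructed Python model written for this article; it is not LastPass code, and its class and function names are assumptions used only to illustrate how the settings combine.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the policy options described on this page; not LastPass code.
SECONDARY_ANY = "any"                      # Allow any authorized method
SECONDARY_ALL_BUT_FIRST = "all_but_first"  # Allow all but first authorized method
SECONDARY_DISABLED = "disabled"            # Disable secondary authentication

@dataclass
class PlatformPolicy:
    """One platform's (iOS or Android) settings from a custom authentication policy."""
    authorized_methods: List[str]          # ordered as presented to the user
    secondary: str = SECONDARY_ANY
    max_failed_attempts: int = 3           # Authentication Limitations
    lockout_seconds: int = 300             # lockout time period after the maximum is reached
    offline_mode_allowed: bool = True      # Allow Offline Mode for LastPass MFA
    prohibit_offline_when_geofenced: bool = True

@dataclass
class UserState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked

def secondary_methods(policy: PlatformPolicy) -> List[str]:
    """Methods served after the primary (first authorized) method fails."""
    if policy.secondary == SECONDARY_DISABLED:
        return []
    if policy.secondary == SECONDARY_ALL_BUT_FIRST:
        return policy.authorized_methods[1:]
    return list(policy.authorized_methods)

def is_locked(state: UserState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until

def record_failure(policy: PlatformPolicy, state: UserState, now: float) -> bool:
    """Count a failed attempt; returns False if refused because the user is locked out."""
    if is_locked(state, now):
        return False
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        # Reaching the configured maximum starts the lockout period and resets the counter.
        state.locked_until = now + policy.lockout_seconds
        state.failed_attempts = 0
    return True

def offline_mode_permitted(policy: PlatformPolicy, geofencing_enforced: bool) -> bool:
    """Offline Mode is blocked when geofencing is enforced, since location cannot be checked offline."""
    if not policy.offline_mode_allowed:
        return False
    return not (geofencing_enforced and policy.prohibit_offline_when_geofenced)
```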