Integrate Duo Security with my LastPass Business account

LastPass Business supports Duo Security integration, which allows admins to configure policies and authentication methods when using Duo Security.

For more information about all Duo Security offers for LastPass, see the LastPass & Duo Security Overview.

Note: The steps outlined below must be performed by an admin of both the integration tool and LastPass Business.

Before you begin: Make sure you have the following in place:

Duo Security account
You can create a Duo account (be sure to select LastPass as your integration type during account creation)
LastPass Business account

Step #1: Set up the LastPass application in Duo Security

You can set Duo Security as a multifactor authentication option for your users, which they can then use as their second factor of authentication when logging in to LastPass. For this, you must first set up LastPass in Duo Security.

Log in to the Duo Admin Panel at https://admin.duosecurity.com.
Select Applications > Protect an Application in the left navigation.
Search for LastPass in the list, then select Protect this Application.
Under Details, copy the following values and save them to a text editor:
- Integration key
- Secret key (you must click to view)
- API hostname
If desired, you can also configure additional settings (e.g., Group policies, Username Normalization, etc.). Learn more about Duo Security Application Options.

Step #2: Set up the Duo Security integration in LastPass Business

In order to set Duo Security as a multifactor authentication option for your users, after having configured LastPass in Duo Security, you are required to set up Duo Security integration in LastPass Business itself.

Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
Go to Advanced > Enterprise Options > Multifactor options > Duo Security.
Enter Duo Security data (you captured in Step #4 in the previous section) into the following fields:
- Duo Security integration key
- Duo Security secret key
- Duo Security API hostname
Click Update to save your changes.

Step #3: Enable Duo Security as a multifactor option

Before your users can set up Duo Security at their end as an added layer of security to protect their LastPass account, you need to enable Duo Security as a multifactor authentication option in LastPass Business.

From within the Admin Console, go to Advanced > Enterprise Options > Multifactor options.
Under Enabled Multifactor Options, toggle on the switch for the Duo Security option.

Step #4: Add and configure Multifactor Authentication policies for Duo Security

You can refine the details of Duo Security integration by configuring a number of policies related to Duo Security specifically.

From within the Admin Console, go to Settings > Policies in the navigation pane.
Click Add Policy, then choose from the following policies:
- Under Multifactor, select Require use of Duo Security.
  1. To require Duo Security to be used X amount of days after the user account is created, enter a number in the Value field (optional).
  2. Select your desired user list for which this policy should be applied.
  3. Enter Notes for additional information about this policy (optional).
- Under Multifactor, select Require use of any multifactor option.
  1. Enter the Duo Security integration key, secret key, and API hostnames in the respective fields.
  2. Select your desired user list for which this policy should be applied.
  3. Enter Notes for additional information about this policy (optional).
- Under Multifactor, select Use username portion of email address as Duo Security username.
  1. Enter the Duo Security integration key, secret key, and API hostnames in the respective fields.
  2. Select your desired user list for which this policy should be applied.
  3. Enter Notes for additional information about this policy (optional).
- Under Multifactor, select Use Duo Web SDK when possible.
  1. Enter the Duo Security integration key, secret key, and API hostnames in the respective fields.
  2. Select your desired user list for which this policy should be applied.
  3. Enter Notes for additional information about this policy (optional).
Click Save when finished.

Step #5: Advise your users to set up Multifactor Authentication

Once you have completed the steps above, your users can set up and enable Multifactor Authentication for their LastPass Business account.

Important note about the removal of users enabled with Duo Security

Duo Security integration keys are associated with your LastPass Business account. If you remove users from your company account without first disabling Duo Security as their multifactor authentication option, those users may become locked out of their LastPass account (if it is converted to a LastPass Free account) once removed.

For this reason, we recommend disabling Duo Security for users you plan to remove, as follows:

Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
Select Users in the navigation pane.
Check the boxes next to your desired users.

Tip: To sort by users enabled with Duo Security, click the Multifactor column header row for the users table.
Select More actions > Disable multifactor for selected users.
Click OK to confirm.

Results: You have disabled Duo Security for your selected users, and you can now safely remove those users from your company account without risk of locking them out (if their accounts convert to LastPass Free accounts).