LastPass Admin Toolkit: LastPass MFA apps

    LastPass admins can set up MFA apps in the new Admin Console to protect their endpoints with multifactor authentication via the LastPass Authenticator app, including third-party identity providers (AD FS or Azure AD), workstations (Windows or macOS), and/or VPNs.

    Note: This feature is available with the LastPass Business + Advanced MFA add-on. Learn more about plans & pricing.
    LastPass Business + Advanced MFA add-on accounts can currently use this capability through the following MFA apps:

    Advanced MFA add-on Features Overview

    Microsoft Azure AD

    This MFA app allows LastPass Business admins to protect their users' logins via Microsoft Azure AD with a second layer of security. Once set up, users can log in to their Azure AD single sign-on apps, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

    Microsoft AD FS

    This MFA app allows LastPass Business admins to protect their users' logins via Microsoft AD FS with a second layer of security. Once set up, users can log in to relying party apps using their Microsoft AD FS account, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

    Workstation MFA

    This MFA app allows LastPass Business admins to protect their users' workstations with a second layer of security. Once set up, users can log in to their workstations using their Windows or macOS account password, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

    LastPass Universal Proxy (VPN)

    This MFA app is on-premises software that allows LastPass Business admins to protect their users' logins to their network (e.g., a VPN server) with a second layer of security. It authenticates against their primary authenticator (e.g., an LDAP or RADIUS server) and/or the LastPass Server using the LDAP, LDAPS, or RADIUS protocol. Once set up, users can log in to legacy apps and/or VPNs, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

    Multifactor Policies

    LastPass allows you to reduce risks by enforcing policies and controls. These policies are available in the new Admin Console under Policies → Multifactor.

    • Require extra authentication for LastPass Authenticator - Prompt LastPass Authenticator users for biometric or PIN authentication before they can allow or deny a login request.
    • Restrict LastPass Authenticator usage by location - Add a layer of security for your users by restricting login from untrusted locations, based on device GPS location. The value must be a trusted location, expressed in decimal degrees (latitude, longitude, radius). Anyone outside the trusted location will be denied login through LastPass Authenticator.
    • Override default MFA methods - Set the MFA methods that users can choose as their primary method for confirming their identity when logging in to LastPass. For more information, see Admin policies.
    • Restrict access by IP address - Only allow users to access their LastPass accounts when logging in from designated IP addresses.
    • Restrict access by country - Restrict the countries from which users are permitted to log in to LastPass.
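
A pre-check for the trusted-location value described in the "Restrict LastPass Authenticator usage by location" policy above, so a mistyped value is caught before it locks users out. This is an added example, not LastPass code: the comma-separated input form, the radius unit (meters), the accuracy handling, and all function names and coordinates are assumptions for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in meters


def parse_trusted_location(value):
    """Parse 'latitude, longitude, radius' (assumed form) and range-check it."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 3:
        raise ValueError("expected three values: latitude, longitude, radius")
    try:
        lat, lon, radius = (float(p) for p in parts)
    except ValueError:
        # Degrees/minutes/seconds or hemisphere letters land here.
        raise ValueError("values must be plain decimal numbers") from None
    if not all(math.isfinite(v) for v in (lat, lon, radius)):
        raise ValueError("values must be finite")
    if not -90 <= lat <= 90:
        raise ValueError("latitude out of range (latitude and longitude swapped?)")
    if not -180 <= lon <= 180:
        raise ValueError("longitude out of range")
    if radius <= 0:
        raise ValueError("radius must be positive")
    return lat, lon, radius


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in meters."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(min(1.0, math.sqrt(a)))


def is_inside(policy_value, device_lat, device_lon, accuracy_m=0.0):
    """True only if the device fix, including its error margin, is in the circle."""
    lat, lon, radius = parse_trusted_location(policy_value)
    # Fail closed: a fix that could be outside the circle counts as outside.
    return distance_m(lat, lon, device_lat, device_lon) + accuracy_m <= radius


if __name__ == "__main__":
    office = "47.6062, -122.3321, 500"  # constructed sample value
    print(is_inside(office, 47.6092, -122.3321))       # fix about 334 m away
    print(is_inside(office, 47.6092, -122.3321, 200))  # same fix, 200 m accuracy
    print(is_inside(office, 47.6152, -122.3321))       # fix about 1 km away
```

Running candidate values and a few known device fixes (office entrance, parking lot, a nearby street) through such a check shows whether the radius is wide enough for real GPS error before the policy is enforced.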