LastPass Admin Toolkit: LastPass MFA apps

LastPass admins can set up MFA apps in the new Admin Console to protect their endpoints with multifactor authentication via the LastPass Authenticator app, including third-party identity providers (AD FS or Azure AD), workstations (Windows or macOS), and/or VPNs.

Note: This feature is available with the LastPass Business + Advanced MFA add-on. Learn more about plans & pricing.

LastPass Business + Advanced MFA add-on accounts are currently provided this capability with the following setups via MFA apps:

Microsoft Azure AD
Microsoft AD FS
Workstation MFA (for Windows or macOS)
Universal Proxy/VPN

Advanced MFA add-on Features Overview

Video Overview – Watch this video for a high-level overview of using multifactor authentication in LastPass.
What authentication is right for your business? – Dive into this webinar to learn the key differences between two-factor authentication and multifactor authentication.

Microsoft Azure AD

This MFA app allows LastPass Business admins to protect their users' logins via Microsoft Azure AD with a second layer of security. Once set up, users can log in to their Azure AD single sign-on apps, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

How do I configure my Azure AD account to use LastPass MFA for authentication? – View instructions for setting up your user accounts to use the LastPass Authenticator app for authentication whenever they log in to any Azure AD single sign-on app.

Microsoft AD FS

This MFA app allows LastPass Business admins to protect their users' logins via Microsoft AD FS with a second layer of security. Once set up, users can log in to relying party apps using their Microsoft AD FS account, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

How do I set up LastPass MFA for Microsoft AD FS? – View instructions for setting up your user accounts to use the LastPass Authenticator app for authentication whenever they log in to relying party applications by entering their Microsoft AD FS account credentials.
How do I download and configure LastPass MFA for Microsoft AD FS? – As a LastPass admin, get the integration key and integration secret, then download the AD FS adapter and configure it with your designated integration key and integration secret.
How do I sign in to my Windows account using LastPass MFA for Microsoft AD FS? – As a user, once the integration with Microsoft AD FS has been set up, your users can sign in to your relying party applications by entering their AD credentials then authenticating using the LastPass Authenticator app.
How do I uninstall LastPass MFA for Microsoft AD FS? – To uninstall, you must first disable multifactor authentication in AD FS, unregister it with a PowerShell script, then uninstall from Windows.

Workstation MFA

This MFA app allows LastPass Business admins to protect their users' workstations with a second layer of security. Once set up, users can log in to their workstations using their Windows or macOS account password, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

What are the system requirements for LastPass Workstation MFA? – Review the details about the system requirements for Windows and/or macOS in order to set up Workstation MFA.
What are the differences between Workstation Login and Workstation MFA in LastPass Business? – Follow this article to get a better understanding between the key differences.
Set up LastPass Workstation MFA for Windows – View step-by-step instructions for setting up LastPass Workstation MFA for Windows.
How do I hide all other Windows credential providers except for LastPass Workstation MFA? - As a LastPass admin, you can exclude other credential providers from the Windows logon screen so that Workstation MFA is the only available sign-in method for your users.
How do I sign in to my Windows workstation using LastPass Workstation MFA? – View instructions for signing in to you Windows workstation as a user.
How do I uninstall Workstation MFA for Windows? - You can uninstall Workstation MFA locally as a troubleshooting measure or if you no longer need it on your machine.
Set up LastPass Workstation MFA for Mac – View step-by-step instructions for setting up LastPass Workstation MFA for Mac.
How do I sign in to my Mac workstation using LastPass Workstation MFA? – View instructions for signing in to you Mac workstation as a user.

LastPass Universal Proxy (VPN)

This MFA app is an on-premises software that allows LastPass Business admins to protect their users' logins to their network (e.g., a VPN server) with a second layer of security, which then authenticates against their primary authenticator (e.g., LDAP or RADIUS server) and/or the LastPass Server using LDAP, LDAPS, or RADIUS protocol. Once set up, users can log in to legacy apps and/or VPNs, then an authentication prompt is sent to their mobile device via the LastPass Authenticator app for verification.

What is LastPass Universal Proxy? – Learn all about what the LastPass Universal Proxy is and how it is used.
Set up LastPass Universal Proxy v5.x – View step-by-step instructions for adding Universal Proxy v5.x.
Set up LastPass Universal Proxy v4.x – View step-by-step instructions for adding Universal Proxy v4.x.
Configure LastPass Universal Proxy v5.x - View configuration steps.
Configure LastPass Universal Proxy 4.x using command line interface (CLI) on Windows – View configuration steps via the command line.
Configure LastPass Universal Proxy 4.x with the server.properties configuration file without using the CLI tool on Windows – View configuration steps without using the command line.

Multifactor Policies

LastPass allows you to reduce risks by enforcing policies and controls. These policies are available in the new Admin Console under Policies →Multifactor.

Require extra authentication for LastPass Authenticator - Prompt LastPass Authenticator users for biometric or PIN authentication before they can allow or deny a login request.
Restrict LastPass Authenticator usage by location - Add a layer of security for your users by restricting login from untrusted locations, based on device GPS location. The value must be a trusted location, expressed in decimal degrees (latitude, longitude, radius). Anyone outside the trusted location will be denied login through LastPass Authenticator.
Override default MFA methods - Set the MFA methods that users can choose as their primary method for confirming their identity when logging in to LastPass. For more information, see Admin policies.
Restrict access by IP address - Only allow users to access their LastPass accounts when logging in from designated IP addresses.
Restrict access by country - Restrict the countries from which users are permitted to log in to LastPass.