HELP FILE
Server mode default factors
When logging in to LastPass Universal Proxy 4.0, if the authentication mode is not provided by the user, default factors define the authentication process.
The following table contains the default factors for server modes:
| Server mode | LastPass MFA Authentication (LP) |
LastPass MFA or password authentication (PLP) |
Both LastPass MFA and password authentication (SFA) |
|---|---|---|---|
| Default factor enabled | push or call | NOT enabled | push, call, or totp |
- Starting from 4.0, LastPass Universal Proxy provides the following SFA factors:
- Push
- Call
- Time-based One-Time Password (TOTP) consisting of 6 digits
- The default factor in LastPass MFA Authentication (LP) mode can be overwritten if the user enters push/call in the password field.
- When using the LastPass MFA or password authentication (PLP) mode for the RADIUS PAP/LDAP/LDAPS protocol, you must enter the required factor, that is, push or call in the VPN client password field to opt-in to use the LastPass Authenticator app. If the password contains the *push or *call text, it will be considered a password.
- When using the Both LastPass MFA and password authentication (SFA) mode the RADIUS PAP/LDAP/LDAPS protocols, the username and the password is human-readable, and entering push/call as a password results in a failed login attempt. When using the RADIUS CHAP protocol with Both LastPass MFA and password authentication (SFA) mode, the password is non-human-readable, and push/call can be used as a password.
The following tables show a summary of the factor options, based on whether the server modes require authentication using the
LastPass Authenticator app or using a password (in the following tables
testpw is used as a password example).
| Value of the password field of the VPN client | LastPass MFA Authentication (LP) |
LastPass MFA or password authentication PLP |
Both LastPass MFA and password authentication (SFA) |
|---|---|---|---|
| Auth result | Auth result | Auth result | |
| testpw | Passwordless login with default factor | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default factor |
| testpw*push | Passwordless login with default factor | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and PN |
| testpw*call | Passwordless login with default factor | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and call |
| testpw*TOTP | Passwordless login with default factor | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and TOTP |
| push | Passwordless login with push factor | Passwordless login with CLS and PN | Login attempt with Radius/AD with "push" password |
| call | Passwordless login with call | Passwordless login with CLS and call | Login attempt with Radius/AD with "call" password |
| TOTP (example: 114503 or 245728) | Passwordless login with default factor | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default factor |
| Password field of the VPN client | LastPass MFA Authentication (LP) |
LastPass MFA or password authentication PLP |
Both LastPass MFA and password authentication (SFA) |
|---|---|---|---|
| testpw | Passwordless login with default factor | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default factor |
| testpw*push | Passwordless login with default factor | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default factor |
| testpw*call | Passwordless login with default factor | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default factor |
| testpw*TOTP | Passwordless login with default factor | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default factor |
| push | Passwordless login with push factor | Passwordless login with CLS and PN | Password login with Radius server & Passwordless login with CLS and default factor |
| call | Passwordless login with call | Passwordless login with CLS and call | Password login with Radius server & Passwordless login with CLS and default factor |
| TOTP (example: 114503 or 245728) | Passwordless login with default factor | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default factor |