
What are the best practices for using multifactor authentication in LastPass?

    LastPass allows you to set up more than one multifactor authentication option so that when you access your vault, you can choose the option that is most convenient for you when you are prompted to authenticate.

    General best practices

    Setting up multifactor authentication for your LastPass account is the first step in the right direction when it comes to account security. Once set up, you will first log in to LastPass with your email address and master password, then be prompted for an additional method of authentication before you can access your vault. This additional step is a preventative measure used as a means of thwarting keyloggers and other threats.

    Restriction: If you have a LastPass Teams or LastPass Business account, the ability to perform these actions may be limited or prohibited due to policies enabled by your LastPass admin.
    • Set up more than one multifactor authentication option. In your LastPass vault, you can set up multiple multifactor authentication options so that you have backup authentication methods always available to you. Learn how here.
    • Set up more than one device with multifactor authentication. You can set up your multifactor authentication options on multiple devices (e.g., a tablet, an iPad, an old device you plan to keep, a trusted partner's or spouse's mobile device, etc.). Learn how here.
    • Set up multifactor authentication options that do not require use of a mobile device to authenticate (as a backup). If you set up authentication options that don't require a mobile device, you will always have backup authentication methods in case you ever lose access to your device. LastPass supports the following non-device authentication options:
      • Grid – This is a free option available within your LastPass vault that allows you to print (or store outside of LastPass) a sheet that is used to look up specific matching values and provide a code to match those values for authentication.
      • YubiKey – This authentication option is a key-sized device that you can plug in to your computer's USB slot (or use with a mobile device's port or NFC scanner), in order to authenticate. This authentication option requires that you have a LastPass Premium (or above) account type, and is not available to LastPass Free users.

    Best practices for LastPass business account admins

    As a LastPass admin of a LastPass Teams or LastPass Business account, you can set up multifactor authentication for your organization of users, and manage various policies and settings that best suit your business needs.

    • Select multifactor authentication options for your users. You can enable specific multifactor options for your users, or leave all multifactor options enabled by default. For more information, please see How do I manage multifactor authentication options for users in the new Admin Console?
    • Set up and manage policies for multifactor options. You can configure and enforce various policies for your organization, including the requirement of users to authenticate before they can access their LastPass vault, restrictions on which authenticator(s) can be used, and much more. Learn how to configure policies for your LastPass Teams or Business account.

    While there are several multifactor authentication options that LastPass supports, we strongly encourage the use of passwordless login via the LastPass Authenticator app.

    The following are key benefits of using passwordless login:
    • Provides an added layer of security by using biometric and contextual factors of a user's device
    • Allows admins to set up and configure policies that authorize specific device types and authentication methods
    • Provides granular control over authentication (i.e., how often users can be prompted, setting max number of failed authentication attempts and/or lockout time)
    • Allows admins to manage whether Offline Mode is allowed, and to restrict it when geofencing policies are enforced
    • Allows admins to enforce the use of authentication with the LastPass Authenticator app when logging in to LastPass and/or SSO apps
    • Grants the ability for admins to set up special recovery contacts for users to reach if they become locked out of their account

    For more information about what you can do with the passwordless login, please see How do I add a custom authentication policy in the new Admin Console?