
What are the system requirements for LastPass Workstation MFA?

    Workstation MFA is a feature that allows LastPass admins to protect their users' workstations with a second layer of security. Once it is set up, users log in to their workstations using their Windows or Mac account password, then authenticate using the LastPass Authenticator app (or YubiKey via the LastPass Authenticator app) on their mobile device for verification.

    In order to set up LastPass Workstation MFA, the system and account requirements below must be met.

    Restriction: Workstation MFA cannot be used simultaneously with federated login (as federated login only supports multifactor authentication at the identity provider level, and Workstation MFA requires multifactor authentication at the LastPass level).
    Attention: It is recommended to set up a Windows or Mac test environment and uncheck the Prevent login when offline setting (which enables offline mode access for workstations) when configuring the installer package. Once you have successfully deployed and used Workstation MFA on a test environment, you can configure and deploy to a production environment.

    Windows

    For LastPass admins:
    • An active LastPass Business + Advanced MFA add-on trial or paid account with end users synced to the LastPass AD Connector, which is an on-premise Active Directory sync tool
      Important: End users can be created and managed using another service provider; however, LastPass admins must sync users with the on-premise LastPass AD Connector in order to use Workstation MFA.
    For end users:
    • A machine running Windows 10 or later
    • A server running any of the following with .NET Framework 4.7.2 installed:
      • Windows Server 2012 R2
      • Windows Server 2016
      • Windows Server 2019
    • An internet connection with 1 Mbps or better (broadband recommended)
      Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
    • An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator app for multifactor authentication to protect their vault (instructions here)
      Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to their LastPass vault (instructions here).

    Mac

    For LastPass admins:
    • An active LastPass Business + Advanced MFA add-on trial or paid account with end users synced to the LastPass AD Connector, which is an on-premise Active Directory sync tool
      Important: End users can be created and managed using another service provider; however, LastPass admins must sync users with the on-premise LastPass AD Connector in order to use Workstation MFA.

    For end users:

    • A Mac with a 64-bit processor running either of the following macOS versions:
      • macOS Big Sur (11.2)
      • macOS Monterey (12)
    • An internet connection with 1 Mbps or better (broadband recommended)
      Note: ICMP is a required protocol used by LastPass to ping lastpass.com to verify end-to-end connectivity. Additionally, communication with lastpass.com is through HTTPS using port 443 with TLS 1.2.
    • An active LastPass Business + Advanced MFA add-on trial or paid user account that has enabled and enrolled the LastPass Authenticator app for multifactor authentication to protect their vault (instructions here)
      Tip: LastPass admins can enable the "Require use of LastPass MFA" general policy to prompt users to set up and enroll the LastPass Authenticator app the next time they log in to LastPass (instructions here).
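
A preflight check for the network note that appears in both the Windows and Mac lists, as an added example (not LastPass tooling): it sends one ICMP echo to lastpass.com and attempts a certificate-verified handshake on port 443 with the client restricted to TLS 1.2, so a firewall that drops ICMP or a proxy that breaks TLS 1.2 shows up before deployment. The function names and timeouts are assumptions of this example.

```python
import platform
import socket
import ssl
import subprocess

HOST = "lastpass.com"  # host named in the note


def tls12_only_context():
    """Certificate-verifying client context restricted to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_https_tls12(host=HOST, port=443, timeout=5.0):
    """Return (ok, detail) for a verified TLS 1.2 handshake on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Typical when a TLS-inspecting proxy re-signs the connection.
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def ping_command(host, system=None):
    """Build a one-packet ping for the two platforms the page covers."""
    system = system or platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-w", "3000", host]  # -w: milliseconds
    if system == "Darwin":
        return ["ping", "-c", "1", "-t", "3", host]  # -t: seconds on macOS
    return ["ping", "-c", "1", host]  # other systems: assumption


def check_icmp(host=HOST):
    """Return True only if an echo reply (a line carrying a TTL) came back."""
    try:
        done = subprocess.run(ping_command(host), capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    # Windows ping can exit 0 on "Destination host unreachable"; require a TTL.
    return done.returncode == 0 and b"ttl=" in done.stdout.lower()


if __name__ == "__main__":
    print("ICMP echo :", "ok" if check_icmp() else "FAILED")
    ok, detail = check_https_tls12()
    print("HTTPS/443 :", "ok" if ok else "FAILED", f"({detail})")
```

Run it from a workstation on the same network segment and proxy path the deployed machines will use.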