Passwordless Login in LastPass
What is passwordless login?
Passwordless login allows you to log in to LastPass (or a feature of LastPass) using the LastPass Authenticator app instead of entering your master password. You can authenticate via the LastPass Authenticator app using a push notification + stored biometrics (face or fingerprint), TOTP code, SMS passcode, or a phone call. You can leverage passwordless login when logging in to your LastPass vault, SSO apps, and/or workstations.
Additionally, passwordless login for mobile allows you to log in to your LastPass vault via the LastPass app for iOS or Android using your device's stored biometrics (face or fingerprint) instead of manually entering your master password.
Learn more about the technology behind passwordless login in the LastPass Technical Whitepaper.
Limitations and compatibility
The following information only applies to passwordless login for vault (i.e., does not apply to SSO apps and/or workstations):
- You can use either the LastPass browser extension (requiring version 4.96 or later) or the login page of the LastPass website. Learn how to enable and use it.
- Currently, only the LastPass Authenticator app can be used for passwordless login from a desktop. Support for using desktop biometrics (Windows Hello or macOS Touch ID) and security keys (USB or mobile device) is coming soon!
- All multifactor authentication options must be disabled except for the LastPass Authenticator app.
- For passwordless login on mobile, you will only use the LastPass app for iOS or Android plus the supported biometrics of your mobile device; the LastPass Authenticator app is not involved. Learn how to enable and use it on your mobile device.
Who can use passwordless login for vault?
Everyone! Passwordless login for vault is available for all account types. Passwordless login for your vault does not require activation steps in order to use.
- Users with personal accounts (Free, Premium, Families) can immediately enable passwordless login for their vault on a desktop or on mobile.
- Users with business accounts (Teams, Business) must have their LastPass admin enable the "Allow passwordless login" policy in order to make the feature available. Once the policy is enabled, business users can enable passwordless login for their vault.
Restriction: LastPass Business accounts that have enabled federated login with a third-party identity provider cannot simultaneously enable passwordless login for the vault.
Who can use passwordless login for SSO apps and workstations?
- For SSO apps, LastPass Business admins will need to enable passwordless login for the SSO app. Once configured, users assigned to the SSO app will need to activate passwordless login, then they can sign in to their SSO app using passwordless login.
Remember: Passwordless login for SSO apps only supports authentication using stored biometrics (face or fingerprint) via push notification in the LastPass Authenticator app.
- For workstations, LastPass Business admins will need to set up passwordless login for their users' Windows or Mac workstations. Once set up, users will need to activate passwordless login, then they can log in to their Windows or Mac workstation using passwordless login.
How does passwordless login work?
Passwordless login allows you to sync the LastPass Authenticator app with your master password, so you can use any of the available authentication options in the LastPass Authenticator app (push notification + face or fingerprint, TOTP code, SMS passcode, or phone call) in place of entering your master password.
How is passwordless login used?
Once enabled, you can access your vault, SSO apps, and/or workstations from your desktop by leveraging any of the available authentication options in the LastPass Authenticator app instead of entering your master password. View the table below for additional details.
What if I can't use my device or I can't access the LastPass Authenticator app? Am I locked out?
No – your master password will always be available for you to use instead of using passwordless login via the LastPass Authenticator app.
I see an "account settings conflict" when trying to enable passwordless login for my vault, what should I do?
You will encounter this message if you already have another multifactor authentication option enabled to protect your vault.
- Disable all other multifactor options in your vault except for the LastPass Authenticator app.
Restriction: If you have a LastPass Business or LastPass Teams account, the ability to perform these actions may be limited or prohibited due to policies enabled by your LastPass admin. To proceed, contact your LastPass admin and reference the instructions for LastPass Business or LastPass Teams.
- Try to enable passwordless login for your vault again (which will enable the LastPass Authenticator app as your multifactor authentication option to protect your vault).
What are the feature differences for passwordless login?
There are key differences in how the passwordless login feature is used, as shown below.
| LastPass account type | Where you log in | Setup instructions for LastPass users | Login instructions for LastPass users | Setup instructions for LastPass admins |
| --- | --- | --- | --- | --- |
| All account types | Your LastPass vault from a desktop | | Log in to your vault from your desktop using passwordless login (via the LastPass Authenticator app) – Support for using desktop biometrics and security keys is coming soon! | |
| All account types | Your LastPass vault on a mobile device | Enable passwordless login for your vault on mobile (using the LastPass app) | Log in to your vault from mobile using passwordless login (via the LastPass app) | Enable the "Enable biometric login on mobile app" policy |
| LastPass Business + Advanced MFA add-on | SSO apps & websites | Set up passwordless login for your users' SSO apps | Set up an SSO app and enable "Step-up authentication" | |
| LastPass Business + Advanced MFA add-on | Windows or Mac workstation | Set up passwordless login for your users' Windows or Mac workstations | | |