HELP FILE

How do I add a custom authentication policy in the new Admin Console?

As a LastPass admin, you can set up preferred authentication methods, enable or disable offline mode and/or geofencing, set up account recovery options, and more.

Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

Admins have the option to turn off an authentication method or enable multiple methods and allow users to choose their primary authentication method.

  1. Log in with your email address and Master Password to access the new Admin Console at https://admin.lastpass.com.
  2. Go to Policies > Passwordless > Authentication & recovery.
  3. Choose the kind of policy you want to configure:

     To set up account-wide default authentication methods:
     Configure the settings directly on the Authentication & Recovery policy page. This default policy is automatically assigned to all users and groups in your organization.

     To add a custom authentication policy:
     1. Click Add Custom Authentication Policy > New Policy.
     2. Create a policy name, then configure the policy with your desired settings (listed below).
     3. Click Save.
     4. To assign users and groups to your custom policy, click the names of the ones you want to add under their respective tabs. The users and groups that will be added to your policy appear under the Selected tab.
     5. Click Save.

    Below is the list of configuration options for your custom policy:

    iOS or Android Authorized Authentication Methods
    Enable or disable preferred biometric authentication options (fingerprint, facial recognition, pattern), and/or allow users to change the order in which they are presented. To automatically apply the same settings to both iOS and Android, check the box labeled The same as iOS policies in the upper-right navigation.
    Note: Authorized authentication methods can differ based on the user's device platform (iOS or Android).

    iOS or Android Secondary Authentication
    If users fail to authenticate, select one of the following secondary authentication options to be offered to the user:
    • Allow any authorized method
    • Allow all but first authorized method
    • Disable secondary authentication

    iOS or Android Step-up Authentication
    If websites or apps are protected by requiring authentication with the LastPass Authenticator, choose one of the following options:
    • Allow any authorized method (referring to the iOS or Android Authorized Authentication Methods listed above)
    • Allow all but the first authorized method

    iOS or Android Complementary Authentication
    If desired, select one or more of the biometric options presented.

    iOS or Android Authentication Limitations
    Set the maximum number of failed authentication attempts before a lockout, and/or the lockout time period that applies once that maximum is reached.

    iOS or Android Allow Offline Mode for LastPass MFA (passwordless authentication)
    Enable or disable Offline Mode, which allows users to access their LastPass Vault or SSO apps when their mobile device is offline and unable to receive push notifications. In Offline Mode, users authenticate with a one-time passcode from the LastPass Authenticator.

    iOS or Android Prohibit Offline Mode when Geofencing is Enabled
    If a geofencing policy is enforced, you can enable or disable the ability for users to access their LastPass Vault or SSO apps in Offline Mode (their location cannot be verified while the device is offline).

    Recovery Contact
    You can add contact information (name, email address, or phone number) so that users know who to reach if they encounter issues logging in to their LastPass Vault or SSO apps.
    Note: This is an account-wide policy setting and cannot be configured for custom policies.

    Recovery by Email
    If a user must be sent a recovery email, select where it should be sent:
    • Primary email
    • Secondary email
    • Both primary and secondary email
    Note: This is an account-wide policy setting and cannot be configured for custom policies.