Use RSA SecurID Multifactor Authentication
LastPass Enterprise supports RSA SecurID as a form of Multifactor Authentication for user access to their LastPass Enterprise account. A second factor of authentication can protect your LastPass Vault against replay attacks, man-in-the-middle attacks, and a host of other threat vectors.
Note: Feature availability may vary depending on your account type.
To get started, LastPass admins must complete the steps for enabling Multifactor Authentication in the Admin Console.
Limitations and compatibility
|RSA Authentication Manager Supported Features with LastPass Enterprise|Supported|
|RSA SecurID Authentication via Native RSA SecurID UDP Protocol|No|
|RSA SecurID Authentication via Native RSA SecurID TCP Protocol|No|
|RSA SecurID Authentication via RADIUS Protocol|Yes|
|RSA SecurID Authentication via IPv6|No|
|On-Demand Authentication via Native SecurID UDP Protocol|No|
|On-Demand Authentication via Native SecurID TCP Protocol|No|
|RSA Authentication Manager Replica Support|Yes|
|Secondary RADIUS Server Support|Yes|
|RSA SecurID Software Token Automation|No|
|RSA SecurID SD800 Token Automation|No|
|RSA SecurID Protection of Administrative Interface|No|
Configure the agent host
To facilitate communication between LastPass Enterprise and the RSA Authentication Manager / RSA SecurID Appliance, an agent host record must be added to the RSA Authentication Manager database. The agent host record identifies LastPass Enterprise and contains information about communication and encryption. Set the Agent Type to “Standard Agent” when adding the authentication agent.
Since LastPass will be communicating with RSA Authentication Manager via RADIUS, a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:
- IP addresses for network interfaces
- RADIUS Secret
Note: The RADIUS client’s hostname must resolve to the IP address specified.
LastPass Enterprise employs a distributed architecture which encompasses many similarly configured servers. As a result of this architecture, RSA Authentication Manager administrators will need to configure agent host records and/or RADIUS clients for each LastPass Enterprise server. There are a few different methods for achieving this with varying amounts of administrative effort. These options are:
- Configure an agent host record and corresponding RADIUS client for each LastPass Enterprise server.
- Configure an agent host record for each LastPass Enterprise server with a shared RADIUS client.
- Configure a shared RADIUS client that does not use an agent host record (Global change).
Note: Refer to RSA Authentication Manager Administrators Guide for information on configuring shared RADIUS clients.
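A pre-flight check for the RADIUS client inventory, covering the requirement above that each client's hostname resolves to the IP address specified and the compatibility table's lack of IPv6 support. This is an added example, not LastPass or RSA code; the hostnames, addresses, `SAMPLE_DNS` stand-in resolver and the duplicate-IP check are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample data: example.com names and documentation address ranges.
CLIENTS = [
    {"hostname": "lp-node-1.example.com", "ip": "192.0.2.10"},
    {"hostname": "lp-node-2.example.com", "ip": "192.0.2.11"},
    {"hostname": "lp-node-3.example.com", "ip": "2001:db8::5"},
    {"hostname": "lp-node-4.example.com", "ip": "192.0.2.10"},
]
# Constructed stand-in for DNS so the example runs offline.
SAMPLE_DNS = {
    "lp-node-1.example.com": ["192.0.2.10"],
    "lp-node-2.example.com": ["192.0.2.99"],
    "lp-node-3.example.com": ["2001:db8::5"],
    "lp-node-4.example.com": ["192.0.2.10"],
}

def sample_resolver(hostname):
    return SAMPLE_DNS.get(hostname, [])

def system_resolver(hostname):
    """Resolve through the OS resolver; an unresolvable name yields []."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_clients(clients, resolve=system_resolver):
    """Return (hostname, problem) pairs for entries that need attention."""
    findings, owner_of_ip = [], {}
    for entry in clients:
        host = entry["hostname"]
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except ValueError:
            findings.append((host, "not a valid IP address"))
            continue
        if ip.version != 4:
            # The compatibility table lists authentication via IPv6 as "No".
            findings.append((host, "IPv6 address, not supported"))
        elif str(ip) not in resolve(host):
            findings.append((host, "hostname does not resolve to this IP"))
        elif str(ip) in owner_of_ip:
            # Assumption: one record per server, so a repeated IP is an error.
            findings.append((host, "IP already used by " + owner_of_ip[str(ip)]))
        owner_of_ip.setdefault(str(ip), host)
    return findings
```

Call `check_clients(CLIENTS)` without the `resolve` argument to validate against live DNS before entering the records in the RSA Security Console.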
Set up and configure in LastPass
- Log in to LastPass and access your Vault by doing either of the following:
  - Go to https://lastpass.com/?ac=1 and log in with your username and Master Password.
  - In your web browser toolbar, click the LastPass icon then click Open My Vault.
- Select Account Settings in the left navigation.
- Click on the Multifactor Options tab.
- Click the Edit icon for RSA SecurID.
- For the "Enabled" option use the drop-down menu to select Yes.
- For the "Permit Offline Access" option, use the drop-down menu to choose from the following:
  - Select Allow if you wish to allow offline access. This will store an encrypted Vault locally so you can log in without using Multifactor Authentication in case of a connectivity issue.
  - Select Disallow to prevent offline access. Logging in then requires Multifactor Authentication and an internet connection when using RSA SecurID.
- For the "More Information" section, you can choose to be directed to the mobile app download or this article.
- Click Update when finished, then enter your Master Password and click Continue.
- When prompted, enter the verification code displayed in the RSA SecurID app on your mobile device, then click OK.
- Click OK on the confirmation message that RSA SecurID has been successfully set up.
Using the RSA SecurID Authenticate app
- Open the RSA SecurID app on your mobile device.
- On your desktop web browser, log in to LastPass at https://lastpass.com/?ac=1 with your username and Master Password.
- On your web browser, you can verify your login by doing the following:
  - Enter a passcode on the login screen, then click Authenticate.
  - Enter a new PIN (4-8 alphanumeric characters), then click Authenticate.
  - Enter the system-generated PIN, then click Authenticate.
  - Finally, enter the next PIN. If desired, check the box to enable the "Trust this computer for 30 days" option and provide a computer name, then click Authenticate. Learn more about managing your trusted devices.
About using multiple Multifactor Authentication options
Please note that if you have more than one Multifactor Authentication option enabled for your account, you must select your desired default authentication option from the drop-down menu at the bottom of your Multifactor Options window in order to be prompted to authenticate with your preferred option when logging in to LastPass.
Enforcing RSA-related policies
With LastPass Enterprise, you can leave the Multifactor Authentication decision up to your end users, or you can mandate its use with our configurable security policies. Here are some policies that you might consider implementing relative to RSA SecurID:
- Require use of RSA SecurID – Require use of RSA SecurID as a second factor of authentication when logging into LastPass. RSA SecurID must be configured by the user.
- Require use of any multifactor option – Require use of any multifactor option as a second factor of authentication when logging into LastPass. The following authenticators are supported:
  - Use the LastPass Authenticator
  - Use the Google Authenticator
  - Use Microsoft Authenticator
  - Use Toopher Authentication (no longer available for new users)
  - Use Duo Security Authentication
  - Use Transakt Authentication
  - Use Grid Multifactor Authentication
  - Use YubiKey Multifactor Authentication
  - Use Windows Fingerprint Authentication
  - Use Smart Card Authentication
  - Use Sesame Multifactor Authentication
  - Use RSA SecurID Multifactor Authentication
  - Use Symantec VIP
  - Use SecureAuth Authentication
- Restrict Multifactor Trust – Restrict computers that can be trusted by IP address. You can enable this policy to allow users to skip second factor authentication from trusted locations (such as the office) but still require it from remote locations.