AUTHENTICATION SOLUTION
LastPass multifactor authentication (MFA)
Multifactor authentication (MFA) provides superior security by requiring two or more different factors of authentication to verify a user’s identity compared to two-factor authentication (2FA).
No credit card required for trial. After the trial, LastPass Business is $7 per user/month.
The benefits of multifactor authentication
Robust authentication system
MFA goes beyond two-factor authentication by requiring multiple forms of additional security – more barriers between hackers and your data.
Phishing-resistant verification
Contextual and biometric authentication processes requires user’s identity verification to protect accounts against unauthorized access.
Business security prioritized
Combine MFA with single sign-on and additional security methods to create a robust identity and access management solution for your business.
Simplified user experience
Adaptive MFA methods secure your business with additional layers of security while streamlining the login experience for end-users.
While a password manager improves basic business security, it can still leave you vulnerable to cybercriminals and cyberattacks. From brute-force to phishing attacks, hackers can find a way past your passwords if the try hard enough.
Multifactor authentication
Multifactor authentication (MFA) puts multiple barriers between hackers and your accounts by setting up a multi-step authentication process that must be completed before access is approved. This can include SMS one-time passwords or mobile device push notifications.
Adaptive authentication
Adaptive MFA enhances security further by requiring forms of identity verification. These phishing-resistant authentication methods include fingerprint scans, facial recognition, location-based factors, and IP address authentication.
Device-based authentication
An MFA solution completed on a user’s device, through a service like the Microsoft Authenticator or the LastPass authenticator app. On Android or iOS devices it’s usually implemented as push notifications or SMS one-time passcodes.
Biometric identity verification
Users authenticate themselves using biological characteristics like fingerprint scan, facial recognition, or a retina scan. This method protects against unauthorized access by requiring a user verify their physical identity to log in.
Contextual authentication
Authentication which verifies a user’s identity based on environmental factors. Authentication methods include only allowing access during working hours, verifying identity based on a user’s IP address, or affirming a user based on their geolocation.
Authentication via hardware keys
Authentication can also be completed using FIDO2-certified hardware keys from Feitian or YubiKey, which are small USB devices you insert into your device to prove your identity when logging in.
Enable LastPass vault MFA
Enable MFA for LastPass password vault access by making it part of your LastPass security policy.
Advanced MFA
Extend access security everywhere with Advanced MFA, which offers MFA for VPNs, workstations, on-premises apps, and identity providers.
LastPass as complete identity suite
Integrate LastPass with your organization’s identity provider and pair MFA with single sign-on (SSO) for a robust identity and access management (IAM) solution.
Learn more about passwordless
Frequently asked questions
Multifactor authentication (MFA) is a means of logging in to accounts: with MFA, an end-user is required to complete multiple authentication methods before access is granted.
For instance, single-factor authentication is the most common way of logging in. This includes a username/email and corresponding password. When input correctly, account access is granted. The problem with single-factor authentication is it’s easy for hackers to brute force.
Two-factor authentication (2FA) requires an additional form of authentication on top of the username-password combo. This often includes a push notification sent to your mobile device or a one-time passcode sent via SMS. It enhances security by requiring another form of identity verification on top of a password.
Multifactor authentication goes even further by requiring two or more authentication methods on top of the username-password combo. Additional authentication includes biometrics – fingerprint scans and facial recognition – and contextual methods, like IP address verification, location-based authentication, and more.
With MFA, you can combine these to enhance security without affecting the end-user experience. For instance, on top of username-password credentials, you can require users to input a one-time passcode and complete a fingerprint scan while also checking their location – to verify the request is coming from where it’s expected.
The three most common types of MFA are something you know, have, and are:
- Something you know: this is usually a unique password you created or a knowledge-based security question, like the name of your favorite high school teacher, your first pet’s name, or the make and model of your first vehicle.
- Something you have: for MFA, this usually includes a mobile device or a hardware key you can plug into your computer’s USB slot. A user’s trusted mobile device can receive push notifications to be approved for authentication, or you can insert a hardware key to verify you’re identity.
- Something you are: this is biological information specific to you. MFA methods that leverage this are referred to as biometric methods, and they include MFA methods like fingerprint scans, facial recognition, or retina scans.
There is a fourth method available, too, though it’s usually only implemented by companies who desire the highest level of security – say, for instance, if they handle sensitive user data. This is not something but a somewhere: it’s an MFA method that verifies a user’s identity based on where they are. Location- and time-based MFA is known as contextual MFA, and it will only allow users to gain access if they are logging in from an expected location or during a set timeline.
For instance, with contextual MFA, an admin can set contextual MFA methods per end-user, so a user who lives in Boston can be approved access only if they log in between 8:00 AM - 6:00 PM (EST) and anywhere within a 50-mile radius ojavascript:void(0);f Boston.
LastPass supports multifactor authentication in numerous ways. Users can connect their LastPass account to other services, like the Microsoft Authenticator, or download and use the LastPass Authenticator app. End-users can also use the MFA methods built into their mobile devices, like their smartphone’s fingerprint scanner, to support biometric MFA.
A password is considered a single-factor authentication. It is the first step to securing your account: you generate a unique password that only you know; you verify your identity and gain access to your account by correctly inputting your password when logging in.
Multifactor authentication is anything that requires more than two-factor authentication to log in. MFA usually includes three methods of authentication. This can look like the following:
- Correctly input your username and password.
- Input a one-time passcode sent to your mobile device as an SMS text.
- Complete a fingerprint scan on your phone to verify your physical identity.
Those two additional steps protect your accounts against hackers because they require information that’s nearly impossible for them to attain: access to your personal device and access to your biometric information.
Standard multifactor authentication (MFA) is available to all LastPass plans, from LastPass Free to LastPass Business. This is also true for passwordless vault login, but LastPass Free users can only use the LastPass Authenticator app to enable passwordless MFA login.
Hardware MFA methods, like standalone fingerprint scanners and hardware keys such as YubiKey, are available only for LastPass’s paid plans.
MFA for VPNs, workstations, on-premises apps, and identity providers is only available as part of our LastPass Business Max accounts.