Breaking Down Identity: The Top 10 Most Frequently Asked Questions

We recently announced the expanded LastPass business suite which has taken the LastPass business lineup from password management to an identity solution inclusive of password management, single sign-on and multi-factor authentication.  

In our latest webinar, Modern Identity: Unifying Access and Authentication, we walked through the expanded business lineup, shared details on our new identity research, and did a live demo of LastPass Identity. We received many great questions from our audience and wanted to summarize the most frequently asked questions we’ve been hearing around identity from the webinar and our customer conversations thus far. Here are the top 10 questions:

1. What was the reason LastPass decided to expand beyond password management into the identity market?

We’ve moved into the identity market based on our customer feedback. After countless customer conversations on password management over the past decade, it became clear that many organizations were using LastPass as their first step in identity management. Organizations were not only using LastPass to securely manage passwords, but also to complement their single sign-on solution, and even begin to deploy multi-factor authentication. This signaled to us how password management is a starting point and a portion of managing user identity, and that there was a gap in organizations today. That’s why we’ve built a simple and secure identity solution to enable our customers to address these challenges, all while continuing to invest in and optimize our password management.

2. What does LastPass now offer for password management?   

We are continuing to offer all of the password management functionality that has existed within LastPass and have a full roadmap of how we will continue enhancing our password manager to meet your needs. For example, we just released federated login with Microsoft Azure AD, which was among the most requested features from our password management customers. If you’re interested only in password management, LastPass can and will continue to simply secure every password in the business. If you’re interested in identity, access or authentication, LastPass can support those needs as well. We are building LastPass to be an identity platform that can help simplify security in your organization, and those requirements are unique for every organization.

3. What’s the difference between each of the LastPass business solutions?  

We now offer 4 different LastPass business solutions: Teams, Enterprise, MFA and Identity. 

LastPass Teams is built for organizations of 50 or fewer who are looking to address password management challenges through smart password storage, convenient password sharing, and an easy-to-manage dashboard.

LastPass Enterprise protects every access point in the organization through a combined password manager and single sign-on portal. For password management, LastPass Enterprise is the industry-leading enterprise password manager with over 47,000 business customers worldwide, 100+ customizable password management policies, an Admin dashboard, secure sharing, flexible integrations, federated login and in-depth reporting. For single sign-on, LastPass Enterprise includes a single sign-on (SSO) portal with 1,200+ SAML 2.0 application integrations and flexible policies such as restricting access by geolocation or IP address. LastPass Enterprise is ideal for organizations looking for complete flexibility, control and security in managing access.

LastPass MFA is a multi-factor authentication solution that combines both biometric and contextual factors to increase the security of the login experience, without getting in the way of employees’ work. LastPass MFA works across cloud, legacy, on-premise apps, email and VPN. Examples of biometric authentication factors are employees authenticating using their fingerprint or face ID. Contextual factors adapt with the context of the login; LastPass MFA includes policies to approve or deny a login based on geolocation, IP address and time. LastPass MFA is ideal for organizations seeking to implement a more seamless and secure way to authenticate employees.

LastPass Identity is everything included in LastPass Enterprise and LastPass MFA in one bundled solution. LastPass Identity includes enterprise password management, single sign-on and multi-factor authentication, and is ideal for organizations to obtain unified visibility and control across all their employees. 

4. What’s the difference between LastPass Enterprise and LastPass Identity? 

LastPass Enterprise includes password management and single sign-on. LastPass Identity includes password management, single sign-on AND multi-factor authentication. The main difference between LastPass Enterprise and LastPass Identity is that LastPass Identity includes adaptive multi-factor authentication. LastPass Identity is a unified solution that includes all of the functionality from LastPass Enterprise and LastPass MFA.

5. What’s the difference between two-factor authentication (2FA) and multi-factor authentication (MFA)? 

Authentication adds security factors to the login process. By adding more factors, IT can better prove that someone is who they say they are, while making it much harder for a fraudulent user to gain access. 2FA adds two distinct factors to the login process: a password and typically a code generated by an app on your phone. While 2FA solutions double the security of the login process, they often lack granular controls, integrations and reporting. MFA takes 2FA a step further and combines 2 or more factors in the login process: something you know (like a password), something you have (like your phone) and something you are (like a fingerprint). MFA offers insight into who is logging in and when, and provides IT with the confidence that only the right users are logging in without interrupting employees’ productivity.

6. What are contextual authentication factors? 

Contextual authentication factors are factors that adapt with you. For example, if you log into a work application on a weekday during normal business hours at your corporate office, that is expected behavior of an employee. However, if there’s a login on a weekend in the middle of the night in a new location, that is suspicious behavior. Contextual authentication factors detect these differences and approve or deny the authentication request accordingly.

LastPass MFA supports multiple types of contextual policies. With geofencing, Admins can create green zones (approved places to access) and red zones (non-approved places to access), to restrict access from any desired locations. LastPass MFA also provides IP-based policies to whitelist IP addresses (approved IP addresses) or blacklist IP addresses (block unwanted IP addresses), as well as time-based policies to restrict access outside of defined hours. 
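The following sketch shows how a login could be checked against the three policy types described above (IP lists, geofence zones and permitted hours). It is an added example, not LastPass code and not part of the original post; the policy layout, the zone coordinates, the function names and the rule that deny entries take precedence are all assumptions, and `when` is assumed to be in the policy's local time.

```python
import ipaddress
import math
from datetime import datetime, time

# Constructed policy for illustration; IPs are documentation ranges, zones are made up.
POLICY = {
    "ip_allow": ["203.0.113.0/24"],              # approved office egress range
    "ip_deny": ["198.51.100.7/32"],              # explicitly blocked address
    "green_zones": [(42.3601, -71.0589, 50.0)],  # (lat, lon, radius_km)
    "red_zones": [(0.0, 0.0, 100.0)],
    "weekdays": {0, 1, 2, 3, 4},                 # Monday..Friday
    "hours": (time(8, 0), time(18, 0)),          # policy-local time
}

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def in_zone(lat, lon, zones):
    return any(km_between(lat, lon, zlat, zlon) <= r for zlat, zlon, r in zones)

def in_nets(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(policy, ip, lat, lon, when):
    """Return (decision, reasons). Deny rules win; anything unparseable is denied."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "deny", ["unparseable source IP"]
    if in_nets(addr, policy["ip_deny"]):
        return "deny", ["IP on deny list"]
    if in_zone(lat, lon, policy["red_zones"]):
        return "deny", ["inside red zone"]
    reasons = []
    if not in_nets(addr, policy["ip_allow"]):
        reasons.append("IP not on allow list")
    if not in_zone(lat, lon, policy["green_zones"]):
        reasons.append("outside green zones")
    start, end = policy["hours"]
    if when.weekday() not in policy["weekdays"] or not (start <= when.time() < end):
        reasons.append("outside permitted hours")
    return ("deny" if reasons else "allow"), reasons
```

Returning the reasons alongside the decision gives the reporting side something to log for each denied attempt.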

7. How does single sign-on work? 

Single sign-on enables employees to access multiple resources in a network using only one set of credentials. Admins assign employees the applications required for their role, and employees can log into all of their assigned applications once they are logged in with LastPass. In the background, this works through a protocol: we use the Security Assertion Markup Language (SAML) 2.0 web standard, which builds a relationship between LastPass and the given application. The relationship built by the SAML 2.0 protocol establishes a secure connection that eliminates the need for a password. LastPass Enterprise and LastPass Identity include the single sign-on catalog and offer this type of integration for 1,200+ applications, which enables you to assign employees the apps required for their role.

8. What’s the difference between federation with Azure AD and LastPass’ single sign-on?   

With LastPass, you have the flexibility to simplify access regardless of your identity provider. LastPass Enterprise and LastPass Identity support federated login with both Active Directory and Azure Active Directory. Federated login eliminates the LastPass Master Password, so employees only have one password to access their work: their directory password. Federated login uses the directory as the identity provider, which is the source of truth for where Admins manage access for employees. Federation connects LastPass to the identity provider to eliminate the LastPass Master Password. 

Alternatively, LastPass Enterprise and LastPass Identity can be used as an identity provider using the single sign-on portal. You can automatically add users to LastPass and use LastPass as your source of truth for managing users in your business. Once users are provisioned to LastPass, they can be assigned the appropriate applications for their role through our single sign-on app catalog. Once assigned, employees can access all of their resources without an additional password.  

9. Does adding single sign-on change LastPass’ zero-knowledge security model?  

LastPass is still built on a zero-knowledge security model. LastPass employs local-only encryption, also known as “host-proof hosting”. This type of solution is designed to allow only a LastPass user to decrypt and access their data. We call this “Local-Only Encryption”, which means that all sensitive vault data is encrypted and decrypted exclusively on the user’s local machine (such as Chrome, Firefox, iPhone, Android, the Web Vault, etc.), rather than after the data syncs to LastPass’ servers.  

10. If I am already an Enterprise customer, how do I gain access to single sign-on and multifactor authentication? 

LastPass Enterprise customers automatically receive the single sign-on portal in their accounts at no additional cost, and there is also a policy to disable users from seeing single sign-on in their Vaults if desired. If you would like to add multi-factor authentication to your account, you can upgrade to LastPass Identity which encompasses all the functionality from LastPass Enterprise and LastPass MFA in a single solution. 

Keep the questions coming!  

For existing LastPass Enterprise customers, the easiest way to get started with LastPass Identity is to take out a free 14-day trial on If you’re new to LastPass, you can take out a LastPass MFA trial to experience how our multi-factor authentication adapts with your business, or a full LastPass Identity trial to experience how password management, single sign-on and multi-factor authentication provide unified security and control across your employees.