LastPass 101: Our Security Model

The security of your organization is directly impacted by the security of the software you use. When it comes to facilitating employee access to work resources while keeping attackers out, the security standards of your identity solutions are even more critical. Tens of thousands of businesses around the world rely on LastPass to provide critical services and protect sensitive data. That’s why security is always LastPass’ first priority.

A zero-knowledge security model

LastPass is designed to keep sensitive data safe using a local-only security model. LastPass does not send or store the master password. Encryption with 256-bit AES (utilized by banks and the military and widely accepted as impenetrable) happens exclusively at the device level before syncing to LastPass for safe storage, so only users can decrypt their data. Biometric data is also encrypted at the device level and never leaves the user’s device, protecting biometric data from server-side attacks. We believe that if LastPass is built so that it can’t access your data, neither can hackers.

Third-party validation

Don’t just take our word for it; our security is vetted by third parties, too. LastPass has achieved SOC I, II, and III compliance, widely recognized as a gold standard in confirming the reliability and security of software. We also engage trusted, world-class, third-party security firms to conduct routine audits and testing of the LastPass service and infrastructure. Our bug bounty program incentivizes responsible disclosure and improvements to our service from top security researchers.

Features to improve security

We don’t just build security into the product; we also make features available for businesses to take security into their own hands. Whether through customizable, granular security policies, the use of multifactor authentication for all employees, the use of secure protocols, and more, LastPass gives IT more control without inconveniencing employees.

Watch our video to learn more about the LastPass approach to security: