One of the most crucial steps in securing a modern business computing environment is to add multi-factor authentication (MFA), so that an attacker who steals credentials can't gain access to protected resources. According to a 2019 Microsoft study, requiring the use of an additional authentication factor besides a password blocks 99.9% of automated attacks on cloud-based services. A separate report from Google from around the same time came to a similar conclusion.
That fact explains why the developers of password management software are creating tighter links between their products and MFA technologies. The latest entrant is the widely used LastPass, which today announced the release of a new LastPass Authenticator mobile app.
The new app, which is free for anyone, including LastPass customers with free accounts, consolidates functionality that was previously split into two apps, with a separate LastPass MFA app for business customers. According to Akhil Talwar, Director of Product Management for LastPass parent company LogMeIn, the availability of two apps was confusing to some consumer customers, who inadvertently downloaded the wrong solution.
The updated app is available for Android devices today and should be available for iOS devices in the next week. The LastPass MFA app will continue to work for business customers that have deployed it, although the company expects those customers to migrate to the new app over time.
LastPass isn't the first technology company to make this sort of move. Microsoft similarly offered two authenticator apps, one for Microsoft accounts and the other for business and enterprise accounts running under Azure Active Directory, before releasing a unified Authenticator app in 2016.
The new LastPass app should be familiar to anyone who's used similar apps like Google Authenticator or Authy. (For an overview of the technology, see "Better than the best password: How to use 2FA to improve your security.")
Compared to the bare-bones Google solution, the updated LastPass Authenticator offers a few usability advantages, including the ability to sort, search, and filter a long list of saved MFA providers. Like Authy and Microsoft Authenticator, the LastPass app also includes the ability to back up and restore configurations and to save manual backup codes in the LastPass vault.
The new app also supports passwordless logins on accounts that support Security Assertion Markup Language (SAML). So, for example, a user who has paired the LastPass app with an Azure AD account can sign in to a Windows workstation by responding to a prompt rather than entering a time-based one-time password (TOTP) code, similar to the mechanism that Microsoft Authenticator uses.
For businesses, LastPass can also act as a full identity platform, offering enterprise-style single sign-on functions for smaller businesses, implemented with the help of a managed service provider. That sort of setup makes it easier to onboard new employees and securely shut off their access to protected resources when they leave the company.
One feature you won't see in the new LastPass app is combined access to passwords and MFA codes. That functionality is available in competing password managers like 1Password and recently debuted in Microsoft Authenticator. For now, Talwar says, LastPass customers are leery of combining both functions in the same app.