Multiple MFA devices when disabling is disabled?

Customer forum for LastPass Enterprise

Moderators: admin, azitnay, anatoly_LP, chantieLP, JoeSiegrist, robyn

Multiple MFA devices when disabling is disabled?

Postby catbrier2 » Wed Jun 06, 2018 7:49 pm

My organisation has disabled users' ability to turn off MFA. I have Lastpass Authenticator on my phone, so to get work done I need my Surface plus my iPhone.

Background story: Today I left my phone at home, so I had to email the support team to turn off MFA for me. However, they didn't respond. I ended up going home to get my phone, then coming back into the office. Wasted 1.5 hours doing this round trip.

To avoid being locked out of Lastpass when I leave my phone at home, I'd like to have some sort of MFA option on my Surface. This FAQ says that it's possible to have multiple MFA devices set up:
* Can I use more than one form of Multifactor Authentication at the same time?

However, I'm not sure if this will help, because the FAQ says that the second device is only invoked if the first has been disabled. And disabling MFA is the very thing that we aren't allowed to do at my organisation.

Can anyone confirm (or clarify) my understanding of whether multiple MFA devices would work in my situation?

Thanks!
catbrier2
 
Posts: 2
Joined: Wed Jun 06, 2018 7:35 pm

Re: Multiple MFA devices when disabling is disabled?

Postby FlyingHawk » Thu Jun 07, 2018 12:11 am

There seems to be some confusion in the post.

You can absolutely have multiple MFA devices working at the same time (phone1 / phone2 / phone3...).
What you can't have is multiple MFA methods working at the same time (LP authenticator / Grid / Yubikey...).

On your problem:
LastPass Authenticator only exists on mobile platforms, so you can't set up your Surface as a MFA device.
You can probably do the following:
Enable Google Authenticator as MFA, but use Authy to scan the barcode.
Authy is a multi-platform 2FA app with synchronization. It can be installed on mobile or computers, so you can set it up on both your iPhone and Surface.
After you've set up Authy, disable LP authenticator as a MFA method.

Depending on your organization's policy, the last step may be tricky.
You still have "Google authenticator" (but really you're using Authy) enabled, so you're not disabling MFA entirely. If your organization's policy is sensible, it should be allowed.
FlyingHawk
 
Posts: 775
Joined: Wed Mar 18, 2015 12:04 pm

Re: Multiple MFA devices when disabling is disabled?

Postby catbrier2 » Thu Jun 07, 2018 12:46 am

Thanks FlyingHawk.

You are right about my level of confusion. Thanks for clarifying the distinction between devices & MFA methods.

I'll have a play with your suggestion, to see if it's allowed.
catbrier2
 
Posts: 2
Joined: Wed Jun 06, 2018 7:35 pm


Return to LastPass Enterprise

Who is online

Users browsing this forum: No registered users and 6 guests