Prohibit Sharing Except for Shared Folders
LastPass offers password sharing to help employees securely and conveniently share logins with others inside and outside the organization. By default, individuals can share items one-on-one, or teams can easily collaborate and access shared accounts by setting up shared folders. However, any credentials shared one-on-one are not visible to admins. Enabling the "Prohibit Sharing Except for Shared Folders" policy restricts password sharing to designated shared folders only and does not allow employees to share individual accounts. As a result, this LastPass policy lets admins keep track of all shared access and ensure transparency. Of course, employees can still create shared folders, add relevant sites, and share them with their teams. However, admins will be able to see when such sharing occurs, enhancing overall security and accountability.
Recommend or Require Linked Personal Account
LastPass is beneficial at home and in the workplace, offering secure storage and management of credentials in both places. However, to keep the two data sets separate and private, employees should be encouraged to create two LastPass accounts: a personal account and a work account. LastPass then allows users to "link" their personal and business accounts, providing a unified view of all login credentials in a single vault. Admins have no visibility into the personal vault, while users can access credentials from both vaults as they work. By recommending or requiring linked accounts via the LastPass admin policies, you nudge employees to use LastPass to better secure their own logins, such as email, social media, and online shopping. Promoting linked accounts also helps employees understand the value of LastPass, driving adoption as they get comfortable with password management features and more quickly develop better security habits. Good security at home, in turn, translates to better protection in the workplace. Linking personal accounts also facilitates a smooth transition when employees leave the organization: admins can instantly revoke access to work accounts, so departing employees walk away with only their personal passwords.
Require Multi-Factor Authentication
In today's threat landscape, enforcing an additional layer of security beyond traditional username and password authentication is crucial. Requiring employees to use multi-factor authentication (MFA) significantly enhances the protection of sensitive data. By using an additional factor to verify a user's identity, organizations can eliminate many common cyber threats and reduce the risk of data breaches. LastPass integrates with various MFA services, such as smartphone apps, software-based services, and hardware tokens. Enabling the LastPass admin policy "Require Multi-Factor Authentication" ensures that employees validate their identity with that additional factor when logging in to LastPass. Implementing MFA across all applicable platforms, including LastPass, single sign-on, and user directories, is advisable to mitigate the risk of unauthorized access.