AD Connector: SuperAdmin behavior when logging in with MFA needs improvement

 This was found in our own troubleshooting before we opened a ticket.

* Two super admins on our LastPass account: one has only LP MFA configured, the other has LP MFA, Duo and Yubikey configured. We permit multiple types of MFA to be used, and it just happens that the other SuperAdmin does not yet have Yubikey/Yubico or Duo configured, but it is not required for them, so it is not expected for them to have it configured at this time.

* The Admin with only LP MFA got a LP MFA challenge. This eliminates LP MFA as an issue for getting into AD Connector as a SuperAdmin (could not find documentation that details what MFA is supported by AD Connector, so where there is no documentation there are assumptions).

* The Admin with three forms of MFA was prompted for a Multifactor key, but the type of MFA was not specified by AD Connector (it does not specify the type of MFA that it's expecting to be provided). Both Duo and LP MFA were attempted but failed. The assumption here is that Yubikey was expected, but it was not explicitly asked for in the screen.

* AD Connector does not identify the MFA form that is expected to be provided by the SuperAdmin. It just says "Multifactor key" and, unlike other LastPass challenges, does not indicate what form of MFA it's expecting you to use or provide.

* AD Connector MFA does not follow the Default MFA Settings granularly set inside a SuperAdmin's account.

* AD Connector MFA SEEMS to use the strongest MFA type that a specific user's account has configured, but that is neither listed anywhere as a requirement nor something that a SuperAdmin needs to be aware of when using AD Connector.

* This is the first AD Connector connection we have tried when a user had more than 3 MFA forms configured. This behavior was not expected, nor does it follow an expected MFA flow.

So the end questions we have asked of Support are:
* What MFA is supported for AD Connector?
* What MFA is expected for AD Connector?
* Does AD Connector adhere to the Default MFA set per a SuperAdmin's individual account?
* How does AD Connector determine the MFA that is expected when using AD Connector?
* Why does AD Connector not identify the MFA type that it's asking for during the prompt window?
* What MFA does AD Connector select if two different "strong" forms of MFA have been configured?


If anyone else is having similar challenges or wants to tag onto any FRs that are activated by these questions, let me know and I'll share whatever we were told you would need to submit to "endorse" that improvement.


Re: AD Connector: SuperAdmin behavior when logging in with MFA needs improvement

Update: apparently Yubikey/Yubico has enforcement over other methods (even though there is nothing stating this is expected, intended, etc.). We expect to push for this to be filed as a bug; it should not ignore the default authentication method set per SuperAdmin's account. Will keep the board apprised.

Re: AD Connector: SuperAdmin behavior when logging in with MFA needs improvement

Last update for this folks!


Was informed by support and engineering that unless we were willing to follow a set of instructions, record a video and generate/upload files, they would not continue to troubleshoot the issue with Yubikey overriding all other MFA types when using AD Connector.


Support/Engineering identified that they could replicate the issue on their side, but since we neither have a test environment nor are willing to use our own Production environment as a "test" bed for providing the logs that have been "required", they have decided that the issue we found will not be labeled as an issue or fixed until such logs/documents/videos are provided.


We are not satisfied with the response that was given, but as we are not willing to spend the time to validate what we already know is an issue, we want others to know that use of Yubikey on an account will be the only accepted MFA when using AD Connector, and no, this is not currently documented by LastPass at this time as a "limitation".