cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

For more information about the LastPass security incident please visit our blog

catbrier2
New Contributor

Multiple MFA devices when disabling is disabled?

My organisation has disabled users' ability to turn off MFA. I have Lastpass Authenticator on my phone, so to get work done I need my Surface plus my iPhone.

Background story: Today I left my phone at home, so I had to email the support team to turn off MFA for me. However, they didn't respond. I ended up going home to get my phone, then coming back into the office. Wasted 1.5 hours doing this round trip.

To avoid being locked out of Lastpass when I leave my phone at home, I'd like to have some sort of MFA option on my Surface. This FAQ says that it's possible to have multiple MFA devices set up:
* [url=https://lastpass.com/support.php?cmd=showfaq&id=5686:2txwvmpc]Can I use more than one form of Multifactor Authentication at the same time?[/url:2txwvmpc]

However, I'm not sure if this will help, because the FAQ says that the second device is only invoked if the first has been disabled. And disabling MFA is the very thing that we aren't allowed to do at my organisation.

Can anyone confirm (or clarify) my understanding of whether multiple MFA devices would work in my situation?

Thanks!
2 REPLIES 2
FlyingHawk
Active Contributor

Re: Multiple MFA devices when disabling is disabled?

There seems to be some confusion in the post.

You can absolutely have multiple MFA devices working at the same time (phone1 / phone2 / phone3...).
What you can't have is multiple MFA methods working at the same time (LP authenticator / Grid / Yubikey...).

On your problem:
LastPass Authenticator only exists on mobile platforms, so you can't set up your Surface as a MFA device.
You can probably do the following:
Enable Google Authenticator as MFA, but use Authy to scan the barcode.
Authy is a multi-platform 2FA app with synchronization. It can be installed on mobile or computers, so you can set it up on both your iPhone and Surface.
After you've set up Authy, disable LP authenticator as a MFA method.

Depending on your organization's policy, the last step may be tricky.
You still have "Google authenticator" (but really you're using Authy) enabled, so you're not disabling MFA entirely. If your organization's policy is sensible, it should be allowed.
catbrier2
New Contributor

Re: Multiple MFA devices when disabling is disabled?

Thanks FlyingHawk.

You are right about my level of confusion. Thanks for clarifying the distinction between devices & MFA methods.

I'll have a play with your suggestion, to see if it's allowed.