Create a Policy to Not Allow Users to Trust Devices

cancel
Showing results for 
Search instead for 
Did you mean: 

Create a Policy to Not Allow Users to Trust Devices

0 Kudos

Create a Policy to Not Allow Users to Trust Devices

LastPass is one of our key systems at our office (~40 users) and since it is so critical I feel that we need to stress MFA after every login. While it is not conventional we would like to NOT ALLOW our users to remember their device(s) for 30 days. We already have other systems in our office where users must allow an MFA push notification before accessing some of our other systems, this push notification happens every time they request access to these systems without exception. We take security in our office very seriously and we have found that eventually you get use to the MFA every time you login. We also find that it is very helpful to have a backup MFA device like a security key that we can assign to users who forget their phone for the day (yes this actually happens).

 

While we realize that this feature alone will not help increase our security or reduce our risk we still get calls from people from time to time who are so used to getting MFA notifications that when they forget that they checked the "trust this device for 30 days" they call us in a panic that something is wrong with LastPass as it did not prompt them for MFA. So if anything it is a visual indicator that something might be wrong.

 

Hope everyone reading this has a nice day and I look forward to the discussions.