LastPass
LastPass Enterprise: password management and SSO solution that gives the ability to securely store, create and access user identity and credentials for online applications/websites.
LastPass Identity: next-gen identity platform combining password management and SSO with adaptive MFA.
LastPass MFA: intuitive authentication experience that's simple to use and easy for admins to deploy across cloud/legacy/on-premise apps/VPN.
Features
- Reliable save and fill for every password
- 100+ Security Policies
- Built-in Password Generator
- Supported Browser Extensions and Mobile app; access anywhere
- Encrypted Vault & Master Password
- Secure Password Sharing
- Directory Integration & APIs
- Zero-Knowledge Data Security Model
Benefits
- Increase Password Security
- Safe Password Storage / Protection
- Access Management
- Password Security Audits
- Increase Productivity (reduce password recovery)
Pricing
£42.84 a licence a year
- Education pricing available
- Free trial available
Framework
G-Cloud 13
Service ID
802776445081615
Contact
GOTO TECHNOLOGIES UK LIMITED
Channel Sales operations @ GoTo
Telephone: 00353858885888
Email: PartnerOps-International@GoTo.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- To check supported versions, go to LastPass Icon > More Options > About LastPass, where you will find the version number and the build date. Our release notes can be found at https://lastpass.com/upgrade.php. We do not have a breakdown of users per version to share publicly. We have previously built versions of LastPass for platforms that we no longer develop for. Users are welcome to install and use them, but we cannot offer technical support for these versions: Windows Mobile 5+, Symbian S60 3rd+, Palm webOS. Users are strongly recommended to download and run the installer from our website on all browsers they regularly use.
- System requirements
- https://support.lastpass.com/help/system-requirements-for-users-lp010008
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
24x7 Phone Support with an average answer time of 30-60 seconds
24x7 Email Support with an initial response within 24 hours
Our support is rated #1 across competitive sites and reviews from numerous customers.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Web chat
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
-
We conducted 3rd party independent assessments to train our teams on development practices and tools required to achieve WCAG 2.1 Level AA compliance for our web chat tool, which powers the support chatbot. These include the following testing methods:
• JAWS 15 (or above) screen reader with Internet Explorer 11
• NVDA screen reader with Firefox
• Dragon NaturallySpeaking 12+ with IE
• ZoomText 10+ with Internet Explorer
• Ensure the service can be used without a mouse – Chrome
• Ensure the service is accessible to people who have a disability but do not require assistive technology – Chrome/Safari: Colour Blind, Dyslexic, Learning Disabilities, Deaf, Aspergers, and Anxiety/Panic disorder
• Testing on iPad and iPhone using native browser
• VoiceOver with Safari on iPhone
• Zoom with Safari on iPad
• TalkBack on Android
These were conducted via both automated and manual testing approaches.
- Onsite support
- Yes, at extra cost
- Support levels
-
Phone Support 24x7. The support number is exclusively for LastPass Admins in the Admin console; LastPass Teams admins and end users can request a call back from support through the Support Center.
Ticket support: You can submit a ticket via our support center at any time; appropriate priority levels are given.
Online Support center and knowledge base: search and find solutions for FAQs, get 24/7 access to our extensive online knowledge base and engage in user-to-user support in the LastPass community.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
As you begin your deployment, various self-help guides will activate within the Admin Console, walking you through the tool's basic features and pointing you to additional resources. LastPass utilizes Embark, an online e-learning resource that hosts recorded and live sessions on all aspects of LastPass, for Admins and employee end-users. This is always available throughout the length of your subscription.
LastPass Business is a premium product with premium support, provided through the LastPass Community, the Support Site, or by contacting support, which is available 24/7. Your LastPass Business account may also qualify for a Customer Success Manager (CSM) based on the size of your account. In this case, a CSM will be assigned to you and is available to support your implementation and provide ongoing product updates. Additional VIP Support is also available for purchase through your sales representative.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Video
- End-of-contract data extraction
-
LastPass users can delete their own accounts and associated Content via the “Delete your Account” page located at https://lastpass.com/delete_account.php. Users without access to their LastPass vault and/or email address can submit a service request to the Care team, who will authenticate the user and delete the account and Content within 30 days of the request.
Free accounts, including the Content located therein, shall automatically be deleted after two (2) years of inactivity (i.e., no logins).
- End-of-contract process
- As specified in the "End-of-contract" process, each customer may delete or export relevant Customer Content, and in any regard, such Content would be subject to reasonable retention periods (as specified in the "end-of-contract data extraction" section above). Additional information can be found at the product-specific Technical and Organizational Measures Resource (https://www.goto.com/company/trust/resource-center). GoTo is always seeking feedback and areas for improvement, both throughout the contract lifecycle, as well as thereafter; this may include, if permitted to do so, soliciting input from our users.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- macOS
- Windows
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
Please reference:
https://support.lastpass.com/help/lastpass-for-android-lp060001
https://support.lastpass.com/help/lastpass-for-ios-lp060002
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
-
The Admin console provides admins the capability to add/remove users or groups from the service. In addition it allows them to change settings that affect the users in the account. Most prominently these are the policy settings where functionality or behaviour of the product can be controlled for the end users. Key features are:
* Manage users and groups
* Manage policies
* Change account settings
* Configure integrations such as directory synchronizations or federated login
* Manage email notifications
* Reporting of user and admin activity
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
-
• We regularly self-assess (2 times in 2021) against WCAG AA, Section 508 and EN 301 549
• We are building a component based design and frontend system in 2022 and beyond that has accessibility as a requirement
• We are advocating for a culture (in design and engineering too) that has accessible software as a base need rather than an afterthought
- API
- Yes
- What users can and can't do using the API
-
LastPass has a provisioning API (https://support.lastpass.com/help/use-the-lastpass-provisioning-api-lp010068) which is not accessible for end-users, only for admins to create, modify or delete users and groups for individual directory integrations.
The LastPass command line application is an open source project that allows you to create, edit, and retrieve passwords in your online LastPass Vault via the terminal on Mac, Linux, and Windows using Cygwin. You can also generate passwords for every server you use, and securely store those passwords directly in LastPass, as well as use subcommands. Additionally, LastPass Enterprise users can automate sharing using shared folders.
https://support.lastpass.com/help/use-the-lastpass-command-line-application-lp040011
- API documentation
- Yes
- API documentation formats
-
- HTML
- Other
- API sandbox or test environment
- Yes
- Customisation available
- No
Scaling
- Independence of resources
- GoTo leverages a multi-tenant architecture which is logically separated at the database level based on the organization’s GoTo account. Only authenticated parties are granted access. Solution is built with full redundancy of our data centers, reducing the risk of downtime and single-point-of-failure.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
LastPass Enterprise offers extensive reporting to help you safeguard your organization’s data and build compliance. Available in the Admin Console, the Reports feature offers admins an audit trail that can also be exported to be shared with key stakeholders as needed.
https://support.logmeininc.com/lastpass/help/generate-enterprise-reports-lp010040
You can run a security audit on your own account or your users' accounts.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Other
- Other data at rest protection approach
- The LastPass browser extension or mobile application utilizes PBKDF2 with SHA-256 to derive a unique encryption key from the user's master password. This encryption key remains on the user's device and is used to encrypt vault data with the AES-256 algorithm. On Windows devices, Windows CryptoAPIs are used to add an extra layer of protection. The encrypted vault is transmitted over TLS to LastPass, and stored server-side in this encrypted state. This locally encrypted vault is cached on the user's device, enabling offline access if needed. Other user information (e.g. phone number for SMS account recovery) is encrypted server-side using an HSM.
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
-
You can export your LastPass Vault data (including passwords, secure notes, form fills, Wi-Fi passwords, etc.) as a CSV or XML file, then print your data if you'd like to keep a copy for your own records. If you have set up Vault identities, you can export data for all or individual identities.
Even if LastPass has been uninstalled from your computer, a locally cached and encrypted copy of your data is stored by default when you use the LastPass web browser extension and/or mobile apps, as long as your LastPass cache hasn't been cleared since your last login session.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- Through our API
- .XML
- Data import formats
-
- CSV
- Other
- Other data import formats
-
- XML files
- https://support.logmeininc.com/lastpass/help/import-passwords-from-other-sources-lp040003
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- Other
- Other protection between networks
-
LastPass encrypts user data with the trusted algorithm Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with a 256-bit key generated from each user’s master password.
LastPass supports up to TLS 1.2 (or above, if supported by the customer) for secure data transfer even though the vast majority of user data is already encrypted with AES-256. This protocol protects the data from any party listening in to the network traffic.
TLS ensures that the user is connecting directly to LastPass to protect against man-in-the-middle attacks.
https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
-
LastPass encrypts user data with the trusted algorithm Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with a 256-bit key generated from each user’s master password.
LastPass uses TLS 1.2 exclusively for secure data transfer even though the vast majority of user data is already encrypted with AES-256. This protocol protects the data from any party listening in to the network traffic.
TLS ensures that the user is connecting directly to LastPass to protect against man-in-the-middle attacks.
https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf
Availability and resilience
- Guaranteed availability
- GoTo strives for high redundancy and availability of our services and infrastructure. Publicly available status updates are available at: https://status.lastpass.com/. Service Level Agreements are mutually agreed upon and covered in the Terms of Service and/or written agreement for the GoTo services with our customers.
- Approach to resilience
-
Based on data residency preference, LastPass operates in fully redundant, active-passive datacenters in the United States or Europe, or in world-class cloud hosting provider data centers in Australia or Singapore. LastPass Password Manager and LastPass SSO functionalities are separated in distinct data centers. Each datacenter is capable of handling all user traffic.
All user data is stored in a redundant manner with automatic disaster recovery and failover using multiple datacenters.
LastPass backs up Customer Content within the same datacenter in 24-hour and seven-day intervals. In addition, a corresponding back-up is made in a geographically distant datacenter every seven days and is retained for four weeks.
To ensure the safety of your data the LastPass SSO database leverages 7-day point-in-time restore (PITR) capability. Additionally, Long-Term Retention (LTR) backup will keep the first backup of a week for four weeks and the first backup of each month for three months as an additional safety feature.
If enabled, a secure, encrypted, local copy of a user’s vault is stored automatically when a user connects to LastPass via a browser extension or mobile application. This cached version is designed to allow the user offline access to their data and vault when no internet connection is available.
- Outage reporting
- A public dashboard is available at the status page. Status updates can be provided via phone, e-mail, RSS Feed, etc. through the Trust Center webpage.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
- Other
- Other user authentication
-
User name and password in combination with 2-factor authentication options:
LastPass Authenticator
Google Authenticator
Microsoft Authenticator
Toopher Authentication (no longer available for new users)
Duo Security Authentication
Transakt Authentication
Grid Multifactor Authentication
YubiKey Multifactor Authentication
Fingerprint Authentication
Smart Card Authentication
Sesame Multifactor Authentication
RSA SecurID Multifactor Authentication
Symantec VIP
SecureAuth Authentication
https://support.logmeininc.com/lastpass#Supported
Identity federation with AD FS
https://support.logmeininc.com/lastpass/help/federated-login-experience-for-lastpass-enterprise-users-lp010056
- Access restrictions in management interfaces and support channels
- Logical Access Control procedures are in place, designed to prevent or mitigate the threat of unauthorized application access and data loss in corporate and production environments. Employees are granted minimum (or "least privilege") access to specified LastPass systems, applications, networks and devices as needed. Further, user privileges are segregated based on functional role and environment. Users shall only be provided with access to the network and services that they have been specifically authorized to use.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- No audit information available
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
-
- AICPA SOC2 Type II
- BSI C5
- SOC 3
- EU-U.S. and Swiss Privacy Shield Certified
- TRUSTe Verified Privacy
- APEC CBPR and PRP Certification
- In the process of being ISO 27001:2013 certified
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
-
SOC2 Type II, SOC 3
BSI C5
EU-U.S. and Swiss Privacy Shield Certified
TRUSTe Verified Privacy
APEC CBPR and PRP Certification
LastPass is in the process of being ISO certified this year (2022). For additional certifications, please visit the Product Resources page of our Trust & Privacy Center at www.goto.com/trust
- Information security policies and processes
-
An Information Security Policy has been established at GoTo and assists in defining the role of technology and management at our organization. It is aligned to ISO27001:2013.
At least annually, applicable policies are reviewed by management to ensure that any procedures or standards are updated in accordance with contractual and legal commitments and company requirements/standards. In order to ensure the confidentiality, integrity, and availability of GoTo Information and IT systems we do not send customers these documents.
Security Policies are relayed to employees at the time of hire and available in the Employee Handbook. They are also communicated to all Global Employees on a regular basis. Additionally, they are hosted on our internal site. GoTo employees and temporary workers are informed on a continuous basis, as determined by the company, about security and privacy guidelines, procedures, policies and standards through various mediums of communication such as awareness campaigns, new hire on-boarding kits, webinars with the CISO, annual policy compliance, security training targeting specific roles (such as software developers), security champion programs, as well as visual media campaigns.
Please reference our Trust Center for further details: https://www.goto.com/company/trust
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- A Change Management Policy has been developed in accordance with relevant commitments and requirements detailing the procedures for infrastructure and development changes, including design, implementation, configuration, testing, modification, and maintenance of systems. Further, processes and procedures are in place in order to verify that changes have been authorized, approved and tested before being applied to a production environment. Policies are in place to provide guidance for the management, modification, and implementation of system changes to infrastructure and supporting applications.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Internal and external system and network vulnerability scanning is conducted quarterly. Dynamic and static application vulnerability testing, as well as penetration testing activities for targeted environments, are also performed periodically. These scanning and testing results are reported into network monitoring tools and, where appropriate and predicated on the criticality of any identified vulnerabilities, remediation action is taken. Vulnerabilities are also communicated and managed with monthly and quarterly reports provided to the relevant development teams, as well as management.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
GoTo collects identified anomalous or suspicious traffic into relevant security logs in applicable production systems. They are received/reviewed by our NOC team, who respond immediately.
GoTo incorporates vulnerability management and intrusion detection programs into its production and corporate IT environments, as well as perimeter devices designed to protect the network from external attacks. GoTo regularly reviews relevant risks that may threaten the achievement of service commitments and updates to existing control activities and infosec policies are performed as deemed needed. The system is architected to be able to identify, respond to and recover from potential availability events or security incidents.
- Incident management type
- Supplier-defined controls
- Incident management approach
-
Our SOC is responsible for detecting and responding to security events using security sensors and analysis systems to identify potential issues.
The Incident Response Plan has been developed to include appropriate security incident response process and is aligned with GoTo's communication and information security incident management policies and procedures. It is designed to manage, identify, and resolve relevant suspected, and/or identified security events across its systems and Services. Personnel are in place to identify, document, escalate, and triage potential information security-related events and vulnerabilities, based on criticality, as well as escalate relevant events to management, where appropriate.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
At GoTo, we are fully committed to maintaining carbon neutrality and building sustainable practices for both our offices as well as the thousands of home offices our employees work out of as a part of our remote-centric organization. GoTo's Corporate Social Responsibility program, GoTo Gives, unlocks its people, products, and culture to create long-term, sustainable social and environmental impact that positively affects change in the world. To lessen our overall impact on the environment, we’re engaging boldly in sustainability activities that include:
• We procure 100% renewable electricity for our global operations by purchasing Green-e certified renewable energy credits (RECs) to match our global electricity usage
• We contract with data centers that are powered by renewable energy, have high energy efficiency standards, and have an A rating by Greenpeace
• Responsibly managing and disposing of our electronic waste and using our recycling credits to support organizations partnered with GoTo Gives
• Creating office environments that promote conservation through water efficiency, source reduction, recycling, composting and the use of sustainable products
• Engaging in sustainable procurement practices when possible
• Fostering employee awareness and active participation in sustainability efforts through communications, campaigns and best practices
Our portfolio of products, solutions and services also help our users reduce their own environmental impact by enabling them to work and collaborate from anywhere and engage with each other and the world around them to drive meaningful insights, deeper relationships and better outcomes for all. To learn more, visit https://www.goto.com/company/corporate-responsibility
For our Social & Environmental Responsibility Principles, please log on to https://www.goto.com/-/media/pdfs/legal/finalgotosocialandenvironmentalresponsibilityprinciples12522pdf.pdf
- Tackling economic inequality
-
Further details can be found at: https://www.goto.com/company/corporate-responsibility
- Equal opportunity
-
Culture is both the foundation and glue of GoTo that holds the company together across teams, geographies and timezones. Just as GoTo works to deliver connectivity and collaboration for our customers, we apply that same focus internally, emphasizing the importance of human connection and meaningful relationships to ensure all feel engaged, valued and motivated. It's our mission to create a workforce where everyone feels empowered to bring their full selves to work. We know that when our employees are thriving, they’re doing the best work of their lives and we recognize that thought leadership, community building, knowledge sharing, and personal development are key aspects to building an inclusive workforce.
Our Employee Resource Groups (ERGs), a cornerstone of our employee engagement programs, seek to bring increased focus to the importance of growing our diversity and inclusion initiatives, fostering an inclusive work environment and community service to all employees. Employee run ERGs at GoTo include a women’s leadership group; a group for the LGBTQ+ community and their allies; a group for Black Employees and friends, whose mission is to promote diversity, celebrate our intersecting identities, and bring to life the vision of inclusive excellence; an ERG for employees of Pan-Asian and/or Pacific Islander descent and friends, whose mission is to embrace our cultural differences and foster an environment of education, humanitarianism, and empowerment; a quarterly book club, gardening club, photography club, run club, and more. Through the GoTo Corporate Social Responsibility program, Mission Possible, employees are given 16 hours a year to volunteer within our local communities.
From fostering an energetic atmosphere, to providing professionally challenging opportunities and stimulating day-to-day experiences, GoTo has focused on building an exceptional culture and work environment to ensure employees have everything they need to thrive, both on the clock and off.
- Wellbeing
-
Faced with the ongoing and dynamic global pandemic, GoTo has doubled-down on employee health and safety. Our workforce is now remote-centric, so we have reimagined our support in this area. Thrive, GoTo’s corporate wellness program, emphasizes the mental and physical well-being of employees, providing support and building resilience during these challenging times. Our monthly Self Care Days allow employees the opportunity to recharge, spend time with family, or take up new hobbies. Giving back is a key ingredient to employee wellbeing. GoTo Gives is the vehicle through which we fulfill our mission to create a more sustainable world by connecting the next generation workforce to the power of possibilities. Our three impact areas are: Education & Youth, Environmental Stewardship, and Community Action. Through financial support and direct service, GoTo employees lead with purpose. For this, employees are given 16 hours a year to volunteer within our local communities.
Pricing
- Price
- £42.84 a licence a year
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
-
Free features:
Secure password vault
Access on all devices
One-to-one sharing
Save and fill passwords
Password generator
Secure notes
Security challenge
Multi-factor authentication
LastPass Authenticator
30 Day Free Trial
- Link to free trial
- https://www.lastpass.com/password-manager