ZDNET’s key takeaways:
- The LastPass plug-in can now prevent access to unapproved SaaS apps.
- Feature extends plug-in’s monitoring of SaaS access attempts.
- Passkey authentication coming by month’s end — not yet supported.
Earlier this year, LastPass announced it was adding the ability for administrators of its password management solution to monitor employee usage of SaaS or web-based applications. Today at the Black Hat security conference in Las Vegas, the company announced it has extended those monitoring capabilities so administrators can set policies that warn or obstruct users during attempts to authenticate with unapproved SaaS applications.
The new SaaS Identity and Access Management (SaaS IAM) capabilities will be available by the end of the month to customers of LastPass’s Business Max tier (currently $9 per user per month) at no additional cost. The Business Max tier already includes the monitoring capabilities.
According to LastPass chief product officer Don MacLennan, the new SaaS app access management capability makes it possible for LastPass administrators to allow, warn, or block users from accessing certain SaaS apps. Accurate detections of SaaS app access attempts are based on the presence of the LastPass password management browser plug-in, regardless of which web browser the end user is using.
Also: The best password generators of 2025: Expert tested
Password management plug-ins (from LastPass as well as other password management solution providers) are typically afforded some of the most far-reaching permissions once they’re installed in a browser. They can not only inspect the content of any web page that users visit in their browsers; plug-ins can also alter the appearance of web pages and essentially take over the entire user experience.
MacLennan told ZDNET that when users need to be warned or blocked from using a SaaS app, the plug-in can present a customizable modal dialog that offers the user more details about the status of their attempt. Today that dialog can be programmed with basic text (web links need to be rendered as regular URLs), but the company might consider HTML formatting options in the future.
“It’s a 1.0 version of a set of capabilities that will deepen over time,” MacLennan told ZDNET, responding to a question about the possibility of using whitelists to allow application access.
Today, the LastPass “SaaS Protect” solution keeps track of the apps it discovers as employees attempt to authenticate with those apps, and administrators can set a policy moving forward to allow, warn, or block during future attempts on a per-employee basis. Moving forward, MacLennan anticipates that the articulation of policies by work group based on the organization’s usage of directory services such as Microsoft Entra ID, Okta, Google Workspace, and others will be possible.
“In time, we’ll have more capabilities,” MacLennan told ZDNET. “Administrators will be able to refine the criteria that defines what’s allowed. Maybe one group in the company should be allowed to login to a SaaS app, but not another. We’ll keep refining the precision by which these block and allow policies manifest.”
Also: How passkeys work: Your passwordless journey begins here
It’s important to note that the SaaS Protect feature triggers off an end user’s authentication attempt, and not just an attempt to access a particular website. LastPass’s plug-in currently monitors four types of authentication: single sign-on (SSO), “Vaulted,” “Non-Vaulted,” and passkey-based authentications.
While passkey-based authentications can be detected (for example, if the end user authenticates with a passkey that’s managed by the browser), the LastPass plug-in itself doesn’t yet support passkey-based authentication. That capability is currently in beta and expected to launch by the end of the month.
A vaulted authentication happens when the user attempts to authenticate with credentials that are kept in LastPass’s secure credential container — referred to as a “vault.” A non-vaulted authentication happens when the user authenticates to some website using credentials that aren’t managed with the LastPass password manager plug-in.
Also: How to sync passkeys in Chrome across your Android, iPhone, Mac, or PC (and why you should)
Since the LastPass browser plug-in has all-seeing, all-knowing knowledge of the sites that a user is logging into, it also knows when the credentials are coming from its vault and when they’re not.
But MacLennan also noted the need for organizations to practice airtight device management. For example, users should not be able to install their own choice of browser in a way that could avoid the watchful eye of LastPass’s password management plug-in.
Stay ahead of security news with Tech Today, delivered to your inbox every morning.
