
LastPass Business Review 2026: Is It Still the Right Choice for UK Teams?

LastPass has been a fixture in the business password management market for well over a decade. It is the tool many UK teams reached for first, often because someone in IT already used the free tier personally and pushed it upwards into the organisation. That familiarity counts for something. But after the 2022 security breach — one of the most publicised incidents in the password manager space — plenty of IT managers are asking whether LastPass still deserves a place in a professional environment. This review answers that question directly, based on hands-on use of the Business tier and a clear-eyed look at what the breach actually meant for real-world customers.

Teams vs Business: Which Tier Do You Actually Need?

LastPass offers two main commercial tiers: Teams and Business. The naming is slightly misleading because both are aimed at organisations, but the capabilities diverge significantly once you move past basic vault management.

LastPass Teams is priced at approximately £3.50 per user per month (billed annually) and is designed for smaller organisations — typically up to 50 users. You get shared folders, the admin console, MFA options, and the core password vault. What you do not get is SAML-based SSO, advanced directory integration, or the full policy engine. For a five-person consultancy or a small retail operation with a shared set of supplier logins, Teams is perfectly sufficient and avoids paying for features you will never configure.

LastPass Business sits at approximately £6.00 per user per month (billed annually) and is where the product earns its enterprise credentials. The headline additions are SAML SSO for cloud applications, Active Directory and LDAP sync, advanced multi-factor policies, detailed reporting, and a significantly expanded policy library. Importantly, Business tier also includes three SSO app integrations in the base price, with additional apps available as an add-on. If your organisation has more than around 25 users, uses Azure AD or Okta, or needs to demonstrate access controls for a compliance framework such as ISO 27001, Business is the tier to budget for.

There is also a Business + Advanced SSO add-on that unlocks unlimited SSO app integrations, and a Business + Advanced MFA add-on that brings in contextual authentication policies and offline MFA for workstations. Both are worth considering for organisations in regulated sectors.

The Admin Console: What You Can Actually Do With It

The LastPass admin console is accessed via a separate web portal from the standard vault. This separation is sensible from a security architecture standpoint — admin credentials and end-user credentials live in different contexts. The interface is clean, if occasionally dense, and most of the important functions are accessible within two or three clicks.

User Management

Provisioning is handled either manually (invite by email), via CSV import, or, on Business tier, through Active Directory sync using the LastPass AD Connector, or via SCIM provisioning with identity providers including Azure AD (now Microsoft Entra ID), Okta, and OneLogin. For most UK businesses already running Microsoft 365 with Entra ID, the SCIM integration is the right approach. Users are created, updated, and deprovisioned automatically when you manage them in Entra ID, which removes the risk of orphaned accounts lingering after an employee leaves. Test the deprovisioning path end to end after setup rather than assuming it: disable a directory account and confirm it shows as deactivated in LastPass within the sync interval, and remove a user from a synced group and confirm they drop out of the shared folders that group is assigned to.

The user list view shows each account’s MFA status, last login date, vault security score, and whether they have accepted their invitation. This last point matters more than it sounds — a common audit finding is users who were invited to a password manager but never actually activated their account, leaving shared credentials in an unmanaged state.

Offboarding deserves a specific mention. When you deactivate a user, LastPass gives you the option to transfer their vault items to another admin before removing access. This is genuinely useful for small teams where a departing employee may have been the only person with certain credentials stored privately rather than in a shared folder.
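The audit the three paragraphs above describe is worth scripting rather than eyeballing in the console. The following is an added example (my code, not LastPass's; the column names in the constructed CSV are assumptions modelled on what the admin console user view displays, not an actual export format, and the directory list is likewise constructed). It flags users who were invited but never activated, users without MFA, stale logins and low security scores, and reconciles the enrolled list against the directory in both directions so that orphans and un-enrolled staff both surface.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample modelled on the admin console user view (column names are assumptions)
LASTPASS_USERS_CSV = """email,invite_accepted,mfa_enabled,last_login,security_score
alice@example.co.uk,yes,yes,2026-01-14,81
bob@example.co.uk,no,no,,0
carol@example.co.uk,yes,no,2025-09-02,64
dave@example.co.uk,yes,yes,2026-01-20,90
"""

# Constructed set of enabled accounts from the directory (Entra ID), treated as the source of truth
DIRECTORY_ENABLED = {
    "alice@example.co.uk",
    "bob@example.co.uk",
    "carol@example.co.uk",
    "erin@example.co.uk",
}


def audit(csv_text: str, directory: set, today_iso: str, stale_days: int = 90, min_score: int = 70):
    """Return sorted (email, finding) pairs for everything an auditor would ask about."""
    today = date.fromisoformat(today_iso)
    findings = []
    enrolled = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        enrolled.add(email)
        activated = row["invite_accepted"].lower() == "yes"
        if not activated:
            # Invited but never activated: their shared credentials are effectively unmanaged
            findings.append((email, "invited but never activated"))
        if row["mfa_enabled"].lower() != "yes":
            findings.append((email, "no MFA"))
        if row["last_login"]:
            if today - date.fromisoformat(row["last_login"]) > timedelta(days=stale_days):
                findings.append((email, f"no login in {stale_days} days"))
        # A score of 0 on an un-activated account is noise; only judge activated users
        if activated and int(row["security_score"]) < min_score:
            findings.append((email, f"security score below {min_score}"))
        if email not in directory:
            # Enrolled in LastPass but not an enabled directory account: an orphan
            findings.append((email, "not an enabled directory account (orphan)"))
    for email in sorted(directory - enrolled):
        findings.append((email, "in directory but not enrolled"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in audit(LASTPASS_USERS_CSV, DIRECTORY_ENABLED, "2026-02-01"):
        print(f"{email:24} {finding}")
```

Run it against a real export and a directory dump (for example the output of `Get-MgUser -Filter "accountEnabled eq true"`) and the two-way reconciliation is the part that usually produces the surprise: the console shows you who is enrolled, but not who should be and is not.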

Shared Folders

Shared folders are the primary mechanism for distributing credentials across a team. You can create folders by department, function, or project, and assign users or groups to each with either read-only or full (edit and administer) permissions. Separately from the read-only flag, you can hide passwords for a folder member, so that they can autofill a login without the password being displayed in the vault. Treat that as a convenience control rather than a security boundary: to autofill, the extension has to decrypt the password and place it in the web page, where anyone in control of that browser can read it straight out of the form field. Hiding passwords is fine for reducing casual exposure to a contractor; it is not a way to share a credential you could not afford that person to learn.

Folder management becomes cleaner on Business tier because you can assign Groups rather than individual users. Groups can be synchronised from your directory, which means folder membership tracks your org chart automatically. This is one of those features that sounds minor but saves a meaningful amount of administrative overhead in organisations with any level of staff turnover.

Security Dashboard

The security dashboard aggregates individual vault security scores across your organisation. You can see the percentage of weak passwords, reused passwords, old passwords, and accounts with no MFA enabled, broken down by user. The dashboard does not tell you which specific passwords are weak — that detail remains inside the individual’s encrypted vault — but it surfaces enough to prioritise remediation conversations.

There is also a Dark Web Monitoring section that alerts on email addresses associated with known breach data. For Business tier, this monitoring applies to all enrolled email addresses in the organisation, not just the admin account.

Policy Engine

The policy library is where LastPass Business justifies its price premium over Teams. Policies govern everything from password complexity requirements to session timeout rules, permitted countries for login, master password iteration count, and whether users are permitted to disable MFA on trusted devices. You apply policies at the group level, which means you can enforce stricter controls on your finance team than on your marketing team if the risk profile warrants it.

Notable policies for compliance-focused organisations include the ability to require MFA for every login regardless of device trust, disable password export, restrict mobile app access, and enforce re-authentication after a defined idle period. None of these are exotic requirements — they appear regularly in Cyber Essentials Plus assessments and ISO 27001 audits — and having them available in a GUI without writing custom scripts is a genuine advantage.

SSO and MFA: The Security Layer That Actually Matters

SAML SSO

LastPass Business supports SAML 2.0-based SSO, which allows users to authenticate to supported cloud applications — Microsoft 365, Salesforce, Slack, and dozens of others — using their LastPass identity as the identity provider, or by federating with an upstream IdP such as Azure AD. In practice, most UK businesses will use Azure AD as the primary IdP and connect LastPass as a downstream service, so that your existing Entra ID identity governance applies to LastPass access.

The SSO integration catalogue covers the applications most common in UK SMB environments. The configuration process is documented and straightforward for standard apps, though you will want someone with basic SAML knowledge available for custom integrations — it is not a zero-configuration experience.

Multi-Factor Authentication Options

LastPass supports a broad range of MFA methods, which is one of its genuine strengths relative to some competitors. The options available on Business tier include:

  • LastPass Authenticator — the native TOTP and push-approval app, available for iOS and Android
  • Microsoft Authenticator — integrates directly, useful for organisations already running Microsoft MFA for 365
  • Duo Security — a popular enterprise choice that supports push, SMS, phone call, and hardware token methods via the Duo platform
  • YubiKey hardware keys — support for YubiKey OTP is built in; for FIDO2/WebAuthn support you need the Advanced MFA add-on
  • Google Authenticator and other TOTP-compatible apps
  • Grid authentication and Sesame (USB-based) for legacy use cases

The YubiKey hardware token integration is worth highlighting for high-risk roles such as finance, HR, or executive users, who are common targets for credential theft. Be precise about what it buys you, though. YubiKey OTP is a one-time code that the key types into a form, and like any one-time code it can be captured by a fake login page and relayed to the real one within its validity window. Phishing resistance comes from FIDO2/WebAuthn, where the browser binds the signed assertion to the origin it was produced on, so a credential cannot be replayed from a look-alike domain. If phishing of high-value users is the threat you are buying hardware keys for, budget for the tier that gives you WebAuthn rather than OTP. LastPass's YubiKey OTP support is well-established and works reliably in testing.
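To show why the OTP and WebAuthn cases differ, here is an added example (my own model, not LastPass or Yubico code; the domains, secrets and challenge are constructed, and an HMAC stands in for the authenticator's ECDSA signature so it runs with the standard library alone). It plays the same real-time relay attack against both: a victim on a look-alike page hands over a one-time code, which the attacker forwards to the real site inside the validity window, and then a WebAuthn assertion produced on that look-alike page, which the real site rejects because the browser wrote the page's origin and rpId hash into the signed data.

```python
import hashlib
import hmac
import json
import struct

# Hypothetical domains for the example, not real LastPass hosts
RP_ID = "vault.example"          # the genuine relying party
PHISH = "vault-login.example"    # the attacker's look-alike site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP. A YubiKey OTP has a different format but the same property
    that matters here: it is valid wherever it is presented within its window."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_relay_attack(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to
    the real site a few seconds later. True means the real site accepted it."""
    code_typed_on_phish_page = totp(secret, now)
    return hmac.compare_digest(code_typed_on_phish_page, totp(secret, now + relay_delay))


def webauthn_assertion(cred_key: bytes, challenge: str, page_domain: str):
    """What browser plus authenticator return for a WebAuthn login. The browser,
    not the page's JavaScript, fills in the origin and the rpId hash, so a phishing
    page cannot claim to be the real origin. HMAC stands in for ECDSA."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": f"https://{page_domain}"}).encode()
    rp_id_hash = hashlib.sha256(page_domain.encode()).digest()
    auth_data = rp_id_hash + bytes([0x01]) + (0).to_bytes(4, "big")  # flags=UP, signCount=0
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """The relying party's checks from the WebAuthn spec: type, challenge, origin,
    rpIdHash, then the signature over authenticatorData || sha256(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != f"https://{RP_ID}":
        return False  # produced on another origin: relayed from a phishing page
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), signature)


def webauthn_relay_attack(cred_key: bytes, challenge: str) -> bool:
    """Same relay, but the assertion was produced on the look-alike page."""
    return rp_verify(cred_key, challenge, *webauthn_assertion(cred_key, challenge, PHISH))


def webauthn_genuine_login(cred_key: bytes, challenge: str) -> bool:
    return rp_verify(cred_key, challenge, *webauthn_assertion(cred_key, challenge, RP_ID))


if __name__ == "__main__":
    otp_secret = b"constructed-shared-secret"
    cred = b"constructed-credential-private-key"
    challenge = "c3RhdGljLWNoYWxsZW5nZQ"  # constructed; real RPs issue a fresh random one per login
    print("OTP relayed by phisher accepted:      ", otp_relay_attack(otp_secret, 1_700_000_010))
    print("WebAuthn relayed by phisher accepted: ", webauthn_relay_attack(cred, challenge))
    print("WebAuthn genuine login accepted:      ", webauthn_genuine_login(cred, challenge))
```

In a real browser the attack fails one step earlier: a credential registered for `vault.example` is not even offered on `vault-login.example`, because the rpId must be a registrable suffix of the page's domain. The model above lets the assertion be produced anyway so that the relying-party checks that catch it are visible.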

MFA policy enforcement — requiring specific methods, setting trusted device windows, mandating re-authentication — is managed through the policy engine described above. The combination of granular policy control and broad MFA compatibility is one of the areas where LastPass competes effectively with more expensive enterprise tools.

Password Sharing and Emergency Access

For business use, shared folders are the recommended mechanism for credential sharing rather than individual one-to-one sharing. This keeps access auditable and manageable at scale. However, LastPass does retain individual password sharing for situations where you need to pass a credential to a specific person without adding them to a full shared folder.

When sharing individually, you can choose whether the recipient can see the password or only use it for autofill (with the same caveat as hidden passwords in shared folders: this limits what is displayed, not what the browser receives). Share expiry is not a native feature for individual shares, so if you share a credential with a contractor, you need to remember to revoke it manually when the engagement ends. Shared folders handle this more gracefully via group membership.

Emergency Access is a consumer-tier feature that allows a designated contact to request access to your vault after a waiting period if you are incapacitated. This feature is not available on Business tier, which is a reasonable design choice — the equivalent in a business context is handled through admin vault transfer on offboarding and through documented break-glass procedures rather than personal emergency contacts.

The 2022 Breach: An Honest Assessment

LastPass suffered a significant security incident in August 2022, with further details emerging through November and December of the same year. This needs to be addressed directly because it is the most important factor in any honest evaluation of the product.

What was taken: Attackers accessed a cloud storage backup that contained encrypted vault data for LastPass customers. This means encrypted copies of stored usernames, passwords, secure notes, and form-fill data were exfiltrated. Alongside the encrypted vault data, unencrypted metadata was also taken — this included website URLs, the names of vault items, the user’s email address, and billing information. The encryption keys for the vault contents themselves were not stored by LastPass and were not taken, because LastPass operates a zero-knowledge architecture where the master password never leaves the user’s device.

What was not taken: The master passwords that would be needed to decrypt vault contents. LastPass does not have these and they were not in the stolen backup.

What this means in practice: the attacker holds an encrypted copy and attacks it offline, so nothing the service does at login time, MFA included, slows them down. The only things standing between them and the contents are the strength of the master password and the PBKDF2 iteration count the vault key was derived with. If your master password was strong (long, unique, not reused anywhere) your vault contents remain encrypted and practically inaccessible even with the stolen backup. The real risk applied to users with weak or reused master passwords, and the unencrypted URL metadata makes that worse twice over: it lets the attacker pick out which vaults are worth the cracking effort (anyone whose item names point at a bank or a cryptocurrency exchange), and once a vault opens it tells them exactly where to go.

What LastPass changed: Following the breach, LastPass raised the default PBKDF2 iteration count for master password hashing to 600,000. The pre-breach default was 100,100, and a long tail of older accounts that had never been migrated were still at 5,000 or even lower, which is where much of the real exposure sat. The higher count multiplies the cost of every guess in an offline attack. Two caveats matter for customers. First, the count is stored per account, so verify in the admin console that every user is actually at 600,000 rather than assuming the policy change propagated. Second, the stolen backup was derived at whatever count applied to each account in 2022; raising it now protects vault data going forward but does nothing to the copy the attacker already holds, which is why credentials that sat in a vault under a weak master password should be rotated rather than merely re-hashed. LastPass also improved their secrets management infrastructure, separated development and production environments more rigorously, and published a more detailed post-incident disclosure than many organisations in comparable situations.
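To make the iteration-count arithmetic concrete, here is an added example (my code, not LastPass's; the key-derivation layout is modelled on LastPass's public description, and the email salt, wordlist, vault check value and throughput figure are all constructed assumptions). It derives a vault key the way a client would, runs the offline guessing attack an attacker with the backup would run, and shows both that login-time MFA never enters the picture and that raising the iteration count afterwards changes the key for new data but not the cost of cracking the copy already taken.

```python
import hashlib
import hmac

# Constructed wordlist standing in for a cracking dictionary
WORDLIST = ["password", "Welcome1", "Summer2022!"]


def derive_keys(master_password: str, email: str, iterations: int):
    """Modelled on LastPass's published derivation (an assumption, not their code):
    vault key = PBKDF2-HMAC-SHA256(master password, salt = lowercased email, iterations);
    login hash = one further PBKDF2 round keyed on the vault key, salted with the password.
    Only the login hash goes to the server; the vault key and password stay on the client."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), iterations, 32)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1, 32)
    return vault_key, login_hash


def vault_check_value(vault_key: bytes) -> bytes:
    """Stand-in for 'try to decrypt a known vault item': any recognisable structure
    in the encrypted blob lets an attacker tell a right guess from a wrong one."""
    return hmac.new(vault_key, b"known-vault-item-structure", hashlib.sha256).digest()


def crack(stolen_check: bytes, email: str, iterations: int, candidates):
    """Offline attack on a stolen blob. The attacker never contacts the server,
    so MFA, lockouts and login alerts play no part. Returns (password or None, attempts)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        vault_key, _ = derive_keys(guess, email, iterations)
        if hmac.compare_digest(vault_check_value(vault_key), stolen_check):
            return guess, attempts
    return None, attempts


def expected_crack_seconds(iterations: int, entropy_bits: float, pbkdf2_iters_per_second: float) -> float:
    """Expected brute-force time: half the keyspace, each guess paying the full iteration loop.
    pbkdf2_iters_per_second is whatever you measure on the attacker's hardware."""
    return (2 ** (entropy_bits - 1)) * iterations / pbkdf2_iters_per_second


if __name__ == "__main__":
    email = "finance@example.co.uk"  # constructed
    # A weak master password on a legacy account still at 5,000 iterations
    stolen_key, _ = derive_keys("Summer2022!", email, 5_000)
    stolen_check = vault_check_value(stolen_key)  # this is what sits in the exfiltrated backup
    print("recovered from the 5,000-iteration blob:", crack(stolen_check, email, 5_000, WORDLIST))

    # Raising the policy to 600,000 re-derives a different key for vault data written from now on...
    new_key, _ = derive_keys("Summer2022!", email, 600_000)
    print("new key differs from the stolen one:", new_key != stolen_key)
    # ...but the stolen copy is still protected only by the old key at the old cost.
    rate = 1e9  # assumed PBKDF2 iterations per second across a GPU rig, for illustration only
    for bits in (28, 60):
        old = expected_crack_seconds(5_000, bits, rate)
        new = expected_crack_seconds(600_000, bits, rate)
        print(f"{bits}-bit master password: {old:,.0f} s at 5,000 vs {new:,.0f} s at 600,000 (x{new / old:.0f})")
```

The 120x factor between the two counts is the whole of what the iteration change buys, and it is the same factor for every password; the other term, 2 to the power of the entropy, is what a master password policy controls, and it is the larger lever by far.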

Should UK businesses still trust LastPass? The considered verdict is yes, provided you enforce a strong master password policy, the higher iteration count, and MFA. The breach was serious and LastPass's initial communication was not as clear as it should have been. But the underlying zero-knowledge architecture behaved as designed: encrypted vaults remained encrypted. The lesson is not "stop using LastPass" but "use it correctly": enforce long, unique master passwords and the 600,000 iteration count through policy (these two are what protect a stolen copy of a vault), require MFA on every login (this protects the live account, not an exfiltrated backup), turn off trusted device exceptions for high-risk users, and rotate any credential that was stored in a vault under a weak master password at the time of the breach rather than assuming it is safe. Done this way, the residual risk from the 2022 incident is manageable. For comparison purposes, see how LastPass stacks up against its main alternative in our LastPass vs 1Password Business comparison.

It is also worth noting that no password manager, cloud service, or SaaS tool operates with zero breach risk. The relevant question is whether the vendor's architecture, response, and post-incident improvements give you sufficient confidence. For users with strong master passwords and modern iteration counts, LastPass's architecture held under real-world attack conditions. That is a meaningful data point, with the qualifier that it held only as well as each customer's master password did.

Pricing Summary (GBP, as of 2026)

  • Teams: approximately £3.50 per user per month (billed annually) — up to 50 users
  • Business: approximately £6.00 per user per month (billed annually) — unlimited users
  • Business + Advanced SSO: additional approximately £2.00 per user per month
  • Business + Advanced MFA: additional approximately £2.00 per user per month

Pricing is listed in USD on the LastPass website and converted at the prevailing rate. UK businesses purchasing via a reseller or through a Microsoft partner channel may see slightly different pricing. All tiers include a free trial period.

Who LastPass Business Is Right For

LastPass Business makes the most sense for organisations that already have it in use and are evaluating whether to standardise on it, or for teams that need a well-integrated, policy-driven password manager with strong MFA support and a straightforward admin experience. The Active Directory and Azure AD integration is mature and works reliably in Microsoft-first environments, which covers the majority of UK SMBs.

It is also a reasonable choice for organisations working towards Cyber Essentials Plus or ISO 27001 certification — the policy engine and audit logging give you the documentation evidence you need, and the MFA options cover the technical controls required. See our guide on password managers and ISO 27001 compliance for more detail on what auditors typically look for.

Where LastPass is less compelling is for organisations starting fresh with no existing investment in the platform and a strong preference to avoid any product with a breach history. In that scenario, 1Password Business is the most natural alternative — comparable features, stronger post-breach reputation. But for teams already using LastPass and managing it properly, switching has a meaningful cost and a limited security benefit if current best practices are in place.

Where It Falls Short

The mobile experience, while functional, lags behind the browser extension in terms of reliability and autofill accuracy — a common complaint and one that has not been fully resolved despite several major app updates. The SSO application catalogue, while broad, requires the paid add-on to go beyond three integrations, which feels like a feature that should be included in the Business base price. Customer support response times for non-enterprise accounts can also be slow.

The breach, and specifically LastPass’s delayed and initially vague disclosure, damaged trust with security-conscious buyers in a way that pricing changes or product updates cannot fully repair. That is a legitimate concern and worth weighing honestly.

Verdict

LastPass Business remains a solid, capable password manager for UK teams. The admin tooling is mature, the MFA options are genuinely comprehensive, and the Azure AD integration works well in practice. The 2022 breach is a real mark against the product — not because the architecture failed, but because it happened at all and because the communication around it was poor. The honest answer is that it should not disqualify LastPass from consideration, but it should make you more rigorous about enforcing MFA and strong master password policies than you might otherwise be.

For businesses already using LastPass and happy with it: stay, enforce MFA, and use the policy engine properly. For businesses choosing a password manager for the first time: LastPass is a credible choice, but look at all the leading options before committing. For businesses where reputational risk from a vendor breach is a board-level concern: 1Password is the more defensible choice on that specific dimension.
