
LastPass Update: Roadmap and Recent Developments, 2H 2025

Research By: Carlos Rivera, Info-Tech Research Group

LastPass has been busy adding new features and enhancing current ones. This note serves as a follow-up to our analyst briefing in October 2024 and the subsequent note from November 2024. Since then, LastPass has made notable progress in executing its roadmap, with a particular emphasis on enhancing password management capabilities, expanding into SaaS identity security, and refining user experiences across various customer segments. Through advisory discussions and other industry observations, I see growing demand for tools that address both traditional credential management and emerging risks like shadow IT. This note highlights key updates from our July briefing, focusing on new releases such as passkey advancements and SaaS Identity Security offerings, while also touching on other relevant initiatives.

LastPass has achieved several milestones since our last engagement, demonstrating a commitment to operational improvements and customer-focused product innovations. The company has transformed its development operations and security infrastructure, leading to enhanced efficiency and reliability. Customer and brand sentiment have also improved markedly, as evidenced by metrics shared that reflect greater trust and satisfaction. For instance, gross revenue retention has surpassed pre-2022 levels, indicating that customers are staying with the platform longer and deriving more value from it – good news and validation that the restructuring is working. This retention boost aligns with broader trends I see in client conversations, where organizations prioritize vendors that deliver consistent performance amid economic pressures.

A key indicator of these improvements is the high customer satisfaction (CSAT) score, now exceeding 80. This score represents a substantial uplift from prior benchmarks that stems from targeted investments in areas like onboarding, account recovery, and the overall admin and vault interfaces. In practical terms, these enhancements mean that new users can get up to speed faster, with fewer friction points that often lead to abandonment in password management tools. The onboarding process has been streamlined to guide users through initial setup more intuitively, while account recovery options have been expanded to include more secure and user-friendly methods. Similarly, the admin console and vault experience have been simplified, reducing the cognitive load on administrators who manage credentials for teams. These changes have directly contributed to a 40% reduction in time to first value, allowing organizations to realize benefits from the tool more quickly. From my advisory perspective, such metrics are critical because they correlate with long-term adoption rates, especially in environments where IT resources are typically stretched thin.

To contextualize the pace of innovation, LastPass shipped over 100 product releases in the last six months, marking a 33% increase compared to previous periods. This acceleration is attributed to optimized product and engineering processes, which have enabled faster iteration without compromising quality. Among these releases are major initiatives that build on the company’s core strengths while expanding its scope.

The following table summarizes the key initiatives launched in the past year:

| Initiative | Description |
| --- | --- |
| New Business Max SKU | Major new plan offering for business customers, which will include both SaaS Monitoring and SaaS Protect features (below), among others |
| SaaS Monitoring (GA) | SaaS monitoring tools officially launched (GA) |
| SaaS Protect (GA) | SaaS policy enforcement and credential hygiene (GA) |
| Strategic Alliances | Partnerships with Drata and Stellar Cyber announced |
| Increased Product Releases | Over 100 releases shipped, a 33% increase |

These initiatives underscore LastPass’s strategy to evolve from a pure password manager into a broader secure access vendor. The strategic alliances with Drata and Stellar Cyber are particularly significant in this regard. By partnering with Drata, a compliance automation platform, LastPass can integrate its credential management with tools that help organizations maintain regulatory adherence, such as SOC 2 or HIPAA. This integration allows for seamless data flows between systems, enabling automated audits of access controls. Similarly, the alliance with Stellar Cyber, an extended detection and response (XDR) provider, enhances threat detection by combining LastPass’s identity insights with network-level analytics. These partnerships extend the value of LastPass beyond standalone use, fitting into customers’ existing security ecosystems. Although specific technical details on integrations were not covered in depth during the briefing, the intent is clear: to provide comprehensive support for security and compliance needs. In my experience, such ecosystem plays are essential for reducing tool sprawl and improving operational efficiency.

One standout release is the new Business Max SKU, which represents the premium tier in LastPass’s revised pricing and packaging model. This model adopts a “good, better, best” structure to simplify decision-making for buyers, allowing organizations to select based on their size, industry, and requirements. Business Max is tailored for regulated small and midsized businesses (SMBs), including those in financial services and healthcare, as well as midsized commercial entities and lean IT teams needing advanced controls. It includes SaaS Monitoring as a core feature, alongside unlimited single sign-on (SSO) and advanced multifactor authentication (MFA). This SKU supports the company’s shift toward a platform-oriented approach, where customers can start with basic needs and scale by adding capabilities. The design encourages self-selection, which aligns with product-led growth principles and reduces sales friction. For organizations I frequently work with, this modularity is appealing because it accommodates growth without forcing overprovisioning upfront.

LastPass's Business Max model features three tiers: LastPass Teams, suited for very small businesses, teams, startups, and freelancers; LastPass Business, for small businesses, agencies, and commercial/enterprise business units; and LastPass Business Max, suited for small businesses in regulated industries, commercial/mid-sized businesses, and IT departments.

Source: LastPass, Analyst Briefing (2025)

Looking ahead, LastPass has outlined five pillars of focus that guide its roadmap. These include improving user experience through ongoing interface refinements, expanding into SaaS and identity security with features like enhanced monitoring and protection, supporting managed service providers (MSPs) via dedicated tools, accelerating product-led growth to drive organic adoption, and delivering on security investments, such as bolstering infrastructure resilience. These pillars reflect a holistic strategy that balances immediate customer needs with long-term innovation.

A notable update for MSPs is the redesigned admin console, which prioritizes simplicity and usability. That is always welcome, since it reduces manual error while improving efficiency. The console now features clearer billing breakdowns, intuitive navigation paths, and new executive summary reports that enable MSPs to showcase value to their clients effectively. By recognizing that MSPs juggle multiple tools, LastPass has aimed to make its platform the easiest to deploy, manage, and scale. Additional work on integrations with other MSP stack components further minimizes operational friction. In advisory discussions with MSP clients worldwide, I often hear about the challenges of fragmented tooling, so these enhancements position LastPass as a viable option in that space.

Customer and brand sentiment improvements tie directly into these efforts. Through focused work on onboarding, account recovery, and admin/vault simplification, LastPass has elevated its CSAT score above 80 and cut time to first value by 40%. These gains result from investments in product quality, strategic partnerships, and customer experience initiatives, fostering greater loyalty.

LastPass has improved account recovery, ensuring recovery codes remain active and prompting users at onboarding to generate a one-time password for recovery, resulting in an 8% increase in account recovery success rate and a 50% decrease in customer-reported support issues regarding account recovery.

Source: LastPass, Analyst Briefing (2025)

On the passkey front, LastPass’s enterprise strategy for passkeys and FIDO2 remains measured, prioritizing consumer use cases while monitoring industry standards for business applications. Adoption in enterprise settings has been slow due to gaps in features like employee provisioning, deprovisioning, revocation, and credential sharing. Internal FIDO2 community debates about B2B versus individual-centric models add complexity. As a FIDO2 alliance member, LastPass is tracking developments closely and plans to act as a fast follower once standards mature. Currently, support allows employees to use passkeys at work, but advanced enterprise features await further evolution. This cautious approach makes sense given the regulatory and operational hurdles I encounter, but I encourage organizations to forge ahead with defined and supported phishing-resistant MFA use cases.

Following the success of the B2C beta, Passkey GA will allow all LastPass customers, including business customers, to create, store, and manage passkeys via LastPass browser extensions and mobile apps.

Source: LastPass, Analyst Briefing (2025)

SaaS Monitoring, now generally available, addresses key pain points for IT teams grappling with shadow IT and AI-driven risks. Developed in response to rising security threats and costs from unsanctioned apps, it leverages the existing LastPass browser extension for agentless implementation, avoiding the need for new deployments. This setup provides visibility into app usage, helping organizations identify risky or redundant tools, optimize licenses, and enforce controls. Targeted at small businesses and mid-market firms with limited IT staff, it offers access reporting rather than full SaaS security posture management (SSPM) capabilities. Customer feedback seems positive for the extension-based model due to its low overhead, contrasting with the resistance often seen with desktop agents or mandated secure browsers.

SaaS Monitoring allows you to leverage the LastPass Browser Extension to discover and aggregate usage data from business applications employees are using, enabling you to uncover shadow SaaS and reduce risk and to optimize and control SaaS costs.

Source: LastPass, Analyst Briefing (2025)

SaaS Protect went live in summer 2025 and introduces usage rules that empower admins to set policies for individual apps: block, warn, or allow. These policies are configured in the admin console and enforced via the browser extension, displaying banners or modals to guide user behavior. Custom messaging can be tailored for warnings or blocks, promoting sanctioned apps while addressing compliance and cost issues. No extra software is needed, making activation straightforward.

The SaaS Monitoring alerts have been revamped with SaaS Protect, notifying admins of new app detections or insecure access. For example, weak and reused passwords will generate alerts, and alerts for breached and expired passwords and those without MFA will also be included before the end of 2025. This proactive system supports a hands-off management style, with notifications delivered outside the console for efficiency. The aim is to infuse intelligence into risk management, allowing admins to respond swiftly without constant oversight.

Enforcement of SaaS Protect policies relies on the browser extension as the key mechanism. Admins select policies per app, and the extension intervenes at access attempts, ensuring compliance without additional agents. Device management tools like Microsoft Intune handle extension deployment, with LastPass providing supporting documentation.

LastPass’s management philosophy emphasizes simplicity, acknowledging that admins often lack deep technical expertise and may hold roles like small business owners or executives. The platform avoids complex requirements, focusing on intuitive experiences for both admins and end users. Investments in mobile apps and vaults continue to modernize interactions. The main audience comprises SMBs and mid-market organizations, plus MSPs serving them, offering scalability as needs grow.

A forthcoming granular “allow” policy, planned for 2026 release, will require LastPass-stored passwords for sanctioned app access, enforcing hygiene standards. Future iterations may tie access to directory groups, enhancing control.

Regarding session recording, LastPass has researched it for privileged access management but lacks committed plans, starting instead with basic conditional access and gauging demand.

Single sign-on capabilities position LastPass as a service provider compatible with IdPs like Microsoft Entra, Okta, Ping, and others. It supports OIDC for authentication and provisioning, integrating with compliance policies to enforce device trust.

SCIM-based provisioning treats the primary directory as the source of truth, syncing user changes to LastPass via OIDC and SCIM. Deprovisioning occurs automatically upon directory removal, with options for bi-directional sync and Intune integration for added security.

Our Take

This analyst briefing underscores LastPass’s momentum in transitioning to a more comprehensive security provider, with SaaS Monitoring and Protect addressing critical visibility and control gaps. The passkey strategy, while deliberate, aligns with industry maturation, and overall metrics like high CSAT and retention signal restored confidence. These developments position LastPass well for SMBs and MSPs facing resource constraints.

In closing, organizations should consider LastPass for its ease of integration and focus on practical security enhancements. As standards evolve, its roadmap promises further value, making it a solid choice in crowded markets.

