Following a series of planned security upgrades, thousands of LastPass users have been locked out of their accounts since May after the service required them to reset their authenticator apps.
As reported by BleepingComputer, the company announced earlier this year that users of its password manager would need to re-login to their accounts and reset their multifactor authentication (MFA) preference.
While this sounded simple enough on paper, many LastPass users have since been locked out of their accounts and unable to access their LastPass vaults as a result. This occurred even after they successfully reset LastPass Authenticator, Microsoft Authenticator, Google Authenticator or whatever MFA application they chose to use with the password manager.
To make matters worse, LastPass customers who have been locked out of their accounts can’t turn to the company for assistance, as you need to be logged into your LastPass account to contact its support team.
Even though this change came as a surprise for many LastPass users, the company says that these required MFA resets were announced through its app for “several weeks” before the initial announcement.
Well-intentioned security upgrades
Although LastPass users may be frustrated they can no longer access their vaults and the credentials stored inside them, the company went on to explain in several advisories that the change was done in an effort to increase password iterations to the new default of 600,000 rounds.
For instance, in a support bulletin, LastPass explained that the service now uses “a stronger-than-typical version of the Password-Based Key Derivation Function (PBKDF2)” to further increase the security of users’ master passwords.
This “password-strengthening algorithm” also makes it more difficult for an attacker on a compromised computer to test whether any one candidate password is a user’s correct master password during a cyberattack. In other words, LastPass’ MFA resync was carried out to increase the password iterations for each customer and thereby strengthen the encryption of their vaults.
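To make the iteration-count point concrete, here is an added example (not code from the article or from LastPass) of PBKDF2-HMAC-SHA256 stretching a master password into a vault key at the 600,000 rounds named above, checking a candidate password against that key in constant time, and measuring how the per-guess cost scales with the round count. The e-mail address, master password, the use of the e-mail as salt and the lower comparison count of 100,000 are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration; none of this is real
# LastPass account data, and using the e-mail as the salt is an assumption.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
NEW_ITERATIONS = 600_000   # the new default named in the article
OLD_ITERATIONS = 100_000   # a lower count, chosen here only for comparison
KEY_LEN = 32               # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch the master password into a vault key.

    Salting with a per-account value keeps identical passwords from yielding
    identical keys; the iteration count sets the cost of every derivation,
    for the legitimate client and for anyone guessing offline alike.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def check_master_password(candidate: str, email: str, iterations: int,
                          expected_key: bytes) -> bool:
    """Derive a key from the candidate and compare it in constant time."""
    derived = derive_vault_key(candidate, email, iterations)
    return hmac.compare_digest(derived, expected_key)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation at this round count."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def cost_increase_factor(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the round count, so raising the default
    from old to new multiplies the cost of each password check by this ratio."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, NEW_ITERATIONS)
    print("vault key:", key.hex())
    print("correct password accepted:",
          check_master_password(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, NEW_ITERATIONS, key))
    print("wrong password rejected:",
          not check_master_password("hunter2", SAMPLE_EMAIL, NEW_ITERATIONS, key))
    for rounds in (OLD_ITERATIONS, NEW_ITERATIONS):
        print(f"{rounds:>7} rounds: {seconds_per_guess(rounds) * 1000:.1f} ms per derivation")
    print("cost multiplier from the higher default:",
          f"{cost_increase_factor(OLD_ITERATIONS, NEW_ITERATIONS):.1f}x")
```

Because the key is derived on the client from the master password, a change to the round count can only take effect the next time the password is typed in, which is why an upgrade like this requires a fresh login rather than being applied silently on the server.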
Improvements that keep your passwords safer are always a welcome addition to the best password managers, but if these upgrades prevent you from logging back into your account and make it near impossible to access your credentials, it’s easy to see why affected LastPass customers are upset with the change, even though it was designed to make the platform more secure.
What to do if you’ve been locked out of your LastPass account
If you’ve been locked out of your LastPass account as a result of this change, the company has provided a step-by-step guide in a detailed support document.
The guide explains the detailed procedure required to reset the pairing between LastPass and your preferred authenticator app. Once this is done, you’ll need to verify your location the next time you log in to a website or an app using the service. From there, you will also need to enter your credentials again and authenticate using your authenticator app.
As an additional security measure, LastPass users will then be asked to verify their location one more time when they log in to a website or app using the service again. Likewise, users will also be required to re-enter their login credentials and authenticate themselves once more using their preferred authenticator app.
If you’re wondering why LastPass has implemented all of these new security upgrades, it’s due to a security breach in December of last year in which hackers managed to steal a large amount of partially encrypted customer information and password vault data. That breach was itself the result of an earlier breach that took place in August 2022.
Since password managers hold all kinds of credentials, secrets and other sensitive information, they are unfortunately likely to remain a prime target for hackers. Fortunately, LastPass and other password management companies have already implemented, or are working on implementing, passkey support to make their services even more secure.