What you need to know
- LastPass users have been locked out of their vaults after an authenticator app reset.
- The reset was designed to implement planned security upgrades.
- LastPass has highlighted the reset process in a support document.
- Locked-out users can't raise tickets to the company's support team since they need access to their accounts first.
Several LastPass users have taken to social media platforms to express their frustrations over the inability to access their login credentials and usernames. The issue dates back to as early as May this year when users were requested to reset the application, as highlighted by BleepingComputer.
As part of our planned security upgrades, users may need to log back into LastPass and reset their multifactor authentication preference in the next 24 hours: https://t.co/zysFzYrL8HMay 8, 2023
LastPass indicated that the prompt to reset multifactor authentication (MFA) apps like the Microsoft Authenticator was in place to implement planned security upgrades scheduled for May 9. The company added that the upgrade was designed to "increase the password iterations and force a re-sync of all users' MFA."
While speaking to BleepingComputer about the said change, LastPass indicated:
Following the 2022 incidents, we sent email and in-product communications to our customer base recommending that they reset their MFA secrets with their preferred Authenticator App as a precautionary measure. This recommendation was also included in the Security Bulletins that we sent to our B2C and B2B customers in early March and a second email communication in early April.
LastPass spokesperson
After the change was implemented, several users indicated they could not access their vaults and had been locked out of their accounts. An aggrieved user indicated they couldn't receive verification emails, often used to gain access to LastPass vaults. The user also indicated that it was impossible for them to raise a ticket raising the issue to the support team since they needed to have access first.
A large number of us are unable to get back into our values after this change as we don't receive the verification emails necessary to regain access. We can't log support tickets without logging in. Community posts are unanswered. Is anyone going to help us?May 10, 2023
As highlighted by affected users, attempts to access LastPass have rendered their efforts futile. Instead, they keep on getting a prompt to reset their MFA authenticator.
The forced re-sync of MFA is now preventing me from logging in because LastPass won't recognise the new MFA code. I've tried DM'ing but message won't send. What is going on? Clearly this is impacting a lot of users.June 21, 2023
Over at LastPass' community forums, the issue seems more widespread. For instance, in the thread, a concerned user has highlighted an instance where they were able to use their master password and even update their MFA, but still, they were still denied access.
On June 27, 2023, LastPass shared a support document on its website under the FAQs section. It's designed to help users navigate the reset process and highlight its importance. The company further highlighted that it had sent in-app messages to its users "several weeks" before implementing the change. As such, if you don't use the app and have also unsubscribed from emails, you might have missed the notification highlighting the change.
Consequently, failure to follow the reset process, as highlighted in the support document, could be the main reason why most users can't access their information via the app.
The company spokesman cited that despite lobbying early campaigns highlighting this change, many users still haven't made the reset. To this end, it's unclear what extra steps LastPass will take to remedy this situation. However, in an advisory, the company indicated that:
"You must log in to the LastPass website in your browser and re-enroll your MFA application before you can access LastPass on your mobile device again. You cannot re-enroll using the LastPass browser extension or the LastPass Password Manager app."
