May 31, 2013

What To Do If You Use Multifactor Authentication and Lose Your Device or Phone

Our pick for this week's question for the LastPass team:

If I use multifactor (or "two factor") authentication, what happens if I lose my device or phone? - Jim T.

We strongly encourage the use of multifactor authentication with your LastPass account. To recap, multifactor authentication means that a user must enter two forms of data before being allowed access to an account. In the case of LastPass, you enter your email address and master password, then you're required to enter the code, one-time password, or other data for the multifactor authentication method you have selected. See our recent blog post for more information.

Once you've enabled multifactor authentication, if you lose your device or phone that you use as your multifactor authentication method, there are steps you can take to regain access to your LastPass vault.

Use the Disable Option

The next time you log in to LastPass you'll be prompted to supply your multifactor authentication information, but you can click the option to "disable" the multifactor authentication.

Launch the Disable Link

An email will then be sent to your account email address. When you log in to your email, you can launch the link sent to you by LastPass and complete the disabling of your multifactor authentication.

Enable a Security Email Address for Added Protection

If you use your account email address as your primary email address, you may consider enabling a "security email address" with your LastPass account. The "security email address" is another email that you designate in your LastPass settings (from your vault, click the "Settings" menu, then "Security" tab). This email address would be used to receive other notifications besides your multifactor authentication disable email, including your:
  • Password hint email
  • Account recovery email
  • History removal verification email
  • Reverting Master Password change verification email
  • Abuse / Blacklisted IP notifications

This email should therefore be held to much higher security standards than your usual email account. By enabling a security email address, your notifications for the above list will only be sent to your security email address rather than the email address tied to your LastPass account. Having a separate security email address is optional, but may provide an additional solution for those requiring a high level of security.

Note that once you enable multifactor authentication, it also becomes more important to memorize your email password. If you need to disable your multifactor authentication, you will need access to your account email address or security email address.

Have a question for the LastPass team? Let us know in comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a T-shirt!

3 comments:

  1. When will you guys allow me to restrict access to mobile devices when I'm using google authenticator for mobile? It's not like lastpass is the gateway to authenticator.

  2. So, I actually need to remember my LastPass master password and my email password, if I want to use multifactor authentication - which removes the ability to have a 32 digit random string for my email password and somewhat undermines the 'last pass' marketing.
