Sep 4, 2013

Using Google Authenticator on iOS? Avoid Lockout with These Steps

An update for Google Authenticator was released today that wiped stored tokens tied to online accounts. Google Authenticator users then ran into issues logging in to their sites and services since the token was no longer recognized.

Google pulled the app from the Apple App Store, and to the best of our knowledge the bug only affected the iOS app. Google has indicated they are working on another update with a fix for the bug.

In the meantime, LastPass users who did update may run into authentication issues with their LastPass account.

If you updated the app and are still logged into LastPass on one of your desktop browsers, go to the LastPass Icon and launch your LastPass Vault. Then open the Settings menu on the left, select the Multifactor Options tab, and toggle to Google Authenticator. Click the option to display the QR code, and scan the QR code again, then click 'update' to save your changes.

If you updated the app and are not currently logged into LastPass on your desktop browsers, you'll need to initiate the disabling process when you next log in. On the Google Authenticator prompt, select the "disable" option, and an email will be sent to either your LastPass account email address or to the security email address you set up with your account. From the email you can click the "disable" link, and you will not see the Google Authenticator prompt when you return to LastPass to log in. You can then launch your Vault, click the Settings menu, go to the Multifactor Options tab and toggle to Google Authenticator, then scan the QR code and re-enable Google Authenticator.

For any LastPass users who run into trouble, please reach out to our support team directly here: https://lastpass.com/supportticket.php and we will investigate with you.

10 comments:

  1. Thanks for posting, Google Auth made me crazy today. :(
    Furthermore, this accident raises my concerns about the multifactor authentication methods developed by 3rd parties, even the most trusted ones like Google...

  2. Thankfully I was not in WiFi or cell range at work this morning so I missed this update from Google. Would one time passwords from LastPass enable you to get around this problem until you could fix it in LastPass and Google Authenticator?

    Replies
    1. Not sure, but if you have backup codes from Google Authenticator then it should work.

  3. Doesn't the ability to disable it so easily make it less secure?

  4. Doesn't the ability to disable it so easily make it less secure?

    Replies
    1. We recommend utilizing the "security email address" feature, in the LastPass Icon > My LastPass Vault > Settings > Security tab. The idea is security by obscurity, with an email account that is only used for disabling multifactor.

  5. So if someone has gained access to email and LastPass pw, you're basically pwned because the two-factor auth can be turned off via a link in an email? I understand the convenience, but this seems trivial security-wise. Why not just have an option to send a text of the code as a backup?

  6. Trivial security. If someone gained access to your LastPass password, AND your email password, you don't really know how to use two-factor authentication and it should be turned off. What about LastPass password and phone? Would you really want a text to reset the authenticator?

  7. Trivial security. If someone gained access to your LastPass password, AND your email password, you don't really know how to use two-factor authentication and it should be turned off. What about LastPass password and phone? Would you really want a text to reset the authenticator?

  8. Unless your backup email account requires a password only stored in your LastPass account, and you are logged out of both of them. Yup, keep those backup codes handy...
