Introducing SMS Recovery to Secure Your Account

One of the perks of LastPass is that you remember just one password, your master password. And to protect your account, you know the master password needs to be long, and strong, and unique. But what if your master password is so good that you forget it? Today we’re introducing a new way to protected your master password reset process: SMS recovery. This allows you to activate the secure, local-only account recovery process by using a code that is texted to you. Once the code is used to activate the local recovery data that LastPass stores via your browser, you can securely reset your master password.

Why SMS recovery?

Until now, we have facilitated master password recovery by sending a unique recovery link to your account email address (or security email address, if you enabled one in your account settings). Clicking the recovery link activates a locally-stored One Time Password (OTP). OTPs are bits of data that are automatically generated and stored by the LastPass browser extension, and is stored locally until you go through the recovery process. When starting the recovery process, the OTP is utilized to verify that you should be given access to your account, before allowing you to reset your master password. A different OTP is stored for every browser on any computer where you use the LastPass extension, though this can be disabled in your extension preferences. With SMS recovery, you will simply enter the code texted to you to activate the locally-stored One Time Password in your browser. The same OTP technology is used to verify you and allow the master password to be reset, but you’re replacing the email step with entering a verification code instead. Now, you can choose the recovery option that best suits your needs and security preferences. There are a few reasons why we recommend turning on SMS recovery:

• You store the password for your email address in LastPass. If your email password is also stored in LastPass, and you forget your master password, this will ensure that you aren’t also locked out of your email account and unable to complete the account recovery process.
• You’re concerned about unauthorized access to your vault. Should someone have access to a computer where you've used LastPass, and they also manage to compromise your email account, they could potentially try to use the LastPass email recovery feature to gain access to your vault. We recommend SMS recovery for those who are concerned about this potential risk.

The phone number is only used by LastPass to text you when you need to activate account recovery. If you do not want to enable SMS account recovery, we strongly recommend turning on two-factor authentication for your email account, and committing your email password to memory.

Adding or updating your mobile number for SMS recovery

If you’re ready to add a phone number for SMS recovery, follow these steps:

1. Sign in to LastPass via the browser extension or www.LastPass.com.
2. Open your LastPass Vault.
3. Launch the Account Settings.
4. Scroll down to "SMS Account Recovery".
5. Select the option to add a phone number.
6. Save your changes with the "Update" button.

Resetting your password with SMS recovery

If you forget your master password, activating SMS account recovery is simple.

1. Click “forgot password” on the LastPass login dialog.
2. Select “Account Recovery”.
3. Enter your account email address.
4. Check your phone for the SMS / text message with the verification code.
5. Enter the code on the webpage.
6. Create your new master password.

No version update is required to use SMS recovery, so you can login today to set it up for your account! We have more great security and feature enhancements on the way, so stay tuned.