Introducing SMS Recovery to Secure Your Account

October 23, 2015 · Product Updates · 58 Comments

One of the perks of LastPass is that you remember just one password, your master password. And to protect your account, you know the master password needs to be long, and strong, and unique. But what if your master password is so good that you forget it?

Today we’re introducing a new way to protect your master password reset process: SMS recovery. It lets you activate the secure, local-only account recovery process with a code that is texted to you. Once the code has activated the local recovery data that LastPass stores in your browser, you can securely reset your master password.

Why SMS recovery?

Until now, we have facilitated master password recovery by sending a unique recovery link to your account email address (or to your security email address, if you enabled one in your account settings). Clicking the recovery link activates a locally-stored One Time Password (OTP). OTPs are bits of data that the LastPass browser extension automatically generates and stores locally until you go through the recovery process. When you start the recovery process, the OTP is used to verify that you should be given access to your account before you are allowed to reset your master password. A different OTP is stored for every browser on every computer where you use the LastPass extension, though this can be disabled in your extension preferences.

With SMS recovery, you will simply enter the code texted to you to activate the locally-stored One Time Password in your browser. The same OTP technology is used to verify you and allow the master password to be reset, but you’re replacing the email step with entering a verification code instead.
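To make the two-part design concrete, here is an added example (not LastPass code, and not a description of how LastPass implements recovery internally): a small Python model in which the server keeps only a hash of each enrolled browser's OTP plus a short-lived, single-use SMS code, and recovery succeeds only when both verify. The class names, the six-digit code, the ten-minute lifetime, the five-attempt limit and the sample account details are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SMS_CODE_TTL_SECONDS = 600  # assumed lifetime of a texted code
MAX_CODE_ATTEMPTS = 5       # assumed number of wrong codes before the code is voided


class RecoveryServer:
    """Server side of the model: knows each account's phone and a hash of each
    enrolled browser's OTP, but never holds the OTP itself."""

    def __init__(self, clock):
        self.clock = clock        # callable returning the current time (seconds)
        self.phones = {}          # email -> phone number
        self.otp_hashes = {}      # (email, device_id) -> sha256(otp) hex digest
        self.pending = {}         # email -> [code, expires_at, wrong_attempts]

    def enroll_phone(self, email, phone):
        self.phones[email] = phone

    def register_device_otp(self, email, device_id, otp):
        self.otp_hashes[(email, device_id)] = hashlib.sha256(otp).hexdigest()

    def request_sms_code(self, email):
        """Mint a short-lived, single-use code; returns (phone, code) for the SMS
        gateway. The code goes to the phone, never back to the web page."""
        if email not in self.phones:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = [code, self.clock() + SMS_CODE_TTL_SECONDS, 0]
        return self.phones[email], code

    def recover(self, email, device_id, sms_code, local_otp):
        """Succeeds only if the texted code AND the browser's local OTP verify."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        code, expires_at, wrong = entry
        if self.clock() > expires_at or wrong >= MAX_CODE_ATTEMPTS:
            del self.pending[email]
            return False
        if not hmac.compare_digest(code, sms_code):
            entry[2] += 1                # count the miss toward the limit
            return False
        del self.pending[email]          # a matched code is single-use
        expected = self.otp_hashes.get((email, device_id))
        if expected is None or local_otp is None:
            return False                 # this browser never held an OTP here
        presented = hashlib.sha256(local_otp).hexdigest()
        return hmac.compare_digest(expected, presented)


class BrowserExtension:
    """One extension install on one device; the OTP lives only here."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.local_otp = None

    def sign_in(self, server, email):
        # A normal sign-in mints a fresh OTP and registers only its hash.
        self.local_otp = secrets.token_bytes(32)
        server.register_device_otp(email, self.device_id, self.local_otp)

    def attempt_recovery(self, server, email, sms_code):
        return server.recover(email, self.device_id, sms_code, self.local_otp)


def run_scenarios():
    """Constructed scenarios mirroring the post; returns name -> recovered?"""
    now = [1_700_000_000.0]                      # fake clock we can advance
    server = RecoveryServer(clock=lambda: now[0])
    email = "user@example.test"                  # constructed account
    server.enroll_phone(email, "+15555550100")   # constructed phone number
    laptop = BrowserExtension("laptop-browser")
    laptop.sign_in(server, email)
    results = {}

    # 1. Owner recovers on the browser where LastPass was used: both factors.
    _, code = server.request_sms_code(email)
    results["enrolled_browser_with_code"] = laptop.attempt_recovery(server, email, code)
    # 2. The same code presented again: single-use, so it is rejected.
    results["replayed_code"] = laptop.attempt_recovery(server, email, code)
    # 3. Valid code (phone in hand) but a browser with no local OTP: rejected.
    _, code = server.request_sms_code(email)
    other = BrowserExtension("unenrolled-browser")
    results["code_without_local_otp"] = other.attempt_recovery(server, email, code)
    # 4. Enrolled browser but a wrong code: rejected, and the miss is counted.
    _, code = server.request_sms_code(email)
    wrong = "000000" if code != "000000" else "111111"
    results["enrolled_browser_wrong_code"] = laptop.attempt_recovery(server, email, wrong)
    results["wrong_attempts_recorded"] = server.pending[email][2] == 1
    # 5. Right code and right browser, but after the code's lifetime: rejected.
    now[0] += SMS_CODE_TTL_SECONDS + 1
    results["expired_code"] = laptop.attempt_recovery(server, email, code)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Running `run_scenarios()` shows the property the post relies on: a texted code on its own (scenario 3) opens nothing, because the server only ever sees a hash of the OTP and the OTP itself exists only in a browser where the account was previously used; the single-use and expiry checks keep a code that has been seen once from being reused.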

Now, you can choose the recovery option that best suits your needs and security preferences.

There are a few reasons why we recommend turning on SMS recovery:

  • You store the password for your email address in LastPass. If your email password is also stored in LastPass, and you forget your master password, this will ensure that you aren’t also locked out of your email account and unable to complete the account recovery process.
  • You’re concerned about unauthorized access to your vault. Should someone have access to a computer where you’ve used LastPass, and they also manage to compromise your email account, they could potentially try to use the LastPass email recovery feature to gain access to your vault. We recommend SMS recovery for those who are concerned about this potential risk.

The phone number is only used by LastPass to text you when you need to activate account recovery.

If you do not want to enable SMS account recovery, we strongly recommend turning on two-factor authentication for your email account, and committing your email password to memory.

Adding or updating your mobile number for SMS recovery

[Image: SMSrecovery]

If you’re ready to add a phone number for SMS recovery, follow these steps:

  1. Sign in to LastPass via the browser extension or www.LastPass.com.
  2. Open your LastPass Vault.
  3. Launch the Account Settings.
  4. Scroll down to “SMS Account Recovery”.
  5. Select the option to add a phone number.
  6. Save your changes with the “Update” button.

Resetting your password with SMS recovery

[Image: lp-recover]

If you forget your master password, activating SMS account recovery is simple.

  1. Click “forgot password” on the LastPass login dialog.
  2. Select “Account Recovery”.
  3. Enter your account email address.
  4. Check your phone for the SMS / text message with the verification code.
  5. Enter the code on the webpage.
  6. Create your new master password.

No version update is required to use SMS recovery, so you can log in today and set it up for your account! We have more great security and feature enhancements on the way, so stay tuned.

58 Comments

  • Pankaj Kumar says:

    It is not working for me with +91 India. Can you help me with that?

  • Marko says:

    What happens if I set up SMS recovery, then someone steals my mobile phone and he also knows my email address? Does it mean that he gets access to my LastPass account?

    • Jason says:

      I’m guessing yes. It seems like this feature (as well as email recovery) introduces a big security hole. Maybe that’s not the right way to put it, but I’m opting out. And I wish LastPass would stop asking me to enter a recovery phone number.

    • Amber Gott says:

      No. First, account recovery must be done on a desktop or laptop browser where you have previously used your LastPass account. Having the SMS code is not enough to do account recovery. Even if the person figured out your email, went to LastPass.com, requested forgot password, and saw the SMS code, recovery would fail because they would not have the computer where you used LastPass. This account recovery method cannot be done from the phone. The SMS recovery adds another layer of protection to doing account recovery on your desktop or laptop. Note we also recommend turning on two-factor authentication for your LastPass account for added protection.

  • Robert Hoey says:

    Thanks! The old recovery set-up relied on knowing my email password independent of LastPass. (doubtful). Now I only have to hang on to my phone.

  • Tester says:

    Lastpass, whenever you introduce a facility like this, please add a “send test recovery message” button beside it.
    Being able to specify a recovery email, or a recovery phone number, will be worthless if a mistake has been made in entering the data and this is not discovered until the user really needs to use the facility.
    The “test this” on recovery emails was only introduced after a suggestion by me, but it seems that LastPass has zero corporate memory of these ideas. This is simply good error-minimising engineering. Users should not have to tell LastPass the correct techniques to use to keep customers safe and minimise mistakes.

    Thank you

    • Mr S says:

      I’m not sure if it was a glitch when you tried, but when I just added this to my account there IS a test code to validate the number, which must be sent via SMS and then entered into the confirmation page.

  • Hung says:

    Not working for me +84 Vietnam. Please fix it. Thanks