New in Security: Expiring Trusted Devices after 30 Days

If you’ve been using two-factor authentication with LastPass (and if you haven’t, then you really should!), you may have used the option to “trust” your device. Trusting a device tells LastPass to remember that computer, phone, or tablet. The next time you log in to LastPass on that device, you’ll skip the two-factor authentication step. Your account itself is still protected by two-factor authentication, but you get the added convenience of skipping the second login step on the trusted device.

Now, trusted devices will expire after 30 days to add more security to your LastPass account.

Here’s what you need to know:

  • If you are currently using two-factor authentication with LastPass and have marked a device as trusted, you will see the prompt to re-enter your two-factor authentication within the next 30 days.
  • Regardless of whether or not you have been actively using the device you marked as trusted, you will be asked to enter your two-factor authentication information every 30 days.
  • You can re-trust the device at that time if you prefer.
  • The change applies to both desktop and mobile devices.
  • Currently, there is no way to adjust the new security requirement of re-prompting for trusted devices every 30 days.
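To make the rule above concrete, here is an added illustration (not LastPass’s own code) of absolute trusted-device expiry: the 30-day clock runs from the moment the device was marked trusted, not from its last use, and a flag modelling the later opt-out setting simply disables the check. Device ids, function names and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative model, not LastPass code: trust lasts 30 days from the moment
# the device was marked trusted, no matter how often it is used.
TRUST_LIFETIME = timedelta(days=30)


@dataclass
class TrustedDevice:
    device_id: str
    trusted_at: datetime  # when the user last chose "trust this device"
    last_seen: datetime   # updated on every login; deliberately NOT used for expiry


def needs_second_factor(device, now, skip_expiration=False):
    """True if the user must re-enter the second factor on this device.
    Expiry is absolute (now - trusted_at), not sliding (now - last_seen), so a
    forgotten, lost or lent device stops being trusted after 30 days even if
    it logs in daily. skip_expiration models the later opt-out setting."""
    if skip_expiration:
        return False
    return now - device.trusted_at >= TRUST_LIFETIME


def record_login(device, now, second_factor_passed):
    """Passing the second factor again re-trusts the device and restarts the
    30-day clock; a plain login only updates last_seen, which extends nothing."""
    device.last_seen = now
    if second_factor_passed:
        device.trusted_at = now


def demo():
    """Constructed timeline for one trusted laptop (sample dates, not real data)."""
    t0 = datetime(2015, 11, 1, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    laptop = TrustedDevice("laptop-01", trusted_at=t0, last_seen=t0)
    record_login(laptop, day(29), second_factor_passed=False)  # used, no 2FA
    results = {
        "day29": needs_second_factor(laptop, day(29)),          # False
        "day31": needs_second_factor(laptop, day(31)),          # True
        "day31_optout": needs_second_factor(laptop, day(31), skip_expiration=True),
    }
    record_login(laptop, day(31), second_factor_passed=True)   # user re-trusts
    results["day45"] = needs_second_factor(laptop, day(45))    # False again
    return results
```

Note that the login on day 29 updates last_seen but not trusted_at, which is exactly why the prompt still appears on day 31.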

Why expire the “trusted” status?

We often discuss how important it is to use two-factor authentication with your LastPass account. Two-factor authentication helps protect you from unauthorized access to your LastPass vault. Once you turn it on you’re required to enter something you have (such as a code from an app or a YubiKey) or something you are (such as your fingerprint) before you can access your account.

Should someone theoretically steal your master password, they still can’t access your account without the two-factor authentication code. Here at LastPass we support more two-factor authentication options than any other password manager, so you’ll be able to find an option that fits with your devices and workflow.

Marking a device as “trusted” is certainly convenient, since it allows you to bypass the two-factor authentication step on specific, trusted devices while maintaining the security benefits of having it turned on. But what if you forget that you marked a device as trusted, and you lose that device, or it’s stolen, or you let someone borrow it? Now the fact that the device is “trusted” may leave your LastPass account open to tampering.

By expiring the trusted device every 30 days, we can help you confirm every so often that you do indeed want to continue trusting that device.

How to remove trusted devices

If you ever need to do some housekeeping on the devices you have trusted, here’s how you can review the devices you marked as trusted and remove those you no longer want to have as trusted:

  1. Log in to LastPass.
  2. Open your LastPass vault.
  3. Launch “Account Settings”.
  4. To review Desktop devices, click the “Trusted Devices” tab.
  5. To review Mobile devices, click the “Mobile Devices” tab.
  6. Review the devices that you have listed.
  7. Use the “x” option to remove any devices you no longer want trusted.

Update 12/16/2015

Prefer not to use this security setting? You can now turn it off in your LastPass Vault by launching your Account Settings, selecting the “Show Advanced” option, and checking the “Skip 30 day expiration for trusted clients” setting.

67 Comments

  • Mike says:

    Does this mean that I must re-trust my mobile device every 30 days? Specifically, if I’m away from my PC & need to use Lastpass, could it challenge me while I have no way to approve, thereby leaving Lastpass on my mobile device rendered useless until I get to a PC?

  • B says:

    I would love to use two-factor authentication with LastPass.
    However, I can’t find a way to do it using a land line phone instead of a cell phone!
    Hopefully, you could provide a how to do it link.
    Thanks

  • Steve says:

    This is why I’m going to dump your service after using it for three years (as a paying customer). I truly hate timing out my trusted devices after 30 days. If it was at least configurable, but it’s not. This, and the fact that your timed logout function still doesn’t work correctly after years of customer complaints. I truly hate it when I start a brand new browser session, go to a website and have the browser enter my password without asking for authentication. It would be great if you fixed basic functionality before putting onerous new requirements on your broken product.

  • Christopher says:

    Good idea, but I don’t think this should have been implemented before they have developed the capability to disable the feature. This is certainly a breaking change for some personal security policies. The way I see it, LastPass now has less than 30 days to implement the feature :)

  • Tom says:

    It would be very helpful to display a “last accessed” date on the Trusted and Mobile devices list. I have no idea which is my current device. I would prefer to have items never expire, but have a last accessed date so I can manually manage … then as part of my periodic security check, you could include “Trusted/Mobile devices not reviewed in the past 30 days” or similar.

  • Andrew S says:

    I agree with everyone who is disappointed by how quickly things changed after LogMeIn came to town. Forcing changes on people that they don’t like / want, with no way to opt out. If you were really the same team, this wouldn’t have been a forced change. You guys have kept saying that things will be the same… what a load of poo. Things have already started changing! Bye bye LastPass!

    • Amber Gott says:

      Hi Andrew, as we’ve noted in the comments, we do plan to make this optional. This in no way reflects a change in policy – we have *always* focused on security first and doing what we believe is best to protect our users. We of course value feedback from users and will continue to improve the service.

    • MvdL says:

      I personally support this change. Why would having to trust a device once every 30 days be such a big deal? It is a good reminder and a good practice in security.

      Also to sit there and make this change in policy, for a service that constantly changes to meet today’s security needs, with Lastpass joining Logmein an excuse to leave is pretty much unwarranted.

      • efincoop says:

        I agree and also support this change. While it may prove a minor inconvenience it prevents a laissez-faire approach to security.