If you’ve been using two-factor authentication with LastPass (and if you haven’t, then you really should!), you may have used the option to “trust” your device. Trusting a device tells LastPass to remember that computer, phone, or tablet. Next time you login to LastPass on that device, you’ll skip the two-factor authentication step. Your account itself is still protected by the two-factor authentication, but you get the added convenience of skipping the second login step on the trusted device.
Now, trusted devices will expire after 30 days to add more security to your LastPass account.
Here’s what you need to know:
- If you are currently using two-factor authentication with LastPass and have marked a device as trusted, you will see the prompt to re-enter your two-factor authentication within the next 30 days.
- Regardless of whether or not you have been actively using the device you marked as trusted, you will be asked to enter your two-factor authentication information every 30 days.
- You can re-trust the device at that time if you prefer.
- The change applies to both desktop and mobile devices.
- Currently, there is no way to adjust the new security requirement of re-prompting for trusted devices every 30 days.
Why expire the “trusted” status?
We often discuss how important it is to use two-factor authentication with your LastPass account. Two-factor authentication helps protect you from unauthorized access to your LastPass vault. Once you turn it on you’re required to enter something you have (such as a code from an app or a YubiKey) or something you are (such as your fingerprint) before you can access your account.
Should someone theoretically steal your master password, they still can’t access your account without the two-factor authentication code. Here at LastPass we support more two-factor authentication options than any other password manager, so you’ll be able to find an option that fits with your devices and workflow.
Marking a device as “trusted” is certainly convenient, since it allows you to bypass the two-factor authentication step on specific, trusted devices while maintaining the security benefits of having it turned on. But what if you forget that you marked a device as trusted, and you lose that device, or it’s stolen, or you let someone borrow it? Now the fact that the device is “trusted” may leave your LastPass account open to tampering.
By expiring the trusted device every 30 days, we can help you confirm every so often that you do indeed want to continue trusting that device.
How to remove trusted devices
If you ever need to do some housekeeping on the devices you have trusted, here’s how you can review the devices you marked as trusted and remove those you no longer want to have as trusted:
- Login to LastPass.
- Open your LastPass vault.
- Launch “Account Settings”.
- To review Desktop devices, click the “Trusted Devices” tab.
- To review Mobile devices, click the “Mobile Devices” tab.
- Review the devices that you have listed.
- Use the “x” option to remove any devices you no longer want trusted.
Prefer not to use this security setting? You can now turn it off in your LastPass Vault by launching your Account Settings, selecting the “Show Advanced” option, and checking the “Skip 30 day expiration for trusted clients” setting.