New in Security: Expiring Trusted Devices after 30 Days

If you’ve been using two-factor authentication with LastPass (and if you haven’t, then you really should!), you may have used the option to “trust” your device. Trusting a device tells LastPass to remember that computer, phone, or tablet. The next time you log in to LastPass on that device, you’ll skip the two-factor authentication step. Your account itself is still protected by two-factor authentication, but you get the added convenience of skipping the second login step on the trusted device.

Now, trusted devices will expire after 30 days to add more security to your LastPass account.

Here’s what you need to know:

  • If you are currently using two-factor authentication with LastPass and have marked a device as trusted, you will see the prompt to re-enter your two-factor authentication within the next 30 days.
  • Regardless of whether or not you have been actively using the device you marked as trusted, you will be asked to enter your two-factor authentication information every 30 days.
  • You can re-trust the device at that time if you prefer.
  • The change applies to both desktop and mobile devices.
  • Currently, there is no way to adjust the new security requirement of re-prompting for trusted devices every 30 days.

Why expire the “trusted” status?

We often discuss how important it is to use two-factor authentication with your LastPass account. Two-factor authentication helps protect you from unauthorized access to your LastPass vault. Once you turn it on, you’re required to enter something you have (such as a code from an app or a YubiKey) or something you are (such as your fingerprint) before you can access your account.

Should someone theoretically steal your master password, they still can’t access your account without the two-factor authentication code. Here at LastPass we support more two-factor authentication options than any other password manager, so you’ll be able to find an option that fits with your devices and workflow.

Marking a device as “trusted” is certainly convenient, since it allows you to bypass the two-factor authentication step on specific, trusted devices while maintaining the security benefits of having it turned on. But what if you forget that you marked a device as trusted, and you lose that device, or it’s stolen, or you let someone borrow it? Now the fact that the device is “trusted” may leave your LastPass account open to tampering.

By expiring the trusted device every 30 days, we can help you confirm every so often that you do indeed want to continue trusting that device.

How to remove trusted devices

If you ever need to do some housekeeping on the devices you have trusted, here’s how you can review the devices you marked as trusted and remove any you no longer want trusted:

  1. Log in to LastPass.
  2. Open your LastPass vault.
  3. Launch “Account Settings”.
  4. To review Desktop devices, click the “Trusted Devices” tab.
  5. To review Mobile devices, click the “Mobile Devices” tab.
  6. Review the devices that you have listed.
  7. Use the “x” option to remove any devices you no longer want trusted.

Update 12/16/2015

Prefer not to use this security setting? You can now turn it off in your LastPass Vault by launching your Account Settings, selecting the “Show Advanced” option, and checking the “Skip 30 day expiration for trusted clients” setting.
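To make the policy above concrete, here is an added model (not LastPass code) of the trusted-device rule described in this post: trust lapses a fixed 30 days after the device was marked trusted regardless of activity, a device can be removed individually, and the account-level “Skip 30 day expiration” setting disables the lapse. The class and method names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

# Trust lifetime stated in the post: a fixed 30 days from the moment the
# device was marked trusted, not a sliding window refreshed by activity.
TRUST_LIFETIME = timedelta(days=30)


@dataclass
class TrustedDevice:
    device_id: str
    trusted_at: datetime  # when the user last chose to trust this device


@dataclass
class Account:
    # Account-level opt-out, mirroring the "Skip 30 day expiration for
    # trusted clients" advanced setting described in the update.
    skip_expiration: bool = False
    devices: Dict[str, TrustedDevice] = field(default_factory=dict)

    def trust(self, device_id: str, now: datetime) -> None:
        """Mark (or re-mark) a device as trusted, restarting its 30-day clock."""
        self.devices[device_id] = TrustedDevice(device_id, now)

    def remove(self, device_id: str) -> None:
        """Housekeeping: the "x" option in the Trusted/Mobile Devices tabs."""
        self.devices.pop(device_id, None)

    def second_factor_required(self, device_id: str, now: datetime) -> bool:
        """Decide whether a login from this device must present the second factor."""
        dev = self.devices.get(device_id)
        if dev is None:
            return True  # unknown or removed device: always prompt
        if self.skip_expiration:
            return False  # user opted out of expiry; trust never lapses
        # Deliberately no last-seen update here: using the device does not
        # extend trust, so the prompt recurs every 30 days regardless of use.
        return now - dev.trusted_at >= TRUST_LIFETIME

    def login(self, device_id: str, now: datetime, second_factor_ok: bool,
              re_trust: bool = False) -> bool:
        """Full login decision; returns True if the login is allowed."""
        if not self.second_factor_required(device_id, now):
            return True
        if not second_factor_ok:
            return False
        if re_trust:  # "You can re-trust the device at that time if you prefer."
            self.trust(device_id, now)
        return True
```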

67 Comments

  • Tom says:

    Make this optional on a per device basis. Then I can turn it off for desktops but leave it on for mobile devices.

  • Ulrich Pamp says:

    Please treat us as mature customers who make their own choices.

  • Roger says:

    This is unworkable for me. My second factor is on my mobile phone, but my wife will sometimes need access to my passwords at home while I am away. This will render her unable to access any of our shared accounts (including our bank!!) until I am able to rendezvous with her to provide the authenticator value from my phone.

    Literally, my only alternatives at this point are to stop using two-factor authentication (less secure), or stop using LastPass (a great product up until now, but what can I do?).

    • Tom says:

      You could set your wife up with a free account, then share the passwords with her.

    • Amber Gott says:

      Hi Roger, depending on the multifactor authentication option that you’re using, if your wife has a smartphone of her own you could also set it up on her phone. For example, with Google Authenticator you could download the Google Auth app to her phone, then in the LastPass settings you can use the same barcode to activate Google auth on her phone. Then you both will have the codes. Or, as Tom mentioned, you could set her up with her own account, and share the passwords that she needs access to – our Shared Family Folder is perfect for this. Please get in touch with our team if we can help with any of the above: https://lastpass.com/supportticket.php

  • Ricardo says:

    I don’t like this either. Please make it optional ASAP or I’m canceling too.

  • Arno says:

    I thought about it a couple of times, and believe it is the right way to go. On the other hand, if you feel that is too much, then you should not use two-factor authentication. I feel it is an extra layer of security and it is not too much to ask for – re-entering the master password once a month. Taking into account that many online citizens trust LastPass, but e.g. not the social media they might use. Also therefore it is important that we at least secure our passwords in the right manner. If you disagree you should just use the same password everywhere – because it is secret, or is it not…

  • Manuel says:

    Give users the choice to use this at their own discretion. I’m a paying customer and know what I’m doing.
    Give choice or say goodbye to me.

    • Amber Gott says:

      Thanks Manuel, as we mentioned in previous comments we do plan to make this optional in an upcoming release.

      • William Lee says:

        Glad to hear you’ve already changed your mind and are going to make this optional. I would think that many would find having to re-enter the two-factor thing every 30 days to be inconvenient enough that they would strongly consider turning off two-factor. Which would mean your security upgrade made people significantly less secure.

        • JohnT says:

          @William very well said. If my device is stolen or lost, I’ll go online and remove it from “Trusted Devices.” @LastPass, you already have a lot of users “worried” about the sale of your company, so announcements like this make us more uncomfortable. Glad to see you are going to make this optional.