Beta Participants Needed: LastPass Account Recovery on Mobile

As you all know, LastPass takes away the burden of remembering passwords – and getting locked out of your accounts. But what if you forget your LastPass Master Password? That’s the one password you still need to remember, and as a direct result of our Zero Knowledge security model, resetting it is not as easy as on an ordinary website.

Enter Account Recovery on Mobile. It is available on the iOS TestFlight and Android beta channels: users who have downloaded and logged into the LastPass iOS/Android beta apps can recover their accounts with a few taps.

Try this new feature out, and give us feedback! Note: at this time, we recommend testing this feature only with two-factor authentication disabled.

1 – Enable Mobile Account Recovery in the Security menu

2 – Log out and press “Forgot Password” on the login screen

3 – Enter your email and press “Recover Account”

4 – Confirm your fingerprint and then enter your new master password. That’s it!

5 – Now log in with your new master password

Download the iOS version via Testflight: https://testflight.apple.com/join/fy7LvHVA
Get the Android app by navigating to the Play Store page and opting in to the beta program: https://play.google.com/store/apps/details?id=com.lastpass.lpandroid&hl=en_US

5 Comments

  • Alex D says:

    The above explanation is good, but I would actually like to have a toggle option as an end user to enable/disable this recovery flow.

    • Leah Bachmann says:

      Hi Alex,
      You can turn off the mobile account recovery feature in your app under user settings. Also, all users need to opt in to this flow.
      I hope that is helpful.

      Leah

  • Nate says:

    This is a bit concerning security-wise. Is there an explanation of how this is achieved without compromising the security of the account?

    • Leah Bachmann says:

      Hi Nate,
      Thanks for the question. Here’s some info.

      The account recovery process uses recovery one-time passwords (OTPs), stored locally on the user’s phone behind biometrics. Users do not have direct access to recovery OTPs. These are bits of data that are stored automatically by the mobile app. When you use the LastPass mobile app, it generates an OTP that is derived from the Master Password and stores it on the device itself. It will stay there until you go through account recovery on that specific device where the OTP was generated and stored. If you do the recovery process (by tapping on ‘Forgot password’ on the login screen) it will try to “call up” that OTP, and allow you to immediately reset your password if it detects that the OTP was stored in the app.
      OTPs are local to specific app instances, and one OTP should be generated for each app instance, on each mobile device, where you use LastPass. Recovery OTPs are not portable; they are stored in the specific mobile device’s secure storage, so recovery can only be done in a LastPass mobile app where you have used your LastPass account before. When you next log in to your account after you’ve reset your Master Password, new OTPs are generated for the app the next time you log in.

      I hope this is helpful.

      Leah

    • Eli says:

      If I understand correctly, this is just extending the current OTP recovery mechanism, which works to recover an account if you have access to a logged-in browser instance, to also recover accounts if you have access to a logged-in browser app.

      Either way, it’s depending on information you have specifically saved. In the browser extension on Firefox, for example, I see an Advanced option:

      “Save a disabled One Time Password locally for Account Recovery”

      So the mobile app is just getting the same feature.
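The replies above describe the shape of the mechanism (a per-device recovery secret kept in the phone's secure storage behind a biometric, which lets the app reset the master password without the server ever learning it) but not how such a secret can unlock a zero-knowledge vault. The following is an added toy model written for this page; it is not LastPass code, and none of the function names, storage layouts or key-derivation parameters are the product's. It uses the envelope pattern: a random data-encryption key (DEK) protects the vault, and that DEK is wrapped once under a key derived from the master password and once more, per enrolled device, under a random recovery secret. Where the reply says the OTP is "derived from the Master Password", this model uses a fresh random secret per app instance instead; the security property is the same either way, since whoever holds the device secret can unwrap the DEK exactly as the master password can, which is why it belongs in biometric-gated secure storage and why it should be rotated after use. The `seal`/`open_` pair is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the file runs on the standard library alone; a real implementation would use an AEAD such as AES-GCM.

```python
"""Toy model of device-held recovery secrets for a zero-knowledge vault.

Constructed illustration for this page. Nothing here is LastPass's
implementation; PBKDF2_ROUNDS, the record layout and the rotation policy
are all assumptions made for the example.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed value, not the product's setting


def kek_from_password(password: str, email: str) -> bytes:
    """Key-encryption key derived client-side from the master password.
    The server never sees the password or this key (zero knowledge)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), PBKDF2_ROUNDS)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def create_account(email: str, master_password: str, contents: bytes) -> dict:
    """Server-side record: vault under the DEK, DEK under the password KEK."""
    dek = secrets.token_bytes(32)
    return {
        "email": email,
        "dek_by_password": seal(kek_from_password(master_password, email), dek),
        "recovery_wraps": {},          # device_id -> DEK wrapped under that device's secret
        "vault": seal(dek, contents),
    }


def unlock(account: dict, master_password: str) -> bytes:
    """Normal login: master password -> KEK -> DEK -> vault contents."""
    dek = open_(kek_from_password(master_password, account["email"]), account["dek_by_password"])
    return open_(dek, account["vault"])


def enroll_recovery(account: dict, master_password: str, device_id: str, device_store: dict) -> None:
    """Step 1 of the post: done while logged in. device_store stands in for the
    phone's biometric-gated secure storage; the server keeps only the wrap."""
    dek = open_(kek_from_password(master_password, account["email"]), account["dek_by_password"])
    recovery_secret = secrets.token_bytes(32)
    device_store[device_id] = recovery_secret
    account["recovery_wraps"][device_id] = seal(recovery_secret, dek)


def recover(account: dict, device_id: str, device_store: dict,
            biometric_ok: bool, new_master_password: str) -> None:
    """Steps 2-4: only the same app instance can do this, and only after a
    biometric. Afterwards the secret is rotated (assumed policy) so a copy of
    the old secure-storage contents cannot be replayed."""
    if not biometric_ok:
        raise PermissionError("biometric check failed")
    if device_id not in device_store or device_id not in account["recovery_wraps"]:
        raise LookupError("no recovery secret enrolled on this device")
    dek = open_(device_store[device_id], account["recovery_wraps"][device_id])
    account["dek_by_password"] = seal(kek_from_password(new_master_password, account["email"]), dek)
    del device_store[device_id]
    account["recovery_wraps"].clear()
    enroll_recovery(account, new_master_password, device_id, device_store)


def run_demo() -> dict:
    """Walks the flow once and reports which attempts succeed (constructed data)."""
    acct = create_account("user@example.com", "old master pw", b"site logins...")
    phone, laptop = {}, {}
    enroll_recovery(acct, "old master pw", "phone-1", phone)
    old_secret = phone["phone-1"]
    results = {}
    try:
        recover(acct, "phone-1", phone, False, "new master pw")
    except PermissionError:
        results["denied_without_biometric"] = True
    try:
        recover(acct, "laptop-9", laptop, True, "new master pw")
    except LookupError:
        results["denied_on_other_device"] = True
    recover(acct, "phone-1", phone, True, "new master pw")
    results["new_password_unlocks"] = unlock(acct, "new master pw") == b"site logins..."
    try:
        unlock(acct, "old master pw")
    except ValueError:
        results["old_password_rejected"] = True
    results["secret_rotated"] = phone["phone-1"] != old_secret
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes concrete for anyone evaluating the feature: the server record only ever holds the DEK wrapped under keys it cannot derive, so enabling recovery does not weaken the zero-knowledge property against the service itself; and the device-held secret is a full-strength credential, so its protection rests entirely on the platform keystore and the biometric gate, which is the trade-off Alex's toggle and the opt-in mentioned above let a user decide on.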