Never Lose Access to LastPass with Account Recovery on Mobile 

LastPass takes away the burden of remembering passwords – and getting locked out of your accounts. But what if you forget your LastPass master password? It’s the one password you still need to remember. Because of our zero-knowledge security model, LastPass never knows your master password and therefore can’t reset it for you. So, what do you do if you’ve forgotten it? 

Today is World Password Day, so we thought it was a great time to announce our newest way to recover your master password – Mobile Account Recovery! We're also giving you a refresher on the other account recovery options.

Mobile account recovery 

Users who have downloaded and logged into the LastPass mobile app on Android or iOS can recover their accounts very easily using fingerprint or Face ID authentication. We encourage users to download the app because it’s very helpful to have all your passwords on the go – but it also acts as a safety net should you get locked out of your account.  

Setting up and activating account recovery on your mobile device is super easy. Note that when you enable mobile account recovery on Phone A, it is specific to that device; you will not be able to recover on Phone B without also going through the steps to enable account recovery for Phone B. 

To set up mobile account recovery:  

  1. Download the LastPass app from the Apple App Store or the Google Play Store 
  2. Log in  
  3. You should be prompted to enable mobile account recovery. But if you don’t see this welcome message, you can enable it manually.  
  4. Enable fingerprint or Face ID authentication. Go to Settings > Security > Enable Touch ID / Face ID / Fingerprint Authentication. Ensure the toggle is switched on.  
  5. Enable account recovery: Go to Settings > Security > account recovery. Ensure the toggle for account recovery is switched to on.  

Now you’re all set up! Should you forget your master password, all you need to do is:  

  1. Open your app 
  2. Tap “Forgot Password”  
  3. Authenticate with your fingerprint or Face ID 
  4. You will then be prompted to enter your new master password  

Download the app now, so you can recover your account in the easiest way possible.  

Send password hint  

As we mentioned above, we encourage you to download the mobile app and enable account recovery as your first line of defense for account recovery. But if you need a desktop recovery option, the first step is to send yourself a password hint.  

When you created your master password, you were given the option of creating a password hint. If you forgot your master password but created a password hint, you can navigate to https://lastpass.com/forgot.php, then enter your email address and click Send Hint to email yourself a clue about your master password. Hopefully, this will remind you of your master password and you can then log in.  

Use a recovery one-time password 

If you still cannot figure out your password with the password hint, you can try using a recovery one-time password.  

This method provides you with a one-time password you can use to reset your master password. It does require some persistence, because the recovery one-time password is specific to each combination of computer and web browser you have used. For example, if you use 2 different computers and 3 different web browsers, each combination has a different recovery password.  

To try this method, follow the full instructions here.  

Admin Policies 

If you are an admin of a LastPass Enterprise account, your users can take advantage of the above self-serve options to recover their accounts – unless you have the "Prohibit Account Recovery" policy turned on (it is not turned on by default). While this policy is available, we do not encourage enabling it, so that your users can recover their accounts on their own and take the burden off your IT team. 

Educate your end users on all their account recovery options – especially mobile account recovery as it’s an easy way for them to regain access to their accounts. Plus, we’ve found that using the mobile app helps promote overall LastPass adoption and improved password behavior.  

Additionally, admins can reset passwords on their users’ behalf by enabling the “Super Admin – Master Password Reset” policy. Details can be found here. 

All is not lost 

If you forget your master password, all is not lost. There are steps you can take today to make it much easier for you to recover your account. Please download and log in to the mobile app and enable account recovery.  

Full instructions can be found here for Android and here for iOS. Once this is done, you can be confident that you'll be able to regain access to your account should you ever get locked out. Just in case, here are some tips for creating a strong but easy-to-remember master password – so hopefully you'll never forget it in the first place.  

Happy World Password Day! 

Watch the video below to see LastPass Mobile Account Recovery in action:

15 Comments

  • Kenneth LaFord says:

    Just about ready to forego LP permanently. I have a free account that I have had since 2016. My son invited me to Family plan. How do I F'ing sync them? He has repeatedly sent invite and I can lance my free account, but how do I sync? Do I lose my email and/or PW? Not even sure it's worth it. Please advise.

  • Josh says:

    Hello. While I applaud the option of mobile account recovery, especially for a personal account, I question the advice given in this article that Enterprise admins not enable the “Prohibit Account Recovery” policy. As an Enterprise admin with Super Admin – Master Password Reset policy enabled, I already have a way to recover accounts for users who forget their master password, and can do so in an accountable way. The problem with the mobile account recovery option is that anyone with access to the phone and PIN can reset a LastPass master password (since they can add their own finger to TouchID). In the worst case, an employee shares their work phone with their spouse, kids, etc, who now have the ability to reset the master password. In the best case, the employee does not share their PIN, but you still have now reduced a long master password to the security level of a few (likely poorly chosen) digits for anyone with physical possession of the device. Am I missing anything here?

    • Amber Steel says:

      As long as the employee logs in on a desktop browser at least once, the super admin policy will work. Every company is different, and every admin will have to make the decisions that are best for their business!