Never Lose Access to LastPass with Account Recovery on Mobile 

LastPass takes away the burden of remembering passwords – and getting locked out of your accounts. But what if you forget your LastPass master password? It’s the one password you still need to remember. Because of our zero-knowledge security model, LastPass never knows your master password and therefore can’t reset it for you. So, what do you do if you’ve forgotten it? 

Today is World Password Day, so we thought it was a great time to announce our newest way to recover your master password: Mobile Account Recovery. We're also giving you a refresher on the other account recovery options.

Mobile account recovery 

Users who have installed the LastPass mobile app on Android or iOS and logged in to it can recover their accounts using fingerprint or Face ID authentication. We encourage users to download the app because it's useful to have all your passwords on the go, but it also acts as a safety net should you get locked out of your account.

Setting up and activating account recovery on your mobile device is simple. Note that mobile account recovery is specific to the device on which you enable it: if you enable it on Phone A, you will not be able to recover on Phone B without also going through the same steps on Phone B.

To set up mobile account recovery:  

  1. Download the LastPass app from the Apple App Store or the Google Play Store 
  2. Log in  
  3. You should be prompted to enable mobile account recovery. If you don't see this welcome message, you can enable it manually, as described in the next two steps.
  4. Enable fingerprint or Face ID authentication: go to Settings > Security > Enable Touch ID / Face ID / Fingerprint Authentication and ensure the toggle is switched on. Account recovery requires this biometric unlock to be enabled.
  5. Enable account recovery: go to Settings > Security > Account Recovery and ensure the toggle for account recovery is switched on.

Now you’re all set up! Should you forget your master password, all you need to do is:  

  1. Open your app 
  2. Tap “Forgot Password”  
  3. Authenticate with your fingerprint or Face ID 
  4. You will then be prompted to enter a new master password

Download the app now, so you can recover your account in the easiest way possible.  

Send password hint  

As mentioned above, we encourage you to download the mobile app and enable account recovery as your primary recovery option. But if you need a desktop recovery option, the first step is to send yourself a password hint.

When you created your master password, you were given the option of creating a password hint. If you forgot your master password but created a hint, navigate to https://lastpass.com/forgot.php, enter your email address and click Send Hint to have the hint emailed to you. Hopefully this will remind you of your master password so you can log in. Bear in mind that the hint is only as useful as it is safe: it should jog your memory without revealing the password to anyone else who reads your email.

Use a recovery one-time password 

If you still cannot figure out your password with the password hint, you can try using a recovery one-time password.  

This method provides you with a one-time password you can use to reset your master password. It requires some persistence because the recovery one-time password is specific to the computer and web browser you used to log in to LastPass: if you use 2 different computers and 3 different web browsers, each computer and browser combination has its own recovery password, and you must try the reset from one you have actually logged in from.

To try this method, follow the full instructions here.  
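The self-service options above, mobile account recovery and the recovery one-time password on the desktop, share one shape: a secret that exists only on one device (or one browser on one computer), is protected there, and lets the client re-key the vault without the server ever seeing a master password. The following is an added example written for this page; it is not LastPass code and not a description of LastPass internals. It models that shape in Python using only the standard library. The names (`password_key`, `auth_hash`, `Server`, `enable_recovery`, `recover`), the PBKDF2 round count, the HMAC-based encryption stand-in used in place of a real AEAD, and the choice of where each encrypted blob is stored are all this model's assumptions. It also exercises the two failure modes the post calls out: a recovery attempt from a device that was never enrolled, and a biometric check that does not pass.

```python
"""Model of a zero-knowledge vault with a device-bound recovery key.

Constructed for this page; not LastPass code. Stand-ins: HMAC-SHA256 in
counter mode plus a separate HMAC tag instead of an AEAD such as AES-GCM,
and a plain dict instead of biometric-gated secure storage on the phone
(or the browser's local storage, for the recovery one-time password).
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed; tune to the platform


def password_key(master_password: str, email: str) -> bytes:
    """Client side. Derived from the master password and never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ROUNDS)


def auth_hash(pw_key: bytes, master_password: str) -> bytes:
    """Client side. One more stretch over pw_key; this is all the server ever
    learns about the password, and it cannot be turned back into pw_key."""
    return hashlib.pbkdf2_hmac("sha256", pw_key, master_password.encode(), 1)


def _subkeys(key: bytes):
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD; output is nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))


class Server:
    """Holds only ciphertext and the auth hash: there is no master password here to reset."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, ah, wrapped_vault_key, vault_blob):
        self.accounts[email] = {"auth": ah, "wrapped": wrapped_vault_key,
                                "vault": vault_blob, "recovery_wrapped": None}

    def login(self, email, ah):
        acct = self.accounts[email]
        if not hmac.compare_digest(acct["auth"], ah):
            raise PermissionError("bad master password")
        return acct["wrapped"], acct["vault"]

    def replace_credentials(self, email, new_ah, new_wrapped):
        # How the server authorises this request is out of scope for the model.
        self.accounts[email].update(auth=new_ah, wrapped=new_wrapped)


def enroll(server, email, master_password, vault_plaintext):
    vault_key = secrets.token_bytes(32)  # random; the password only wraps it
    pw_key = password_key(master_password, email)
    server.register(email, auth_hash(pw_key, master_password),
                    encrypt(pw_key, vault_key), encrypt(vault_key, vault_plaintext))


def open_vault(server, email, master_password):
    pw_key = password_key(master_password, email)
    wrapped, vault_blob = server.login(email, auth_hash(pw_key, master_password))
    vault_key = decrypt(pw_key, wrapped)
    return vault_key, decrypt(vault_key, vault_blob)


def enable_recovery(server, device_storage, email, vault_key):
    """Setup steps 4-5 in this model: a fresh recovery key stays on this device
    only, behind its biometric gate; the server keeps the vault key wrapped under it."""
    recovery_key = secrets.token_bytes(32)
    device_storage[email] = recovery_key
    server.accounts[email]["recovery_wrapped"] = encrypt(recovery_key, vault_key)


def recover(server, device_storage, email, biometric_ok, new_master_password):
    """'Forgot Password' on the enrolled device: unwrap with the local recovery
    key and re-wrap under the new password. The old password is never needed."""
    if not biometric_ok:
        raise PermissionError("biometric unlock failed")
    if email not in device_storage:
        raise LookupError("recovery was not enabled on this device")  # the Phone B case
    vault_key = decrypt(device_storage[email], server.accounts[email]["recovery_wrapped"])
    new_pw_key = password_key(new_master_password, email)
    server.replace_credentials(email, auth_hash(new_pw_key, new_master_password),
                               encrypt(new_pw_key, vault_key))
```

Calling `recover` with a second, empty `device_storage` dict fails with `LookupError`, which is the Phone A versus Phone B behaviour described above. The same dict stands for the browser's local storage in the recovery one-time-password case, which is why every computer and browser pair needs its own enrolment. Note what the server never holds in this model: neither master password, neither password-derived key, and no recovery key, only blobs it cannot open.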

Admin Policies 

If you are an admin of a LastPass Enterprise account, your users can take advantage of the self-serve options above to recover their accounts, unless you have the "Prohibit Account Recovery" policy turned on (it is off by default). While this policy is available, we do not recommend enabling it: letting users recover their own accounts takes the burden off your IT team.

Educate your end users on all their account recovery options – especially mobile account recovery as it’s an easy way for them to regain access to their accounts. Plus, we’ve found that using the mobile app helps promote overall LastPass adoption and improved password behavior.  

Additionally, admins can reset passwords on their users’ behalf by enabling the “Super Admin – Master Password Reset” policy. Details can be found here. 

All is not lost 

If you forget your master password, all is not lost. There are steps you can take today to make it much easier for you to recover your account. Please download and log in to the mobile app and enable account recovery.  

Full instructions can be found here for Android and here for iOS. Once this is done, you can be confident that you'll be able to regain access to your account should you ever get locked out. Just in case, here are some tips for creating a strong but easy-to-remember master password, so hopefully you'll never forget it in the first place.

Happy World Password Day! 

Watch the video below to see LastPass Mobile Account Recovery in action:

60 Comments

  • Sonia Lyris says:

    “Face ID authentication”, eh? Tell me about the technology behind this, so I have some confidence that a photo of me wouldn’t easily fool your system.

    I urge you to treat your clients like the intelligent, tech-savvy critters many of us are. Tell us about the technology you’re using before I put my trust in it. Please.

  • DAVID SCHALLER says:

    I agree that relying on only an insecure fingerprint on Android is not acceptable! After years of supporting Yubikey, why do you still not have a way to use a NFC enabled Yubikey to authenticate on my Android phone?

  • Bob Lowry says:

    I use a Samsung Galaxy 7 phone and have set up fingerprint security multiple times but it always fails. Might work until the next upgrade then won’t. Not sure I want to risk counting on mobile recovery using a fingerprint when the weak link is the mobile fingerprint reader. Think you may need to find a better way.

  • G Chandler says:

    “not supported on your device”

    • Amber Steel says:

      Is this on Android? It means that the device does not support Android’s Secure Storage mechanism, meaning we are not able to store the recovery key in a secure way.

  • Sandy Stabenfeldt says:

    This option is here but I am not able to turn it on?

    • Amber Steel says:

      Account Recovery requires biometric unlock to be enabled. This means Face ID / Touch ID on iOS, and fingerprint unlock on Android. In addition to this, the iOS app also requires push notifications to be enabled.

  • Christian says:

    Unless I am mistaken, there is an important detail missing in the setup procedure explained above. Password recovery will work that way — unless you have enabled the “Log out when app is idle” feature. Enabling it results in being logged out after a while and at this point your biometrics will be useless. The only way to log back in is to enter your master passphrase again.

    Am I right? If so, please update this post accordingly. :-)

    • Amber Steel says:

      The disabled recovery key required for a successful account recovery remains available even after you log out from the mobile app (either manually or automatically). The recovery key is protected with biometrics locally on your phone, so that no one else can initiate the recovery process but you.