HELP FILE

About account recovery options in LastPass

Please be aware that LastPass Customer Care has no knowledge of a user's Master Password. It is not possible for LastPass Customer Care to reset or change a user's Master Password if it is forgotten.

If you are concerned that your LastPass account has been compromised, follow these steps.

About using a password hint (recommended)

In addition to setting up account recovery using biometrics, it is also strongly recommended that you set a password hint when creating or resetting your Master Password via the LastPass Password Manager mobile app. This should be a keyword or phrase that acts as a clue or subtle reminder that can be sent via email to help you remember your Master Password in case it is ever forgotten. If the password hint helps you remember your Master Password, try logging in to the app again.

About mobile account recovery security

The account recovery process uses Recovery One Time Passwords (ROTPs), stored locally on the user’s mobile device behind biometrics. Users do not have direct access to ROTPs. These are bits of data that are stored automatically by the mobile app. When you use the LastPass mobile app, it generates a Recovery OTP that is derived from the Master Password and stores on the device itself. It will stay there until you go through account recovery on that specific device where the ROTP was generated and stored. If you do the recovery process (by tapping Forgot Password? on the login screen) it will retrieve that ROTP, and allow you to immediately reset your Master Password if it detects that the ROTP was stored in the app.

Recovery OTPs are local to specific app instances – meaning one ROTP should be generated for each app instance, on each mobile device, where you use LastPass. Recovery OTPs are not portable, they are stored in the specific mobile device’s secure storage, so recovery can only be done in the LastPass mobile app where you have used your LastPass account before. When you next log in to your account after you’ve reset your Master Password, new ROTPs are generated for the app upon login.

Note:  All ROTPs are derived from the Master Password that is current to the account when they are created. Changing the Master Password in any way (even by reverting to a previous Master Password) will invalidate the ROTPs so they cannot be used.