HELP FILE

How do I set up and use mobile account recovery on Android?

When using the LastPass app for Android, you can set up Fingerprint authentication as a means of account recovery in case your Master Password is ever forgotten.

Regardless of how you use LastPass (desktop app, web browser extension, mobile app), it is strongly recommended that you set up mobile account recovery in case other recovery options cannot be used.

Once set up and enabled, you can reset your Master Password using your Fingerprint (only using this mobile device) to restore access to your Vault. Don't worry, if you skipped this step when you were initially prompted, you can always enable it later in the LastPass app Security settings. Alternatively, you can recover your account by using a password hint that you set up when you created or last reset your Master Password. For information about mobile account recovery security, please see below.

Please be aware that LastPass Customer Care has no knowledge of a user's Master Password. It is not possible for LastPass Customer Care to reset or change a user's Master Password if it is forgotten.

Note: If you are concerned that your LastPass account has been compromised, follow these steps.

Set up Fingerprint authentication

You must log in to the LastPass app for Android with your username and Master Password before you can set up account recovery using Fingerprint authentication.

  1. Set up Fingerprint authentication from the initial setup instructions for Android.
  2. Log in to the LastPass app for Android with your username and Master Password.
  3. If logging in for the first time, you are prompted upon login to enable Use Fingerprint to Unlock – toggle on the switch for this setting. Otherwise, see below for instructions on enabling this feature later in the app's Security settings.
  4. Touch the fingerprint sensor on your device (don't press) to scan your fingerprint.
  5. Select Save > Next when finished. You're all set!

Reset your Master Password using Fingerprint authentication

  1. Open the LastPass app for Android, then select Trouble logging in? on the login screen.
  2. Select Forgot Master Password.
  3. Select Recover Account.
  4. Select Recover with Fingerprint.
  5. Touch the fingerprint sensor on your device (don't press) to scan your fingerprint.
  6. If prompted, complete the steps for Multifactor Authentication (if it is enabled on your account) and select Next.
  7. Enter a new Master Password, then confirm it. If desired, set a password hint (recommended).
  8. Select Set Master Password, then select Go to Login.
  9. Enter your username and newly created Master Password, then select Log In to access your Vault.

Enable Fingerprint and Account Recovery in Security settings

You must log in to the LastPass app for Android with your username and Master Password before you can set up account recovery using Fingerprint authentication.

  1. Set up Fingerprint authentication from the initial setup instructions for Android.
  2. Log in to the LastPass app for Android with your username and Master Password.
  3. Select the Vault Menu icon in the upper left navigation, then select Settings > Security.
  4. If it's not already on, toggle on the switch to enable the Use Fingerprint to Unlock option. This is required in order to use Account Recovery.
  5. Toggle on the switch to enable the Account Recovery option.
  6. Touch the fingerprint sensor on your device (don't press) to scan your fingerprint.
  7. You're all set!

Use a password hint (optional)

In addition to setting up Fingerprint authentication, it is also strongly recommended that you set a password hint when creating or resetting your Master Password via the LastPass app for Android. This should be a keyword or phrase that acts as a clue or subtle reminder that can be sent via email to help you remember your Master Password in case it is ever forgotten. If the password hint helps you remember your Master Password, try logging in to the app again.

About mobile account recovery security

The account recovery process uses recovery One Time Passwords (OTPs), stored locally on the user's mobile device behind biometrics. Users do not have direct access to recovery OTPs; they are pieces of data that the mobile app stores automatically. When you use the LastPass mobile app, it generates an OTP that is derived from the Master Password and stores it on the device itself. The OTP stays there until you go through account recovery on the specific device where it was generated and stored. If you start the recovery process (by selecting Forgot Password? on the login screen), the app retrieves that OTP and, if it detects that the OTP was stored in the app, allows you to immediately reset your Master Password.

OTPs are local to specific app instances, meaning one OTP should be generated for each app instance, on each mobile device, where you use LastPass. Recovery OTPs are not portable: they are stored in the specific mobile device's secure storage, so recovery can only be done in the LastPass mobile app where you have used your LastPass account before. When you next log in to your account after you've reset your Master Password, new OTPs are generated for the app upon login.

Note: All OTPs are derived from the Master Password that is current to the account when they are created. Changing the Master Password in any way (even by reverting to a previous Master Password) will invalidate the OTPs so they cannot be used.
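
The recovery OTP lifecycle described above can be modeled in a few lines. This is an added illustration, not LastPass code or its actual design: the Service class, the kdf helper, the random per-login salt, and the server-side table of OTP hashes are all assumptions, and a plain dict stands in for the device's biometric-gated secure storage.

```python
import hashlib
import hmac
import os

def kdf(secret: str, salt: bytes) -> bytes:
    # Low iteration count so the example runs quickly; not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

class Service:
    """Hypothetical server side: keeps only hashes of recovery OTPs."""
    def __init__(self, master_password: str):
        self.salt = os.urandom(16)
        self.login_hash = kdf(master_password, self.salt)
        self.otp_hashes = {}  # app instance id -> SHA-256 of its OTP

    def login(self, instance: str, password: str, store: dict) -> bool:
        if not hmac.compare_digest(kdf(password, self.salt), self.login_hash):
            return False
        # Fresh OTP per app instance, derived from the current Master Password.
        otp = kdf(password, os.urandom(16))
        store["otp"] = otp  # stands in for biometric-gated device storage
        self.otp_hashes[instance] = hashlib.sha256(otp).digest()
        return True

    def set_master_password(self, new_password: str) -> None:
        self.login_hash = kdf(new_password, self.salt)
        self.otp_hashes.clear()  # any change invalidates every recovery OTP

    def recover(self, instance: str, store: dict, new_password: str) -> bool:
        otp, expected = store.get("otp"), self.otp_hashes.get(instance)
        if otp is None or expected is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), expected):
            return False
        self.set_master_password(new_password)
        store.pop("otp")
        return True

def demo() -> dict:
    svc, phone, tablet = Service("first-pass"), {}, {}
    svc.login("phone", "first-pass", phone)
    out = {"other_device": svc.recover("tablet", tablet, "x")}  # no OTP there
    svc.set_master_password("second-pass")
    svc.set_master_password("first-pass")  # reverting does not revive the OTP
    out["after_revert"] = svc.recover("phone", phone, "x")
    svc.login("phone", "first-pass", phone)  # login regenerates the OTP
    out["after_relogin"] = svc.recover("phone", phone, "new-pass")
    out["new_password_works"] = svc.login("phone", "new-pass", phone)
    return out
```

In this model, recovery fails on a device that never stored an OTP and after any Master Password change, including a revert, until the next successful login on that device stores a new OTP.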
