HELP FILE

How does account recovery work for LastPass?

Account recovery is used when a Master Password is lost or forgotten. In order to get back into your Vault, you will need to go through the account recovery process in order to change your Master Password and recover your account.

Terminology

Decryption Key
This is derived from the Master Password and is used to decrypt the LastPass Vault.
Recovery One Time Password
A token that is created by logging in to the LastPass browser extension and saved to each web browser where you have logged in to the extension. This is necessary component used during the account recovery process.
Mobile account recovery
Enabling biometric authentication on your mobile device's settings, then enabling the account recovery feature in the LastPass Password Manager app for iOS or Android.

Account recovery process from a computer

  1. A user logs in to the LastPass browser extension, which creates a Recovery One Time Password.
  2. The Recovery One Time Password is used to encrypt the Decryption Key (shown as "Derive Key" in the diagram below).
  3. The encrypted Decryption Key is sent and stored on a LastPass server.
  4. Account recovery is initiated by the user by doing the following:
    1. A user navigates to https://lastpass.com/recover.php, then enters their LastPass username (in email address format) and clicks Continue.

      • If SMS account recovery has been set up, LastPass sends a 6-digit verification code to the user's mobile device. They can enter the code and click Verify.
      • If SMS account recovery has not been set up, an email is sent to the user with a link to activate account recovery.
        Note: If a security email address has been set up, the email will be sent there. If not, it will be sent to the account email address.

  5. Upon activation, the Decryption Key is sent from a LastPass server to the user's web browser.
  6. The account recovery webpage will look for a Recovery One Time Password stored to the browser that is being used during this process.
  7. If a Recovery One Time Password is available, it will be used to decrypt the Decryption Key.
  8. The Decryption Key is then used to decrypt the user's LastPass Vault.
  9. Once the user's Vault has been decrypted, the user is prompted to change their Master Password.

    Result: The user has reset their Master Password using a Recovery One Time Password on their computer.

Account recovery process from a mobile device

  1. The user enables biometrics (facial recognition or fingerprint identification) within their mobile device's settings.
  2. The user enables account recovery using biometrics in the LastPass Password Manager app for iOS or Android.
  3. If the user forgets their Master Password, they can start the account recovery process using biometrics based on their device:

    Result: The user has reset their Master Password using mobile account recovery.