HELP FILE

I am locked out because I can't disable Multifactor Authentication for LastPass

If your phone number has changed or the mobile device you used for authentication is lost, you should immediately disable Multifactor Authentication for your device (via email) so that you can log in and access your LastPass account.

Attention: The LastPass Authenticator cannot be disabled via email. To access your account, you can use SMS account recovery to log in, then disable multifactor authentication for your device. If SMS recovery had not previously been set up, please contact Customer Care by navigating directly to this article and selecting a contact option at the bottom.

However, if you are a LastPass user whose company set up an account for you (i.e., LastPass Teams or LastPass Business account), your account may have policies enforced that prevent disabling Multifactor Authentication via email and/or require Multifactor Authentication in order for you to access your LastPass account. This means that you must contact your LastPass admin, who can temporarily exclude you from these policies (so that you can log in to your account) and then re-enable the policies for you.

If this sounds like your situation, you can contact your LastPass admin and provide them a link to this article, which outlines instructions for them.

Instructions for LastPass admins

If you have the "Require use of any MFA option" or "Require use of < specific authenticator >" policy (for Teams, the policy is called "Multifactor Authentication") enabled for your users, you can temporarily exclude the locked out user from the policy, then disable Multifactor Authentication for the user so that they can log in and access their Vault. Once you have confirmed that they have logged in, you can re-enable the policy for your user.

Step #1: Temporarily disable the policy for the locked out user

Instead of disabling the policy for all users, you can exclude your locked out user temporarily.

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Policies > Multifactor.
    • For LastPass Business accounts – Locate the "Require use of MFA option" or "Require use of < specific authenticator >" policy and click Edit details.
    • For LastPass Teams accounts – Locate "Multifactor Authentication" and click Edit details.
  3. Click to enable the radio button for Exclusive list of users.
    • For LastPass Business accounts – Click Edit details.
    • For LastPass Teams accounts – Click Edit details.
  4. Search for your desired users and/or groups, then select Add.
  5. Click Save to save your changes to the policy.

Step #2: Disable Multifactor for the locked out user

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Select Users in the left navigation.
  3. Check the box next to your desired user.
  4. Select More actions > Disable multifactor for selected users.
  5. Click OK to confirm.

You have disabled the multifactor authentication option for your selected user.

Step #3: Confirm that the user can log in and access their Vault

You can now inform your user that they can log in to LastPass to access their Vault. You can also advise the user that you will be re-enabling the policy and forcing them to log out of their LastPass account, and that when they log back in they will be prompted to set up Multifactor Authentication again.

Step #4: Re-enable the policy for the user

Once your user has logged in, you can remove the user from the Exclusive list of users for your policy as follows:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Policies > Multifactor.
  3. Locate the policy you recently changed and click Edit details.
  4. Click to enable the radio button for All.
  5. Click Save.

Your user has been added back to your selected Multifactor Authentication policy.

Step #5: Force the user to log out of all LastPass sessions to force Multifactor Authentication setup again (optional)

Now that the policy is enforced again, you can, if desired, force the user to log out of all LastPass sessions; the next time they log in to LastPass they will be prompted to set up Multifactor Authentication again.

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Select Users in the left navigation.
  3. Go to More actions > Destroy all sessions for selected users.
  4. Click OK to confirm.

Your user is now logged out of all LastPass sessions, and the next time they log in to LastPass they will be prompted to set up Multifactor Authentication again.