HELP FILE

I am locked out because I can't disable Multifactor Authentication for LastPass

If your phone number has changed or the mobile device you used for authentication is lost, you should immediately disable Multifactor Authentication for your device (via email) so that you can log in and access your LastPass account.

The LastPass Authenticator cannot be disabled via email. To access your account, you can use SMS account recovery to log in, then disable Multifactor Authentication for your device. If SMS recovery had not previously been set up, please contact Customer Care by clicking a contact option at the bottom of the article.

However, if you are a LastPass user whose company set up an account for you (i.e., a business account using LastPass Teams, Enterprise, or Identity), your account may have policies enforced that prevent disabling Multifactor Authentication via email and/or require Multifactor Authentication in order for you to access your LastPass account. This means that you must contact your LastPass admin, who can temporarily exclude you from these policies (so that you can log in to your account) and then re-enable the policies for you.

If this sounds like your situation, you can contact your LastPass admin and provide them a link to this article, which outlines instructions for them.

Instructions for LastPass admins

If you have the "Require use of any MFA option" or "Require use of <specific authenticator>" policy (for Teams, the policy is called "Multifactor Authentication") enabled for your users, you can temporarily exclude the locked out user from the policy, then disable Multifactor Authentication for the user so that they can log in and access their Vault. Once you have confirmed that they have logged in, you can re-enable the policy for your user.

Step #1: Temporarily disable the policy for the locked out user

Instead of disabling the policy for all users, you can exclude your locked out user temporarily.

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Policies in the left navigation.
    • For LastPass Enterprise and Identity accounts – Locate the "Require use of MFA option" or "Require use of <specific authenticator>" policy and click Edit.
    • For LastPass Teams accounts – Locate "Multifactor Authentication" and click Edit details.
  3. Click to enable the radio button for Exclusive list of users.
    • For LastPass Enterprise and Identity accounts – Click Edit Users.
    • For LastPass Teams accounts – Click Edit details.
  4. Enter the username of your locked out user, then click Save.
  5. Click Save to save your changes to the policy.

Step #2: Disable Multifactor for the locked out user

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Click Users in the left menu.
  3. Click to select your desired user.
  4. Click the More icon (ellipsis) in the upper-right corner.
  5. Click Disable multifactor.
  6. When prompted, click OK.

Step #3: Confirm that the user can log in and access their Vault

You can now inform your user that they can log in to LastPass to access their Vault.

Step #4: Re-enable the policy for the user

Once your user has logged in, you can remove the user from the Exclusive list of users for your policy as follows:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Policies in the left navigation.
  3. Locate the policy you recently changed and click Edit.
  4. Click to enable the radio button for All.
  5. Click Save.
