What is the difference between a One Time Password and a Recovery One Time Password?
We understand it can be confusing – after all, they are both passwords that can only be used once! These two types of passwords are different in terms of how they are created, and how they are used.
What is a one-time password (OTP)?
A one-time password is something you generate after you have logged in to your account, and is something you can write down. Please be aware that one-time passwords are not sent via email or LastPass Support, they are generated directly by you.
To use the one-time passwords, you generate a list of temporary passwords ahead of time, and cross them off (if they are printed or stored elsewhere) as they are used each time you log in to your account. You can also invalidate OTPs if you are concerned that they have become compromised. Please note that you can only log in with a one-time password from the one-time password login page at https://lastpass.com/otp.php.
Generating one-time password(s) does not invalidate or replace your existing master password – it just provides a single-use password to be used to log in via the one-time password login page. If you lose your list of OTPs, you can still log in as usual with your master password, but you cannot log in to the one-time password login page with your master password. Additionally, you are not able to export your LastPass Vault if you log in using a one-time password.
While you can use One Time Passwords to log in to your LastPass Vault, they are primarily used for when you have to log in to a public or untrusted computer.
What is a Recovery One Time Password (ROTP)?
A Recovery One Time Password is something that is created for you automatically when you log in to LastPass via the web browser extension and/or online web Vault (i.e., the LastPass website), and is not something you can write down.
When you log in to the LastPass from your desktop on multiple browsers and devices that you trust, you create a Recovery One Time Password on each browser and device. This means that if you ever make a change to your LastPass account that causes your Vault to be re-encrypted, the Recovery One Time Password will become invalidated on that browser & device combination, but you could still reset your master password from another browser & device combination.
The Recovery One Time Password is used as a means of recovery to allow you to gain access to your LastPass Vault if your master password is ever forgotten.