What is the difference between a One Time Password and a Recovery One Time Password?
We understand it can be confusing – after all, they are both passwords that can only be used once! These two types of passwords are different in terms of how they are created, and how they are used.
What is a one-time password?
A one-time password is something you generate after you have logged in to your account, and is something you can write down. Please be aware that one-time passwords are not sent via email or by Customer Care; they are generated directly by you.
To use one-time passwords (OTPs), you generate a list of temporary passwords ahead of time, and cross them off (if they are printed or stored elsewhere) as they are used each time you log in to your account. You can also invalidate OTPs if you are concerned that they have become compromised. Please note that you can only log in with a one-time password from the one-time password login page at https://lastpass.com/otp.php.
Generating one-time password(s) does not invalidate or replace your existing Master Password – it just provides a single-use password to be used to log in via the one-time password login page. If you lose your list of OTPs, you can still log in as usual with your Master Password, but you cannot log in to the one-time password login page with your Master Password. Additionally, you are not able to export your LastPass Vault if you log in using a one-time password.
While you can use one-time passwords to log in to your LastPass Vault, they are primarily intended for times when you have to log in on an untrusted or public computer.
What is a Recovery One Time Password?
A Recovery One Time Password is something that is created for you automatically when you log in to LastPass via the web browser extension, and is not something you can write down.
When you log in to the LastPass web browser extension on multiple browsers and devices that you trust, you create a Recovery One Time Password on each browser and device. This means that if you ever make a change to your LastPass account that causes your Vault to be re-encrypted, the Recovery One Time Password will become invalidated on that device, but you could still reset your Master Password from another device where you had logged in to the LastPass web browser extension. Here are some actions that would cause your Recovery One Time Password to be lost or invalidated:
- Changing your Master Password on a mobile device (invalidates ALL Recovery One Time Passwords stored in your web browsers)
- Uninstalling/reinstalling the LastPass web browser extension
- Disabling the LastPass web browser extension
- Clearing your LastPass cache
- Reformatting your computer
- Unintentional corruption of your encrypted Vault cache (this is rare, but can be caused by other programs on your machine)
The Recovery One Time Password is used as a means of recovery to allow you to gain access to your LastPass Vault if your Master Password is ever forgotten.