Many users are locked out of LastPass after authenticator app reset
The support forums of password management tool LastPass are filling up with complaints from confused and disgruntled users who found themselves locked out of their accounts. The problems stem from a forced authenticator app reset implemented by the company following a series of security incidents last year.
Starting last month, LastPass forcibly logged out users and required them to reset their multifactor authentication (MFA) apps such as Google Authenticator and Microsoft Authenticator. But having followed the instructions given by the company, large numbers of users report that they are unable to access their LastPass vaults after being locked out of their accounts.
LastPass started to notify users via email in early May about the need to reset their MFA apps, followed by in-app notifications a little later. The problems started shortly after, and have gradually affected more and more users.
In resynchronizing MFA data, as part of the reset process, users have found that LastPass does not recognize new MFA codes and they are therefore unable to access their accounts. Master passwords -- usually regarded as the safety net -- are also not working, and attempts to reset passwords are proving unsuccessful.
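The lockout described above is, mechanically, a time-based one-time password (TOTP, RFC 6238) enrolment whose server-side copy of the secret no longer matches the one in the user's authenticator app: once the app has been re-enrolled with a fresh secret, every code it produces is computed from key material the server has never seen, so nothing it generates will verify. The following is an added illustration written for this article, not LastPass code and not a description of how LastPass implements MFA; the two base32 secrets and the `MfaServer` class are constructed for the demo. It shows the standard TOTP computation, the "new app, stale server" failure mode, and the defensive pattern of keeping the previous secret valid during an overlap window until the new one has been proven to work.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secrets in base32, as an authenticator app would read them from a QR code.
OLD_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # hypothetical pre-reset secret
NEW_SECRET_B32 = "GEZDGNBVGY3TQOJQ"  # hypothetical post-reset secret

STEP = 30   # RFC 6238 time step in seconds
DIGITS = 6  # code length shown by the app


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP)


class MfaServer:
    """Server-side TOTP record for one user, with a grace window for secret rotation."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.active = secret_b32
        self.previous = None          # old secret kept alive while a reset is in progress
        self.skew_steps = skew_steps  # tolerated clock drift, in 30-second steps

    def begin_reset(self, new_secret_b32: str) -> None:
        # Do not discard the old secret yet: the user may not have finished enrolling.
        self.previous = self.active
        self.active = new_secret_b32

    def confirm_reset(self) -> None:
        # Called once the user has proven a code from the new secret works.
        self.previous = None

    def _matches(self, secret_b32: str, code: str, at: int) -> bool:
        counter = at // STEP
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
                return True
        return False

    def verify(self, code: str, at: int) -> str:
        if self._matches(self.active, code, at):
            return "ok-active"
        if self.previous is not None and self._matches(self.previous, code, at):
            return "ok-previous"
        return "rejected"


def rotation_walkthrough(at: int = 1_700_000_000) -> dict:
    """Compare a reset that lost sync with one that keeps an overlap window."""
    results = {}

    # Failure mode: the app was re-enrolled with NEW but the server still holds only OLD.
    stale = MfaServer(OLD_SECRET_B32)
    results["stale_server_new_app"] = stale.verify(totp(NEW_SECRET_B32, at), at)

    # Defensive flow: both secrets verify until the new one is confirmed.
    srv = MfaServer(OLD_SECRET_B32)
    srv.begin_reset(NEW_SECRET_B32)
    results["overlap_old_app"] = srv.verify(totp(OLD_SECRET_B32, at), at)
    results["overlap_new_app"] = srv.verify(totp(NEW_SECRET_B32, at), at)
    srv.confirm_reset()
    results["confirmed_old_app"] = srv.verify(totp(OLD_SECRET_B32, at), at)
    results["confirmed_new_app"] = srv.verify(totp(NEW_SECRET_B32, at), at)
    return results


if __name__ == "__main__":
    for name, outcome in rotation_walkthrough().items():
        print(f"{name:24s} {outcome}")
```

The `stale_server_new_app` case is the situation users are reporting: a freshly enrolled app whose codes the server cannot recognise, which no amount of resynchronising on the client side can repair because the server never received the new secret. The overlap window is the usual mitigation: the old secret stays valid until a code from the new one has been verified, so an interrupted or misread reset leaves the user with a working login rather than a locked vault.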
There is a great deal of frustration among the LastPass userbase because, in order to access support, users must be logged into their accounts. This is something that is simply not possible because, as reported by Bleeping Computer, users find that they are thrown into "an infinite loop of being prompted to reset their MFA authenticator".
LastPass has a support document on its website that details how the reset process works -- or at least how it should work. Failure to follow the instructions to the letter can result in accounts becoming inaccessible, as can be seen from the number of complaints in the LastPass forums. With some users saying they did not receive -- or did not see -- an email explaining the process, many were left to guess how to go about things, resulting in lock-outs for many.
But for those who remain locked out of their accounts, it is not really clear what happens next. In a statement to Bleeping Computer, LastPass says:
Following the 2022 incidents, we sent email and in-product communications to our customer base recommending that they reset their MFA secrets with their preferred Authenticator App as a precautionary measure. This recommendation was also included in the Security Bulletins that we sent to our B2C and B2B customers in early March and a second email communication in early April.
The spokesperson added: "However, a subset of our customers still have not taken this action, so we have been prompting them to take action upon their next log-in to LastPass. We started this in-product prompt back in early June in the hopes that it would get a greater response than our emails".