LastPass

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps.

The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9.

However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator.

LastPass authenticator reset prompts
LastPass authenticator reset prompts (LastPass)

"The forced re-sync of MFA is now preventing me from logging in because LastPass won't recognise the new MFA code," one user said.

"After resetting my MFA I completely lost access to my Vault. MasterPW is not working and resetting as well as the reset eMail never gets delivered to me. Cannot contact my 'Premium' Support as a Login is required," another one added.

"I was prompted to reenter master password then forced to update MFA, which I did successfully, and now I'm not able to login at all. I can't even open a support ticket because you need to log in in order to do so," one user said, asking for help on the LastPass community website.

LastPass says the MFA resets were announced via in-app messages for "several weeks" before the initial announcement.​

LastPass tweet reply

This has prodded LastPass to release several advisories about the security upgrades explaining that this is being done to increase password iterations to the new default of 600,000 rounds

"To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2)," explains a LastPass support bulletin sent to impacted users.

"At its most basic, PBKDF2 is a 'password-strengthening algorithm' that makes it difficult for a computer to check that any 1 password is the correct master password during a compromising attack."

"The forced logout + MFA resync events are taking place as we increase all customer's password iterations. This has to do with the encryption of your LastPass Vault," the company tweeted.

In another advisory, the company says users are prompted to re-enroll in multifactor authentication for their security when logging in to LastPass.

"You must log in to the LastPass website in your browser and re-enroll your MFA application before you can access LastPass on your mobile device again. You cannot re-enroll using the LastPass browser extension or the LastPass Password Manager app," the company explains.

The detailed procedure required to reset the pairing between LastPass and the authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is described in detail in this support document.

The next time you log in to a website or an app using LastPass, you will be prompted to verify your location. When you log in to a website or an app where you used LastPass to log into, you must enter your credentials again and authenticate using your authenticator app.

Users will also be asked to verify their location the next time they log into a website or app using LastPass as an additional security measure.

As part of the same process, users will be required to re-enter their login credentials and authenticate themselves again using their authenticator app.

"Following the 2022 incidents, we sent email and in-product communications to our customer base recommending that they reset their MFA secrets with their preferred Authenticator App as a precautionary measure. This recommendation was also included in the Security Bulletins that we sent to our B2C and B2B customers in early March and a second email communication in early April," a LastPass spokesperson told BleepingComputer.

"However, a subset of our customers still have not taken this action, so we have been prompting them to take action upon their next log-in to LastPass. We started this in-product prompt back in early June in the hopes that it would get a greater response than our emails."

These issues come after LastPass disclosed a security breach in December 2022 after threat actors stole a large amount of partially encrypted customer information and password vault data.

The December breach resulted from another breach from August 2022, with the attackers gaining access to the company's encrypted Amazon S3 buckets using stolen data from the first breach.

Related Articles:

Hackers abused API to verify millions of Authy MFA phone numbers

Scathing report on Medibank cyberattack highlights unenforced MFA

Microsoft: New Outlook security changes coming to personal accounts

How to meet evolving MFA demands in the current threat landscape

AWS adds passkeys support, warns root users must enable MFA