Anger Erupts Among LastPass Users as MFA Resets Cause Lockouts
LastPass users have been facing significant login difficulties since early May, when they were prompted to reset their authenticator apps, causing frustration among the user base.
The company initially announced that users would need to log back into their LastPass accounts and reset their multifactor authentication (MFA) due to planned security upgrades.
However, numerous users have since found themselves locked out of their accounts, unable to access their LastPass vault, even after successfully resetting their MFA applications such as LastPass Authenticator, Microsoft Authenticator, or Google Authenticator.
Compounding the problem, affected customers cannot reach support: contacting LastPass support requires logging in to their accounts, which is impossible while they are trapped in an endless loop of MFA reset prompts.
“I am now unable to log in because LastPass doesn’t recognize the new MFA code after the forced re-sync of MFA,” complained one user.
“After resetting my MFA, I completely lost access to my Vault. The master password is not working, and the password reset email never reaches me. I can’t even contact ‘Premium’ Support as it requires a login,” added another frustrated user.
LastPass claims that the MFA resets were communicated through in-app messages for “several weeks” prior to the initial announcement.
LastPass has issued several advisories about the security upgrades, explaining that the purpose is to increase password iterations to the new default of 600,000 rounds, enhancing the security of users’ master passwords.
As part of this process, LastPass users are required to re-enroll in multifactor authentication for security purposes when logging in. The procedure to reset the pairing between LastPass and the authenticator app is detailed in a support document provided by the company.
Users will also encounter prompts to verify their location and re-enter their login credentials when using LastPass for website or app logins as an additional security measure.
LastPass has stated that the prompt to reset MFA was initiated in early June to encourage users who had not yet taken action following the 2022 security breach to reset their MFA secrets with their preferred authenticator app.
These login issues come after LastPass experienced a security breach in December 2022, in which threat actors gained access to partially encrypted customer information and password vault data. The breach was a result of a previous incident in August 2022, in which attackers used stolen data to access LastPass’s encrypted Amazon S3 buckets.