  • Some LastPass users are locked out of their accounts after trying to reset their authenticator app


    Karlston

    • 1 comment
    • 431 views
    • 4 minutes

    Password management service LastPass started to prompt its customers to reset their two-factor authentication method on May 9th, 2023. The company upgraded account security at the time by raising the number of password iterations to 600,000 rounds.

    The increased number of iterations improves the protection of customers' master passwords, effectively making it more difficult for attackers to discover the correct master password.

     

    LastPass explains on a support page that it uses the "PBKDF2 function implemented with SHA-256" to turn the master password of its customers into the encryption key. The configured number of rounds is used to create the encryption key, and another round of PBKDF2 is then applied to create the login hash. This login hash is what gets submitted to LastPass and used to authenticate the customer.

     

    The new default number of password iterations has been set to 600,000 for new accounts and for accounts that update the existing iteration count.
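    The two-stage derivation described above, as an added illustration that is not LastPass's code: a first PBKDF2-HMAC-SHA256 pass with the configured iteration count turns the master password into the vault key, and a single further PBKDF2 round turns that key into the login hash the server stores and checks. The choice of the lower-cased account e-mail as the salt for the first pass, the master password as the salt for the second, the sample credentials and the "old" low iteration count of 5,000 are all assumptions made for this example; the only figure taken from the article is the 600,000 default. The last function measures how much more expensive a single offline guess against a stolen login hash becomes at the higher count, which is the point of the upgrade.

```python
import hashlib
import hmac
import time

# Constructed sample values (not real LastPass credentials).
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
NEW_DEFAULT_ITERATIONS = 600_000   # new default reported in the article
OLD_LOW_ITERATIONS = 5_000         # illustrative legacy count (assumption)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """First PBKDF2 pass: master password -> 256-bit vault encryption key.

    Using the normalised e-mail address as salt is an assumption for this
    example; any per-account salt serves the same purpose.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Second PBKDF2 pass, one round: vault key -> login hash sent to the server.

    Salting the second pass with the master password is again an assumption.
    The server never sees the vault key itself, only this one-way output.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


def enroll(master_password: str, email: str, iterations: int) -> dict:
    """Client-side enrolment: returns only what the server needs to store."""
    vault_key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email.strip().lower(),
        "iterations": iterations,
        "login_hash": derive_login_hash(vault_key, master_password),
    }


def verify_login(record: dict, candidate_password: str) -> bool:
    """Server-side check: recompute the login hash and compare in constant time."""
    vault_key = derive_vault_key(candidate_password, record["email"], record["iterations"])
    candidate_hash = derive_login_hash(vault_key, candidate_password)
    return hmac.compare_digest(record["login_hash"], candidate_hash)


def guess_cost_ratio(low_iterations: int, high_iterations: int, trials: int = 3) -> float:
    """How many times slower one offline password guess is at the higher count.

    An attacker holding a leaked login hash must run the full first pass for
    every guess, so raising the count raises their cost proportionally.
    """
    def seconds_per_guess(iterations: int) -> float:
        start = time.perf_counter()
        for _ in range(trials):
            derive_vault_key("wrong guess", SAMPLE_EMAIL, iterations)
        return (time.perf_counter() - start) / trials

    return seconds_per_guess(high_iterations) / seconds_per_guess(low_iterations)


if __name__ == "__main__":
    record = enroll(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, NEW_DEFAULT_ITERATIONS)
    print("stored login hash:", record["login_hash"].hex())
    print("correct password accepted:", verify_login(record, SAMPLE_MASTER_PASSWORD))
    print("wrong password accepted:  ", verify_login(record, "wrong guess"))
    ratio = guess_cost_ratio(OLD_LOW_ITERATIONS, NEW_DEFAULT_ITERATIONS)
    print(f"one guess at {NEW_DEFAULT_ITERATIONS:,} rounds costs about "
          f"{ratio:.0f}x one guess at {OLD_LOW_ITERATIONS:,} rounds")
```

    Note what the server learns and what it does not: it stores the login hash and the iteration count, and verifying a login costs it one full derivation per attempt, which is why a legitimate login takes a noticeable fraction of a second at 600,000 rounds. The same cost is what an attacker with a copy of the stored hash (or of an encrypted vault) pays per guess, so the iteration count only helps to the extent it is actually raised on existing accounts, which is why the article's "update the existing iteration count" step matters.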

     

    LastPass informed customers about the upcoming change by email, but has since also prompted users to reset their multifactor authentication preferences in the applications they use.

     

    At least some LastPass customers have found themselves in reset loops that they can't escape from. In the past couple of days, several LastPass customers posted on the official forum claiming that they can't open their vaults anymore after following the company's instructions to reset their multifactor authentication.

     

    Users of LastPass who face the loop can't open official support tickets, as these can only be opened by signed-in users. Affected users posted messages on Twitter or the LastPass Support Discussions forum.

     

    The majority of recent posts on the official support forum are about login issues after following reset instructions.

     

    LastPass explains the entire reset process on a support page. There, the company reveals important information about the process: LastPass customers need to log in to the LastPass website in a web browser to reset the multifactor authentication security feature. Resetting does not work from the browser extensions or the LastPass mobile apps.

     

    The following steps are required to reset the authentication method:

     

    1. Activate the Continue button after logging in to LastPass. LastPass sends a six-digit security code to the linked email address.
    2. Enter the code when prompted, then select Verify to continue.
    3. Open the authenticator application on the mobile device.
    4. Scan the QR code displayed in the browser using the application to pair it. It may be necessary to select Replace or Remove first to delete the old pairing.
    5. Click Verify.
    6. Log in to LastPass and authenticate with the multifactor authentication app.

     

    What LastPass fails to mention is that it also sends a second email asking users to verify their device and location. Customers need to follow the link in that email to complete the verification; failing to do so appears to prevent a successful login.

     

    LastPass experienced a severe security breach in 2022 that led to the copying of user vault data and information by the attacker. LastPass customers were asked to change all their passwords, including their account master password.

     

    The security upgrade improves security for all users and will make it difficult for attackers to decrypt stolen data. Some LastPass users switched to different password managers as a consequence.

     

    Now You: do you use multifactor authentication? (via Bleeping Computer)


    Source


    User Feedback

    Recommended Comments

    A password manager saving the data locally (with backups) sounds a lot better.

    Saving on the cloud is likely more convenient when multiple devices are used, but with the risk of breaches (of the well-known services such as LastPass) and not being able to access the data.

    Edited by mp68terr



