Jump to content
  • Some LastPass users are locked out of their accounts after trying to reset their authenticator app


    Karlston

    • 1 comment
    • 859 views
    • 4 minutes
     Share


    • 1 comment
    • 859 views
    • 4 minutes

    Password management service LastPass started to prompt its customers to reset their two-factor authentication method on May 9th, 2023. The company upgraded account security at the time by raising the number of password iterations to 600,000 rounds.

     

    The increased number of iterations improves the protection of customer's master password, effectively making it more difficult for attackers to discover the correct master password.

     

    LastPass explains on a support page that it uses the "PBKDF2 function implemented with SHA-256 to turn the master password of its customers into the encryption key. The number of rounds are used to create the encryption key and another round ofPBKDF2 is done to create the login hash. This login hash is then submitted to LastPass and used to authenticate the customer.

     

    The new default number of password iterations has been set to 600,000 for new accounts and for accounts that update the existing iteration count.

     

    LastPass informed customers about the upcoming change in emails, but has since then also prompted users to reset their multifactor authentication preferences in the used applications.

     

    At least some LastPass customers have found themselves in reset loops that they can't escape from. In the past couple of days, several LastPass customers posted on the official forum claiming that they can't open their vaults anymore after following the company's instructions to reset their multifactor authentication.

     

    Users of LastPass who face the loop can't open official support tickets, as these can only be opened by signed-in users. Affected users posted messages on Twitter or the LastPass Support Discussions forum.

     

    The majority of recent posts on the official support forum are about login issues after following reset instructions.

     

    LastPass explains the entire resetting process on a support page. There, the company reveals important information about the process. LastPass customers need to log-in to the LastPass website in a web browser to reset the multifactor authentication security feature. Resetting does not work using the browser extensions or the LastPass mobile apps.

     

    The following steps are required to reset the authentication method:

     

    1. Activate the Continue button after logging in to LastPass. LastPass sends a six digit security code to the linked email address.
    2. The code needs to be entered as part of the process. Select Verify to continue.
    3. Open the authenticator application on the mobile device.
    4. Scan the QR code displayed in the browser using the application to pair it. It may be necessary to select Replace or Remove to delete the old information.
    5. Click Verify.
    6. Log-in to LastPass and authenticate with the multifactor authentication app.

     

    What LastPass fails to mention is that it is sending out a second email that asks users to verify their device and location. Customers need to follow the link in that email to verify the device and location. Failure to do so appears to prevent the successful login.

     

    LastPass experienced a severe security breach in 2022 that led to the copying of user vault data and information by the attacker. LastPass customers were asked to change all their passwords, including their account master password.

     

    The security upgrade improves security for all users and will make it difficult for attackers to decrypt stolen data. Some LastPass users switched to different password managers as a consequence.

     

    Now You: do you use multifactor authentication? (via Bleeping Computer)

     

     

     

    Source


    User Feedback

    Recommended Comments

    A password manager saving the data locally (with backupS) sounds a lot better.

    Saving on the cloud is likely more convenient when multiple devices are used, but with the risk of breaches (of the wellknown services such as lastpass) and not being able to access the data.

    Edited by mp68terr
    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...