Password manager LastPass is locking users out of their accounts, leaving them unable to access their stored passwords




LastPass users are being locked out of their LastPass accounts. The cause appears to be a mandatory reset of the multi-factor authentication settings on each account.

LastPass users furious after being locked out due to MFA resets
https://www.bleepingcomputer.com/news/security/lastpass-users-furious-after-being-locked-out-due-to-mfa-resets/



Some LastPass users are locked out of their accounts after trying to reset their authenticator app - gHacks Tech News
https://www.ghacks.net/2023/06/25/some-lastpass-users-are-locked-out-of-their-accounts-after-trying-to-reset-their-authenticator-app/

Around April 2023, LastPass announced that a security update scheduled for May 9, 2023 (local time) might require users to log in to their accounts again and reset their multi-factor authentication settings.

However, since the security update on May 9, there have been reports of users being locked out of their LastPass accounts even after correctly resetting multi-factor authentication apps such as LastPass Authenticator, Microsoft Authenticator, and Google Authenticator.

The issue has also been reported on GoTo Community, the community forum of LastPass's parent company.

Solved: Re: Authenticator Reset - GoTo Community
https://community.logmein.com/t5/LastPass-Support-Discussions/Authenticator-Reset/mp/305738



The community forum lists three possible solutions:

1. Check your email for a confirmation message from LastPass asking you to verify your IP address and new device. If the message has expired, try logging in again so that a new confirmation email is sent.

2. If you have been locked out of LastPass because you cannot remember your account password, contact Customer Support through this page.

3. If you are locked out because you cannot resync your multi-factor authentication, contact Customer Support through this page. Support will then walk you through the resync by email.

In addition, LastPass officially explains that to resolve the problem "you need to log in to the LastPass website from a browser and re-enroll your multi-factor authentication app". The support page below has instructions on how to unpair a multi-factor authentication app. Note that re-enrolling the multi-factor authentication app is not possible from the LastPass browser extension or the LastPass Password Manager app; it must be done on the website.

Why do I have to reset my authenticator app?
https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass%2Fwhy_do_i_have_to_reset_my_authenticator_app.html



LastPass users affected by this issue will typically see the message "Reset your authenticator app" on their account.



Twitter user @clarbner reported running into the problem: "The forced multi-factor authentication resync prevented me from logging into my account because LastPass didn't recognize the new verification code. Is this happening to anyone else? This is clearly affecting many users."




In response to a user's comment that "users should have been notified before the update", LastPass's Twitter account said: "The in-app message has been displayed for several weeks, and the email was sent more than a month before the update. We apologize for not being able to clearly communicate the update to users who do not use the app and have unsubscribed from emails."




Regarding the "security update implemented on May 9" that caused this problem, LastPass explained that "it was implemented to increase the default number of password iterations to 600,000".

In addition, LastPass states: "To enhance the security of your master password, LastPass utilizes a stronger version of the password-based key derivation function (PBKDF2). At its most basic, PBKDF2 is a 'password-strengthening algorithm' that makes it difficult for a computer to verify that any one password is the correct master password. A sync event is occurring, which is related to LastPass vault encryption."
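The iteration count LastPass is talking about is the PBKDF2 work factor: each iteration is another HMAC computation keyed with the master password, so the cost of checking one password guess grows linearly with the count, and the count has to be stored next to the salt so the right number can be used at verification time. Because HMAC is keyed with the password, a stored key derived at an old count cannot be "topped up" to 600,000 iterations on the server side; the password has to be presented again, which is why a default increase forces a re-login. The following Python example, added here to illustrate that mechanism, is not LastPass's code: the PRF (SHA-256), key length, record layout, and the lower comparison count of 100,100 are all assumptions; only the 600,000 figure comes from the article.

```python
"""Added example: applying a PBKDF2 iteration-count increase to a stored
master-password record.  Not LastPass's code; see the assumptions below."""
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"               # assumed PRF; the article does not name one
KEY_LEN = 32                       # assumed derived-key length in bytes
NEW_DEFAULT_ITERATIONS = 600_000   # the new default cited in the article
LEGACY_ITERATIONS = 100_100        # constructed lower count, for comparison only


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a vault key with PBKDF2-HMAC; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_record(master_password: str, iterations: int = NEW_DEFAULT_ITERATIONS) -> dict:
    """Store the salt and iteration count alongside the key so a later increase
    can be applied; without the count the key could never be re-derived."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_key(master_password, salt, iterations),
    }


def verify(master_password: str, record: dict) -> bool:
    """Re-derive with the record's own iteration count and compare in constant time."""
    candidate = derive_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def upgrade_on_login(master_password: str, record: dict,
                     target: int = NEW_DEFAULT_ITERATIONS) -> dict:
    """Raise the work factor only when the password is presented again.

    HMAC is keyed with the password, so the stored key cannot be extended from
    the old count to the new one without it.  That is why a default increase
    requires users to log in once more.
    """
    if not verify(master_password, record):
        raise ValueError("wrong master password")
    if record["iterations"] >= target:
        return record               # already at or above the target; nothing to do
    return make_record(master_password, target)


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation at the given iteration count."""
    salt = b"constructed-fixed-salt"          # fixed so only the count varies
    start = time.perf_counter()
    derive_key("correct horse battery staple", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample password
    legacy = make_record(password, LEGACY_ITERATIONS)
    upgraded = upgrade_on_login(password, legacy)
    print("iterations before/after:", legacy["iterations"], upgraded["iterations"])
    print("legacy record verifies:", verify(password, legacy))
    print("upgraded record verifies:", verify(password, upgraded))
    print("wrong password on upgraded record:", verify("wrong", upgraded))
    for n in (LEGACY_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        print(f"{n:>7} iterations: {time_derivation(n):.3f}s per derivation")
```

Running the script shows the per-derivation time scaling roughly sixfold between the two counts; a defender gets the same factor against an attacker guessing offline, which is the whole point of raising the default. The iteration count lives in the record rather than in a global constant precisely so that old and new records can coexist while users are migrated one login at a time.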

When technology media outlet BleepingComputer reached out to LastPass for comment on the incident, a company spokesperson said: "After the 2022 incident, we have been notifying customers via email and in-product communications as a preventive measure against account compromise. 'Multi-factor authentication using authenticator apps' was also included in the security bulletins sent to B2C customers, and B2B customers were notified by email once in early March and once in early April."

The LastPass spokesperson added: "However, some customers still have not taken this action (resetting multi-factor authentication), so we are asking users who try to log in to LastPass to perform a multi-factor authentication reset. We have been showing notifications within the application since early June 2023, and we hope this will be effective."

in Software,   Security, Posted by logu_ii