LastPass Users Can’t Login to App after Resetting MFA

Since May 2023, users of the LastPass password manager have been experiencing severe login issues after resetting their MFA.

It all started when people were asked to reset multi-factor authentication (MFA) applications. The fact is that users are required to re-login to their LastPass account and reset the MFA after the company was hacked at the end of last year. And by the way, we also talked that LastPass Breach Investigation Goes On, Things are Even Worse.

Let me remind you that media also wrote that Hackers Broke into the Home PC of the Developer of the LastPass Password Manager and Penetrated the Company’s Cloud Storage, and also that Hunter Biden’s top-secret laptop was protected with a simple password.

The new security measures that will be introduced as part of the planned improvements in this area were announced by the company on May 9th.

Reset MFA in LastPass

As a result, many users were off their accounts and lost access to the LastPass vault, even after successfully resetting MFA apps (eg LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

The problem is exacerbated by the fact that victims cannot even contact LastPass support for help, since it requires logging into their account, and people are locked in an endless loop where they are prompted to reset the MFA.

Reset MFA in LastPass

Forced MFA resync now prevents me from logging in because LastPass doesn’t recognize the new MFA code.says one affected user.
After resetting the MFA, I completely lost access to my storage. The master password does not work, the reset does not work, and even the reset email does not come at all.writes another.
I was prompted to re-enter the master password, then I was forced to reset the MFA, which I successfully did, and now I cannot log in. I can’t even contact support because I need to be logged in to do it.complains another victim.

At the same time, LastPass developers report that they warned about the upcoming reset of the MFA through messages in the application “several weeks” before the start.

Since the warnings clearly didn’t work, the company is now issuing security patch newsletters explaining to users that these changes are necessary to increase the password iterations to the new default value of 600,000.

To increase the security of your master password, LastPass uses a stronger version of the Password-Based Key Derivation Function (PBKDF2). At its core, PBKDF2 is a “password strengthening algorithm” that makes it difficult for a computer to verify that any 1 password is the correct master password during a compromising attack.the developers explain in a bulletin sent to affected users.
Forced logout + MFA resync happens as we increase the number of password iterations for clients. This is due to the encryption of your LastPass vault.the company adds on Twitter.

In another newsletter, the company says users need to re-enable multi-factor authentication to stay secure when logging into LastPass.

You must log into the LastPass website in your browser and re-register your MFA app before you can access LastPass on your mobile device again. You cannot reconnect using the LastPass browser extension or the LastPass Password Manager app.the developers explain.

The entire procedure required to reset the pairing between LastPass and an authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is now detailed in a separate document.

As part of security enhancements, users are now prompted to verify their location when they sign in to a website or app using LastPass. Also, if you sign in to a site or app that used LastPass to sign in, you’ll need to re-enter your credentials and authenticate with the authenticator app. The next time you sign in to a site or app using LastPass, you are asked to repeat the same process as an added security measure.

Following an incident in 2022, we sent email and in-product messages to our entire customer base recommending that they reset their MFA secrets with their preferred authenticator app as a precautionary measure. This recommendation was also included in the security bulletins we sent to our B2C and B2B customers in early March and follow-up emails in early April. However, some of our customers still haven’t completed these steps, so we’ve asked them to take action when logging into LastPass. We launched this built-in messaging product in early June in the hope that we would get more response than our emails.a LastPas spokesperson told Bleeping Computer.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *