Since the beginning of May, users of the LastPass password manager have been confronted with significant login issues after being prompted to reset their authenticator apps.
On May 9, the company made the initial announcement that due to planned security upgrades, users might need to log back into their LastPass accounts and reset their multifactor authentication preference.
However, even after successfully resetting their MFA applications (such as LastPass Authenticator, Microsoft Authenticator, and Google Authenticator), numerous users have been locked out of their accounts and unable to access their LastPass vaults since then.
To make matters worse, affected customers cannot reach support, because opening a ticket requires logging in, and the endless loop of prompts to reset their MFA authenticator prevents exactly that.
One user stated, “LastPass won’t recognize the new MFA code, so the forced re-sync of MFA is now preventing me from logging in.”
“I lost all access to my vault after resetting my MFA. MasterPW is not functioning properly, and the reset email never reaches me. Cannot get in touch with my ‘Premium’ Support because I need to log in,” added another.
“I was forced to update MFA after being prompted to reenter my master password, which I did successfully, but now I am unable to log in at all.” On the LastPass community website, a user posted, “I can’t even open a support ticket because you need to log in to do so,” in an attempt to obtain assistance.
LastPass claims that the MFA resets had been announced via in-app messages “several weeks” prior to the initial announcement.
LastPass has issued several advisories regarding the security upgrades, which explain that the number of password iterations is being raised to a new default of 600,000 rounds. A LastPass support bulletin sent to affected users gives the reason: “To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2).”
“At its most fundamental, PBKDF2 is a ‘password-strengthening algorithm’ that makes it difficult for a computer to verify that any one password is the correct master password during a breach.”
“As we increase the number of password iterations for each customer, the forced logout and MFA resync events are occurring. The encryption of your LastPass Vault is the cause of this,” the company tweeted.
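To show why raising the PBKDF2 round count forces a vault re-key (and therefore a fresh login and MFA re-enrolment), here is an added illustration that is not LastPass's code. It assumes, for the demo only, that the vault key is PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt, and it stands in for the vault's authenticated encryption with a keyed HMAC tag; the "old" round count is a constructed comparison value, not a figure from the article.

```python
"""Illustration (not LastPass code): a higher PBKDF2 round count yields a different vault key."""
import hashlib
import hmac
import time

NEW_DEFAULT_ITERATIONS = 600_000   # new default reported in the article
OLD_ITERATIONS = 100_000           # constructed lower count for comparison only
KEY_LEN = 32                       # 256-bit vault key


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256; using the account e-mail as salt is an ASSUMPTION for this demo
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=KEY_LEN)


def meets_new_default(iterations: int) -> bool:
    # Defender-side check: does an account's configured round count meet the new default?
    return iterations >= NEW_DEFAULT_ITERATIONS


def seal_vault(key: bytes, vault_blob: bytes) -> bytes:
    # Stand-in for the vault's authenticated encryption: a tag bound to the vault key
    return hmac.new(key, vault_blob, hashlib.sha256).digest()


def open_vault(key: bytes, vault_blob: bytes, tag: bytes) -> bool:
    # Opens only when the key presented is the one that sealed the vault
    return hmac.compare_digest(seal_vault(key, vault_blob), tag)


def rekey_changes_key(master_password: str, salt: str, old_iters: int, new_iters: int) -> bool:
    # Same password and salt, different round count -> different key -> vault must be re-encrypted
    return derive_vault_key(master_password, salt, old_iters) != derive_vault_key(master_password, salt, new_iters)


def seconds_per_derivation(master_password: str, salt: str, iterations: int) -> float:
    # Cost per guess grows linearly with rounds; this is what slows an offline attacker down
    start = time.perf_counter()
    derive_vault_key(master_password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    PW, SALT = "correct horse battery staple", "user@example.com"   # constructed sample values
    VAULT = b'{"site": "example.com", "user": "alice"}'            # constructed sample blob
    old_key = derive_vault_key(PW, SALT, OLD_ITERATIONS)
    new_key = derive_vault_key(PW, SALT, NEW_DEFAULT_ITERATIONS)
    tag = seal_vault(old_key, VAULT)
    print("opens with old-round key:", open_vault(old_key, VAULT, tag))  # True
    print("opens with new-round key:", open_vault(new_key, VAULT, tag))  # False: re-encryption needed
    for rounds in (OLD_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        print(f"{rounds:>7} rounds: {seconds_per_derivation(PW, SALT, rounds):.3f}s per derivation")
```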
The company states that when logging into LastPass, users will be prompted to re-enroll in multifactor authentication for their own security.
“Before you can access LastPass on your mobile device again, you must log in to the LastPass website using your browser and re-enroll your MFA application. The LastPass Password Manager app or browser extension cannot be used to re-enroll,” the company explains.
A LastPass support document provides a thorough explanation of the steps needed to reset the pairing between LastPass and the authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator).
As an additional security measure, LastPass users will be asked to verify their location the next time they use LastPass to log in to a website or app. As part of the same procedure, they will need to re-enter their credentials and authenticate themselves with their authenticator app.
“In the wake of the incidents in 2022, we advised our customers to reset their MFA secrets using their preferred Authenticator App as a preventative measure through email and in-product communications,” a spokesperson for LastPass told BleepingComputer, adding that this recommendation was also included in the Security Bulletins sent to its B2B and B2C customers at the beginning of March as well as in a second email communication at the beginning of April.
“However, a subset of our customers has not yet done this, so we have been reminding them to do so each time they log in to LastPass again. We started this in-product prompt at the beginning of June with the intention of getting more responses than our emails.”
These issues follow the December 2022 breach, in which threat actors stole a significant amount of partially encrypted customer information and password vault data from LastPass.
That breach traces back to an initial intrusion in August 2022: the attackers used data stolen then to gain access to the company’s encrypted Amazon S3 buckets, which led to the December breach.