LastPass, a password management service provider, implemented a faulty multi-factor authentication (MFA) measure in May that left multiple users logged out and unable to log back in.

The issue stems from a change to LastPass’ MFA security settings in early May. The company notified users of a security upgrade on May 9, and users were first forcibly logged out. Users must then log back in to LastPass and reset the apps they use to receive MFA codes (such as LastPass Authenticator, Microsoft Authenticator, Google Authenticator, etc.).

To reset MFA, LastPass sends an email to the user to verify the IP address or device. The problem is that, after being logged out of LastPass, users cannot access their email inbox. Even if a user logs into their email account with a family member’s password and resets MFA, they are asked to reset MFA again. One user expressed disappointment, saying that he had continued to support LastPass when it leaked customer information in August last year, but that this frustrating experience has made him ready to switch to another password management solution. Another user described being stuck in the process of resetting MFA. Some users also never received the MFA reset email.

To make matters worse, many users who can no longer log in to their LastPass account want to contact technical support, but LastPass technical support can only be used after logging in to LastPass. Some users tried asking for help through the official Twitter account, but there was no response.

A large number of LastPass users were locked out of their accounts and unable to use their password vault because they had been logged out and were repeatedly asked to reset MFA. In fact, after LastPass’ announcement on May 9, users complained of being locked out of their accounts until recently.

LastPass told “Bleeping Computer” that the latest MFA reset request is a security measure adopted by the service after a hack last August that leaked code, customer data, and password vault data.

In response to the issue of users being unable to log in, LastPass’ solution is to try logging in again to trigger a new verification email if the MFA verification email has expired. If you can’t log in because you forgot your LastPass account password, you can click the “Contact” button on the Reply to Master Password page to create a customer support ticket. For those who cannot log in because MFA cannot be synchronized, LastPass recommends clicking the “Contact” button on this page to call and have a verification email sent.

