2. If you lose your 2FA/MFA device and you do not have access to your email, you can open a support ticket and LastPass support can disable 2FA/MFA on your account so you can sign in to LastPass.
I think that, based on current complaints in the "Check your Inbox..." thread, #1 should read:
... using your Security Email or, if not configured, your login email ...
The question I have then is what role does the "SMS Account Recovery Phone Number" play in all this?
Hi @markmedici,
Specifically, the LastPass Authenticator cannot be disabled via email. To access your account, you would then use SMS account recovery to log in, then disable multifactor authentication for your device. If SMS recovery had not previously been set up, you would need to then contact LastPass support to assist with disabling LastPass Authenticator for the account.
I have all my browsers set to clear the cache when I quit the browser, for security reasons. (I accept that this means I have to do inconvenient things like repeat two-factor authentication when logging into websites that use it.) Am I right that this also means that I'll never have a LastPass one-time password available for recovery if I forget my master password?
Edit:
@RachelO answered this here:
My follow-up question still stands:
I don't believe that any major browsers currently allow for exceptions to clearing the cache. Please let me know if I'm wrong.
Thanks.
@RachelO, thanks for your reply to @minsik. I have the same situation. I have all my browsers configured to delete all history & clear the cache every time I quit, which I believe is a best practice for privacy & security as well as performance. Using an extra browser just for this makes sense -- I just have to remember to log on there occasionally.
I hope that eventually browsers will allow exceptions to cache clearing, just as they currently allow exceptions to cookie deletion.
@CeliaA There are other less drastic ways to handle security and privacy.
That being said, there is more than one recovery option available, you just need to set them up. Security and privacy are very important and should be taken very seriously, but it is up to the individual to select the balance with convenience that they are comfortable with.
To reply to @GlennD's original question about how many recovery options I have enabled...
I don't have the mobile biometric option enabled, because fingerprint readers can never read my fingerprints, and Android's facial recognition is lame and easily defeated with a photo (unlike Apple's 3D functionality).
So far, I haven't dared set up 2FA on LP, for the same reason others have given.
I will start making sure I have a recovery One Time Password on each of my computers, now that I have @RachelO's advice to set it up using a browser that I don't use for anything else, so that I can continue clearing the cache of my "real" browsers every time I close them.
I have taken the risk of giving a trusted person a print-out of my LP password. Maybe I'll give a different trusted person a print-out of the PW to my recovery email account, just in case the first trusted person and I are both in an accident, I get hit on the head and forget both passwords, and the first trusted person is in a coma and can't give me my LP PW. Oh, and both my computers and my phone's SIM card are all destroyed in the accident, too. Yeah, I think that would cover it. I just have to make sure that my first and second trusted people are never both with me at the same time. 😜
Hi @CeliaA
I merged your post with the main discussion around this topic so that the information is not split over multiple posts.
The simple answer is yes, if you clear your browser cache the information used for that form of account recovery will be deleted and you would not be able to use that recovery method if you forgot your master password. A new recovery one-time password would be created the next time you successfully signed in through the browser extension, but if you had a password issue you would have to keep trying until you entered the master password correctly.
Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in.
@GlennD wrote
"Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in."
I think Emergency Access is an interesting premium feature but its scope is different from printing out the password list or backing it up offline or elsewhere.
If I got it right, Emergency Access allows a trusted person to access your vault using their own login, after the wait time if any. I guess that could be useful in case of temporary problems, but also in case of illness or death, so that your family or friend will be able to access your data when you are not around.
Printing / backing up on the other hand also covers the case that something happens to the LastPass account itself, caused either by user error, system error or whatever the cause.
Hi,
thanks for your post. I got the instructions from the Support team. I have to answer a long list of questions before LastPass can disable the 2FA.
*post edited by moderator to remove external link