Quick poll: How many recovery options do you have enabled?
Account recovery is something you hope you will never have to use, but if for some reason you are unable to correctly enter your Master Password one day, you will need it. The good news is there is more than one recovery method, but you have to set them up now while you are able to sign in successfully.
The most commonly used recovery option is through the browser extensions, but this should be seen as the last option and not the main one you rely on. This method is dependent on a special recovery one-time password that is generated when you sign in to the extension successfully and stored in your web browser. However, if for any reason you clear your browser cache, it will be deleted until you sign in successfully again.
Pro Tip: If you have more than one web browser on your computer, install the LastPass extension on all of them and sign in to them multiple times. That way, if your main browser loses its recovery one-time password, you have a backup option with the other browser you do not normally use.
This support article explains how to set up all of the available recovery options. If you have not gotten around to setting any up yet, why not take some time now? How do I set up all account recovery options for LastPass?
Remember, LastPass Customer Care has no knowledge of a user's Master Password. It is not possible for LastPass Customer Care to reset or change a user's Master Password if it is forgotten.
Please note if you are a LastPass Free customer:
LastPass Free customers that select mobile as their device type can still use the browser extensions for account recovery and other account settings; they just do not have access to their vault through the extension. In the same way, customers that select desktop as their device can still use the mobile app for account recovery.
2. If you lose your 2FA/MFA device and you do not have access to your email, you can open a support ticket and LastPass support can disable 2FA/MFA on your account so you can sign in to LastPass.
I think that, based on current complaints in the "Check your Inbox..." thread, #1 should read:
... using your Security Email or, if not configured, your login email ...
The question I have then is what role does the "SMS Account Recovery Phone Number" play in all this?
Specifically, the LastPass Authenticator cannot be disabled via email. To access your account, you would then use SMS account recovery to log in, then disable multifactor authentication for your device. If SMS recovery had not previously been set up, you would need to then contact LastPass support to assist with disabling LastPass Authenticator for the account.
I have all my browsers set to clear the cache when I quit the browser, for security reasons. (I accept that this means I have to do inconvenient things like repeat two-factor authentication when logging into websites that use it.) Am I right that this also means that I'll never have a LastPass one-time password available for recovery if I forget my master password?
@RachelO answered this here:
My follow-up question still stands:
I don't believe that any major browsers currently allow for exceptions to clearing the cache. Please let me know if I'm wrong.
@RachelO, thanks for your reply to @minsik. I have the same situation. I have all my browsers configured to delete all history & clear the cache every time I quit, which I believe is a best practice for privacy & security as well as performance. Using an extra browser just for this makes sense -- I just have to remember to log on there occasionally.
I hope that eventually browsers will allow exceptions to cache clearing, just as they currently allow exceptions to cookie deletion.
@CeliaA There are other less drastic ways to handle security and privacy.
That being said, there is more than one recovery option available; you just need to set them up. Security and privacy are very important and should be taken very seriously, but it is up to the individual to select the balance with convenience that they are comfortable with.
To reply to @GlennD's original question about how many recovery options I have enabled...
I don't have the mobile biometric option enabled, because fingerprint readers can never read my fingerprints, and Android's facial recognition is lame and easily defeated with a photo (unlike Apple's 3D functionality).
So far, I haven't dared set up 2FA on LP, for the same reason others have given.
I will start making sure I have a recovery One Time Password on each of my computers, now that I have @RachelO's advice to set it up using a browser that I don't use for anything else, so that I can continue clearing the cache of my "real" browsers every time I close them.
I have taken the risk of giving a trusted person a print-out of my LP password. Maybe I'll give a different trusted person a print-out of the PW to my recovery email account, just in case the first trusted person and I are both in an accident, I get hit on the head and forget both passwords, and the first trusted person is in a coma and can't give me my LP PW. Oh, and both my computers and my phone's SIM card are all destroyed in the accident, too. Yeah, I think that would cover it. I just have to make sure that my first and second trusted people are never both with me at the same time. 😜
I merged your post with the main discussion around this topic so that the information is not split over multiple posts.
The simple answer is yes, if you clear your browser cache the information used for that form of account recovery will be deleted and you would not be able to use that recovery method if you forgot your master password. A new recovery one-time password would be created the next time you successfully signed in through the browser extension, but if you had a password issue you would have to keep trying until you entered the master password correctly.
Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in.
"Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in."
I think Emergency Access is an interesting premium feature but its scope is different than printing out the password list or backing it up offline or elsewhere.
If I got it right, Emergency Access allows a trusted person to access your vault using their own login, after the wait time if any. I guess that could be useful in case of temporary problems but even in case of illness or death, so that your family or friend will be able to access your data when you are not around.
Printing / backing up on the other hand also covers the case that something happens to the LastPass account itself, caused either by user error, system error or whatever the cause.