Following a series of planned security upgrades, thousands of LastPass users have been locked out of their accounts since May after being asked to reset their authentication app.
As reported by BleepingComputer, the company announced earlier this year that users of its password manager would need to log back into their accounts and reset their multi-factor authentication (MFA) settings.
While this sounds simple on paper, many LastPass users have been locked out of their accounts and are unable to access their LastPass vaults. This occurred even after a successful reset of the MFA application used with LastPass, whether LastPass Authenticator, Microsoft Authenticator, Google Authenticator, or Password Manager.
To make matters worse, LastPass customers who have been locked out of their accounts cannot ask the company for help, as they must be logged into their LastPass account to contact the LastPass support team.
This change came as a surprise to many LastPass users, but according to the company, the need to reset the MFA was announced through the app "weeks" before the initial announcement.
While LastPass users may be frustrated that they no longer have access to their vault and the credentials stored in it, the company explained in several advisories that the change was made to increase the number of password iterations to the new default of 600,000. The company explains that this was done
For example, in a support bulletin, LastPass explains that it now uses a "stronger than usual version of the password-based key derivation function (PBKDF2)" to further increase the security of users' master passwords.
This "password-strengthening algorithm" also makes it more difficult for a compromised computer to verify whether a given password is the user's correct master password during a cyber attack. Thus, the reason for LastPass' MFA resynchronization was to improve vault encryption while increasing the number of password iterations for each customer.
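To show what the iteration count in the bulletin actually controls, here is an added example (not LastPass code, and not its real parameters) that derives a vault key from a master password with PBKDF2-HMAC-SHA256 and verifies a login attempt against it. The salt, the comparison iteration count and the sample password are constructed values; only the 600,000 figure comes from the article. Every offline guess against a stolen vault costs one full derivation, so raising the iteration count raises the cost per guess linearly, which is the defensive point the bulletin is making.

```python
import hashlib
import hmac
import os
import time

# The new default stated in the article.
NEW_DEFAULT_ITERATIONS = 600_000
# Constructed lower count used only to illustrate the cost difference;
# not a claim about any previous LastPass setting.
LOWER_ITERATIONS_FOR_COMPARISON = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    The same password, salt and iteration count always yield the same key;
    changing the iteration count yields a completely different key, which is
    why a vault must be re-encrypted (and users re-authenticated) when the
    default changes.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verify_master_password(candidate: str, salt: bytes, iterations: int,
                           expected_key: bytes) -> bool:
    """Check a login attempt the way a client would: derive and compare in constant time."""
    derived = derive_vault_key(candidate, salt, iterations)
    return hmac.compare_digest(derived, expected_key)


def time_one_derivation(iterations: int,
                        password: str = "constructed-sample-passphrase",
                        salt: bytes = b"\x00" * 16) -> float:
    """Wall-clock seconds for a single derivation at the given iteration count."""
    start = time.perf_counter()
    derive_vault_key(password, salt, iterations)
    return time.perf_counter() - start


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """Factor by which each offline password guess becomes more expensive.

    PBKDF2 work is linear in the iteration count, so an attacker holding a
    stolen vault needs proportionally more compute per candidate password.
    """
    return new_iterations / old_iterations


if __name__ == "__main__":
    salt = os.urandom(16)                      # per-user random salt (constructed here)
    password = "constructed-sample-passphrase"  # sample value, not a real credential

    key = derive_vault_key(password, salt, NEW_DEFAULT_ITERATIONS)
    print("correct password accepted:",
          verify_master_password(password, salt, NEW_DEFAULT_ITERATIONS, key))
    print("wrong password rejected:",
          not verify_master_password("wrong", salt, NEW_DEFAULT_ITERATIONS, key))

    low = time_one_derivation(LOWER_ITERATIONS_FOR_COMPARISON)
    high = time_one_derivation(NEW_DEFAULT_ITERATIONS)
    print(f"{LOWER_ITERATIONS_FOR_COMPARISON:,} iterations: {low:.3f}s")
    print(f"{NEW_DEFAULT_ITERATIONS:,} iterations: {high:.3f}s")
    print("cost multiplier per guess:",
          relative_guess_cost(LOWER_ITERATIONS_FOR_COMPARISON, NEW_DEFAULT_ITERATIONS))
```

The timing printed by the script is the user-visible side of the trade-off: a legitimate login pays the derivation cost once, while a brute-force attempt against a stolen vault pays it for every candidate, so a six-fold increase in iterations adds a few hundred milliseconds for the user but multiplies the attacker's work by the same factor.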
Improvements that keep passwords more secure are always welcome in the best password management tools, but if those upgrades make it impossible to log back into an account and nearly impossible to reach stored credentials, it is easy to see why affected LastPass customers would resent changes that were designed to make the platform more secure.
If you have been locked out of your LastPass account due to this change, LastPass provides a step-by-step guide in its detailed support documentation.
Following the guide linked above will take you through the detailed steps necessary to reset the pairing between LastPass and your preferred authentication app. Once this is done, you will need to verify your location the next time you log into a website or app using LastPass. From here, you will need to re-enter your credentials and authenticate using the Authenticator app.
As an additional security measure, LastPass users will be asked to verify their location once again when logging into a website or app using the service again. Similarly, users must re-enter their login credentials and authenticate again using their preferred authentication app.
If you are wondering why LastPass implemented these new security upgrades, it is because of a security breach last December in which hackers managed to steal a large amount of partially encrypted customer information and password vault data. This security breach was actually the result of another breach that occurred in August 2022.
Password managers hold all kinds of credentials, secrets, and other sensitive information, and unfortunately will likely continue to be a prime target for hackers. Fortunately, however, LastPass and other password management companies have already implemented, or are working on implementing, passkey support to make their services more secure.