LastPass password manager users experienced significant login issues beginning in early May after being prompted to reset their authenticator apps.

The company first announced that users might need to re-login to their LastPass account and reset their multi-factor authentication preference due to planned security upgrades. May 9.

However, since then many users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA apps (e.g. LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

To compound the issue, affected customers cannot request assistance from Support because to contact LastPass Support they must log into their accounts, which they cannot do because they are locked in an infinite loop to be prompted to reset their MFA authenticator.

“Forced MFA resync is now preventing me from logging in because LastPass won’t recognize the new MFA code”, a user said.

“After resetting my MFA, I completely lost access to my vault. MasterPW is not working and resetting, and the reset email is never delivered to me. Unable to contact my “Premium” support because a connection is required”, another added.

“I was prompted to re-enter the master password, then forced to update MFA, which I did successfully, and now I can’t log in at all. I can’t even open a ticket support because you have to log in to do so”, a user saidasking for help on the LastPass Community website.

LastPass says MFA resets were announced via in-app messages for “several weeks” prior to the initial announcement.

This caused LastPass to issue several security upgrade advisories explaining that this is being done to increase password iterations to the new default of 600,000 spins.

“To increase the security of your master password, LastPass uses a stronger-than-normal version of the password-based key derivation feature (PBKDF2),” says one. LastPass Support Bulletin sent to affected users.

“In its most basic form, PBKDF2 is a ‘password-strengthening algorithm’ that makes it difficult for a computer to verify that any password is the correct master password during a compromising attack. “

“The MFA Forced Logout + Resync events occur as we increase all customers’ password iterations. This has to do with encrypting your LastPass Vault,” the company said. tweeted.

In another tipthe company says users are prompted to re-enroll in multi-factor authentication for their security when logging into LastPass.

“You must log in to the LastPass website in your browser and re-register your MFA app before you can access LastPass again on your mobile device. You cannot re-register using the LastPass browser extension or ‘LastPass Password Manager app,’ the company said. explain.

The detailed procedure required to reset the pairing between LastPass and the authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is described in detail in this accompanying document.

The next time you log into a website or app using LastPass, you’ll be prompted to verify your location. When you log into a website or app where you used LastPass to log in, you must re-enter your credentials and authenticate using your authenticator app.

Users will also be prompted to verify their location the next time they log into a website or app using LastPass as an additional security measure.

As part of the same process, users will need to re-enter their login credentials and authenticate again using their authenticator app.

“Following the 2022 incidents, we sent emails and in-product communications to our customers recommending that they reset their MFA secrets with their preferred authenticator app as a precaution. This recommendation was also included in the security bulletins we sent to our B2C and B2B customers in early March and a second email communication in early April,” a LastPass spokesperson told BleepingComputer.

“However, a subset of our customers still haven’t taken this action, so we encouraged them to take action the next time they log in to LastPass. We launched this in-product prompt in early June in hopes that she would get a better response than our emails.”

These issues arise after the LastPass disclosure a security breach in December 2022 after threat actors stole a large amount of partially encrypted customer information and password vault data.

The December breach resulted from another violation from August 2022attackers accessing company-encrypted Amazon S3 buckets using data stolen from the first breach.