If someone steals my phone, can they use SMS account recovery to access my LastPass passwords?
Hello,
Recovery via SMS must be done in a browser, per the article linked above, so in order for someone to reset your master password via this method they would need to try recovery via a browser that you have previously signed in to LastPass with. If you'd prefer to remove SMS Recovery from your account, please follow the steps here to access that option: https://support.logmeininc.com/lastpass/help/set-up-sms-account-recovery-lp030001
We would strongly recommend making sure you do have other forms of account recovery enabled for your account as well, just in case you would ever need to recover your account: https://support.logmeininc.com/lastpass/help/how-do-i-set-up-all-account-recovery-options-for-lastpass
Thank you, but my question was not about multifactor authentication. The question was whether anyone with my phone could use SMS account recovery to get into my LastPass account.
If someone had access to your recovery phone number, it could be possible for them to use SMS recovery if they also had access to a browser that you've signed in to LastPass with. Using SMS account recovery will allow the Master Password recovery process as long as at least one of your browsers has captured a Recovery One Time Password (which is created by logging in to the extension at least once), so if that person only has access to your phone number but not a device which was previously signed in to the LastPass extension, they would not be able to reset your master password and access your account.
https://support.logmeininc.com/lastpass/help/how-do-i-reset-my-master-password-using-sms-account-recovery-for-lastpass
Hi @jimbeam,
If your phone number has changed or the mobile device you used for authentication is lost or stolen, you should immediately disable multifactor authentication for your device so that you can log in and access your LastPass account.
For lost or stolen devices, it is strongly recommended that you change your Master Password once you log in to your account. You can also re-enable multifactor authentication once you've logged in to your Vault.
For more information please see here: https://support.logmeininc.com/lastpass/help/i-lost-my-phone-ndash-how-do-i-disable-multifactor-authentication-for-lastpass
Thank you for that answer. To confirm I am understanding you correctly: does that mean that if a thief has my Android Samsung Galaxy S21 phone, on which the LastPass app is installed and has been previously signed into, they could gain access to my LastPass password vault using SMS account recovery? And if so, can I disable SMS account recovery?