How is it still the default behaviour to delete a OTP when the password is updated?

Question

geoffrey.byrneau · Answer

So , when I update my password, it seems normal in the lastpass work flow, that I should know my 2fa secret key? And have it handy,  to re-enter into LP after my password has been updated? i.e. I should

* go into the edit password page/modal, 
* view my 2fa secret, 
* copy it to notepad, 
* update the password, 
* reload the edit password page/modal
* paste the 2fa secret key back in

For any site or app that I update my password on?

That workflow can't seem sane let alone good / safe. It completely invalidates the "update your password" option appearing on any site where you have 2fa enabled.

I also know that to an extent, your statement isn't correct. If I manually update the password in the edit password page/modal it doesn't remove the 2fa secret. It's still there.

LastPass Support · Answer

Hi @geoffrey.byrneau​

One-time-passwords are directly tied to the account password itself.  This is required in order to use passwords as a key to decrypt your LastPass Vault data.  When the original key changes, the 'lock' must also be refreshed in order to coordinate with the new code.