Is LastPass SMS Recovery a security risk?

Yes, it is a slight security risk, for the reason Conor Mancone points out. But no, it does not mean that LastPass stores your master password on their servers, and would-be hackers need to do more than just obtain the recovery SMS.

To use SMS recovery, you must have access to a computer and browser where you have previously used LastPass. LastPass generates and stores a recovery one-time password (rOTP) on your computer when you log in the first time on a new computer/browser. This rOTP essentially works like a second master password and is only stored locally on your computer, but is disabled until you request account recovery. The recovery SMS just activates the rOTP, allowing you to access and decrypt your vault using it, after which you can re-encrypt it using a new master password of your choice (the rOTP is disabled permanently after being used once).

Without access to a computer where you have previously used LastPass, SMS recovery won't work. This means that any hackers or LastPass employees that want to use it to access your vault would first have to get access to a computer where you previously logged into LastPass, and where you haven't taken steps to delete any traces it left behind.

More details are in the blog post announcing the SMS recovery feature. The LastPass help file you cite unfortunately is ambiguous and confusing on the rOTP part.

A more technical (and less ambiguous) description can be found in the LastPass Technical Whitepaper (I'm not sure that link is stable, so click "Technical White Paper" at the bottom of the Overview of LastPass Enterprise if it's broken). See page 10, under "Recovery".
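The two-factor shape of the recovery flow described in this answer (a locally held rOTP that is useless until the server activates it, and an SMS code that activates it but carries no key material) can be modelled in a few dozen lines. The following is an added illustration, not LastPass's own code and not taken from the whitepaper; it assumes a particular key layout (a random vault key wrapped once under the master password and once under the rOTP, with the rOTP-wrapped copy held server-side behind an activation flag) and uses a toy HMAC/SHA-256 wrapping construction in place of a real AEAD so it runs offline with the standard library only. The names `Server`, `enroll_client`, `recover` and `login` are hypothetical.

```python
# Schematic model of an rOTP-based account recovery flow (added example,
# not LastPass code). Assumptions: the vault is protected by a random DEK;
# the DEK is wrapped under a master-password-derived key and, separately,
# under a random rOTP that only the enrolling client keeps; the server
# stores the rOTP-wrapped copy but releases it only after SMS verification
# and destroys it once a recovery completes.
import hashlib
import hmac
import os
import secrets


def derive_key(master_password: str, salt: bytes) -> bytes:
    # Stretch the master password so offline guessing is slow.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


def wrap(kek: bytes, dek: bytes) -> bytes:
    # Toy authenticated wrap standing in for AES-GCM: XOR with a per-call
    # keystream, then MAC nonce||ciphertext. Output is nonce(16)|ct(32)|tag(32).
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Server:
    """Holds only wrapped keys plus an activation flag; never sees the DEK."""

    def __init__(self):
        self.records = {}

    def enroll(self, user, salt, mp_wrapped, rotp_wrapped):
        self.records[user] = {"salt": salt, "mp_wrapped": mp_wrapped,
                              "rotp_wrapped": rotp_wrapped,  # dormant until SMS
                              "sms_verified": False}

    def verify_sms(self, user, code, expected_code):
        # The SMS code only flips a flag; it is not key material.
        if hmac.compare_digest(code, expected_code):
            self.records[user]["sms_verified"] = True

    def fetch_recovery_blob(self, user):
        rec = self.records[user]
        if not rec["sms_verified"]:
            raise PermissionError("recovery not activated")
        if "rotp_wrapped" not in rec:
            raise PermissionError("recovery already used")
        return rec["rotp_wrapped"]

    def finish_recovery(self, user, salt, mp_wrapped):
        rec = self.records[user]
        rec["salt"], rec["mp_wrapped"] = salt, mp_wrapped
        rec.pop("rotp_wrapped", None)   # the rOTP copy is single use
        rec["sms_verified"] = False


def enroll_client(server, user, master_password):
    """First login on a device: returns what the client keeps locally."""
    dek, salt, rotp = secrets.token_bytes(32), os.urandom(16), secrets.token_bytes(32)
    server.enroll(user, salt, wrap(derive_key(master_password, salt), dek), wrap(rotp, dek))
    return {"rotp": rotp, "dek": dek}


def recover(server, user, local_rotp, new_master_password):
    blob = server.fetch_recovery_blob(user)   # PermissionError without SMS
    dek = unwrap(local_rotp, blob)            # ValueError without the device rOTP
    salt = os.urandom(16)
    server.finish_recovery(user, salt, wrap(derive_key(new_master_password, salt), dek))
    return dek


def login(server, user, master_password):
    rec = server.records[user]
    return unwrap(derive_key(master_password, rec["salt"]), rec["mp_wrapped"])


def demo():
    """Runs the four cases the answer describes and reports each outcome."""
    server, out = Server(), {}
    local = enroll_client(server, "alice", "correct horse battery")
    device_rotp = local["rotp"]
    try:                                      # 1. device access, no SMS
        recover(server, "alice", device_rotp, "attacker")
        out["rotp_without_sms"] = "recovered"
    except PermissionError:
        out["rotp_without_sms"] = "blocked by server"
    server.verify_sms("alice", "482913", "482913")
    try:                                      # 2. hijacked SMS, no device
        recover(server, "alice", secrets.token_bytes(32), "attacker")
        out["sms_without_rotp"] = "recovered"
    except ValueError:
        out["sms_without_rotp"] = "blocked by crypto"
    dek = recover(server, "alice", device_rotp, "new master")   # 3. both
    out["legit_recovery"] = dek == local["dek"]
    out["new_password_works"] = login(server, "alice", "new master") == local["dek"]
    try:
        login(server, "alice", "correct horse battery")
        out["old_password_works"] = True
    except ValueError:
        out["old_password_works"] = False
    server.verify_sms("alice", "482913", "482913")
    try:                                      # 4. replay after one use
        recover(server, "alice", device_rotp, "attacker")
        out["replay"] = "recovered"
    except PermissionError:
        out["replay"] = "blocked by server"
    return out
```

Case 2 is the one that matters for this question: an attacker who has hijacked the SMS gets the server to release the rOTP-wrapped blob, but it is wrapped under a 256-bit secret that exists only on the victim's device, so the blob is worthless to them. Case 1 shows the converse (the device copy alone is useless until the server activates it), and case 4 shows why the server must burn the rOTP copy rather than merely clear the flag.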

This answer discusses some important caveats to keep in mind for systems like this in general, but misses relevant details about the implementation of LastPass' recovery system. For more details specific to LastPass, see @korsbakken's excellent answer.

The real risk

Yes, it is a security risk, and it doesn't have to have anything to do with how they make password recovery possible on their end. It has to do with the simple fact that SMS is not a secure channel for 2FA or account recovery, a fact that has been making a lot of waves in the news recently. Here is an article where security researchers intercept SMS travelling in the mobile networks:

But another common (and relatively easy) attack method is something called SIM swapping:

There are more options I'm sure, but they all have the same effect: a determined attacker has many ways to intercept the text messages of a target for a long enough time period to intercept account recovery in cases like this. In practice if an attacker wanted access to your account, knew that you had SMS recovery on your LastPass account, and also knew your phone number then they would execute one of the above attacks against your cell phone carrier, request a reset from LastPass, and immediately reset your LastPass master password to something of their choosing. They now have full access to all your passwords. If they are feeling especially vindictive they can probably even permanently shut you out of all your accounts (by turning off account recovery and then changing your master password once again).

LastPass Employees

Of course your primary concern was LastPass employees. That question, however, is much more difficult to answer. The answer depends on what sort of access controls they have internally inside their own systems. Certainly your general suspicion is correct: if a password reset is possible then they must in some way have access to your master password file (probably only if you turn on account recovery though, since they say it only works if you turn on account recovery first). This does mean that the LastPass system can potentially decrypt your passwords. However, this does not mean that employees can abuse it. Many companies, especially those storing sensitive data for end users, have many internal access controls that stop employees from gaining direct access to data from end-users. However, I doubt anyone here can tell you whether or not that is the case for LastPass.

In practice I would be far more concerned about the risks associated with account recovery over SMS than I would be over malicious LastPass employees. Either way LastPass says that account recovery is only possible if you have enabled it, so if you turn it off you should have nothing to worry about at all (unless you don't trust LastPass to be honest, in which case you need to figure out how to run a password manager yourself). Just don't forget your master password.