
How does account recovery work for LastPass?

    Account recovery is used when a master password is lost or forgotten. To get back into your vault, you go through the account recovery process, which lets you set a new master password and regain access to your account.

    Terminology

    Decryption Key
    This is derived from the master password and is used to decrypt the LastPass vault.
    Recovery One Time Password
    A token that is created when you log in to the LastPass browser extension or the online web vault (the LastPass website) and is saved in each web browser where you have logged in. It is a required component of the account recovery process, so recovery from a computer must be performed in a browser where you previously logged in.
    Mobile account recovery
    Account recovery using biometric authentication (face recognition or fingerprint identification). It is set up by enabling biometrics in your mobile device's settings, then enabling the account recovery feature in the LastPass app for iOS or Android.

    Account recovery process from a computer

    1. A user logs in to the LastPass browser extension or website, which creates a Recovery One Time Password.
    2. The Recovery One Time Password is used to encrypt the Decryption Key (shown as "Derive Key" in the diagram below).
    3. The encrypted Decryption Key is sent to and stored on a LastPass server. The server holds only this encrypted form; the Recovery One Time Password needed to decrypt it stays in the user's browser.
    4. Account recovery is initiated by the user by doing the following:
      1. A user navigates to https://lastpass.com/recover.php, then enters their LastPass username (in email address format) and clicks Continue.
        • If SMS account recovery has been set up, LastPass sends a 6-digit verification code to the user's mobile device. They can enter the code and click Verify.
        • If SMS account recovery has not been set up, an email is sent to the user with a link to activate account recovery.
          Note: If a security email address has been set up, the email will be sent there. If not, it will be sent to the account email address.
    5. Upon activation, the encrypted Decryption Key is sent from the LastPass server to the user's web browser.
    6. The account recovery webpage looks for a Recovery One Time Password stored in the browser being used for this process.
    7. If a Recovery One Time Password is available, it is used to decrypt the Decryption Key. If this browser holds no Recovery One Time Password (for example, the user never logged in from it), recovery cannot proceed from this browser.
    8. The Decryption Key is then used to decrypt the user's LastPass vault.
    9. Once the user's vault has been decrypted, the user is prompted to change their master password.

      Result: The user has reset their master password using a Recovery One Time Password on their computer.

    Account recovery process from a mobile device

    1. The user enables biometrics (face recognition or fingerprint identification) within their mobile device's settings.
    2. The user enables account recovery using biometrics in the LastPass Password Manager app for iOS or Android.
    3. If the user forgets their master password, they can start the account recovery process using biometrics based on their device:
    Result: The user has reset their master password using mobile account recovery.