product icon

Since my LastPass vault is encrypted with my master password, why can my One Time Passwords decrypt it?

    LastPass provides you with the ability to generate one-time passwords (OTPs) in which each password will only work for one login session. This means that even if someone else gets access to a previously used OTP, they will not be able to use it to log on to your account.

    Here's how the one-time passwords (OTPs) process works:

    1. A completely random 256-bit number is created
    2. A random key is made from the username and random password as a hash
    3. The random hash from your username and random password is sent to LastPass. This is how LastPass can confirm that you entered the correct 32 digits of hex to allow you to access your encrypted vault.
    4. Your actual key is then encrypted with the new random key so it can be retrieved when the random password is entered later and sent to LastPass

    Using one-time passwords is a very safe and secure way of accessing your LastPass vault, especially if you generate and use OTPs often, as each OTP is a full 256-bit encrypted key that gets cleared once it has been used. For more information about our technology, please see our Security Architecture.