Playbook
LastPass: Emergency Access
Platform claims verified July 9, 2026
What this mechanism is
LastPass has a built-in Emergency Access feature: you invite a trusted person (they need a free LastPass account), and set a wait time. If they ever request access, LastPass notifies you; if you don’t decline before the wait time elapses, they receive access to your vault. You can also approve a request immediately. It’s the same shape as Bitwarden’s Emergency Access, and the AmberKey plan is to set it up and record it. No master password needs to leave your head for the normal path.
A note on trust: LastPass disclosed a 2022 breach in which encrypted vault copies were exfiltrated. That doesn’t change how inheritance works, but it’s a strong reason to (a) make sure your master password is long and unique, and (b) consider migrating to Bitwarden or KeePass over time. We cover LastPass because installed base is what matters for inheritance. Your family inherits the manager you actually use.
Set it up now
- Sign in to LastPass and open Account Settings → Emergency Access → Invite trusted contacts (in the LastPass extension or at lastpass.com).
- Enter your trusted person’s email and choose a wait time: the delay between their request and automatic access. Pick the shortest you’re comfortable with. They’ll get an invite to accept (they need a LastPass account).
- Confirm they accepted the invitation: an unaccepted invite grants nothing.
- On the account card (Layer 1), record: your LastPass email, who your emergency contact is, and the wait time.
- Belt-and-suspenders (Layer 2): optionally escrow your LastPass master password. If you do, make sure it’s strong, and remember the mechanism above should work without it.
- Set a reminder to re-check Emergency Access whenever you change your master password or your trusted contact’s email.
What AmberKey stores
- Layer 1 (metadata): your LastPass email, that Emergency Access is set up, the trusted contact, and the wait time.
- Layer 2 (bearer secret): optional: your master password, as a fallback if Emergency Access ever fails. Not required for the normal path.
What your survivors do
- Read the AmberKey card: it names the emergency contact and the wait time.
- That contact signs in to LastPass, opens Emergency Access, and requests access to your vault.
- After the wait time elapses with no decline from you, LastPass grants access — they can read every saved login.
- If Emergency Access wasn’t set up (or fails) and the master password was escrowed in Layer 2, they can sign in directly. Expect to also handle your 2FA (recovery codes or the authenticator, noted on the card).
Required documents
None for the Emergency Access path. It’s contact-to-contact inside LastPass. No death certificate, no vendor process.
Expected timeline
The configured wait time (hours to days) after the request, then automatic. Immediate if you had approved the request before you died.
Gotchas
- The contact needs their own LastPass account and must accept the invite. An unaccepted invitation grants nothing; confirm acceptance at setup.
- A stale escrowed master password locks everyone out. If you escrow it and later change it, update the Layer 2 secret.
- 2FA still applies to the direct-login fallback. If a survivor uses the escrowed password instead of Emergency Access, they still face 2-step verification. Escrow the recovery codes or note where the authenticator lives.
- Consider migrating. Given the 2022 breach, a long unique master password is essential; longer term, Bitwarden or KeePass are cleaner to inherit and safer to hold.