2026-07-13 · 7 min read

How LastPass emergency access works: setup and security

How LastPass Emergency Access works: the wait period you set, step-by-step setup, RSA-2048 zero-knowledge encryption, and how it compares to Bitwarden.


LastPass Emergency Access lets you name a trusted LastPass user who can request your vault after a wait period you set. If you don't decline the request before that window elapses, access is granted automatically. The handoff rides on RSA-2048 public-private key cryptography, so LastPass never sees your vault key in readable form.

What is LastPass Emergency Access?#

It hands your logins to someone you trust when you can't reach them yourself. LastPass frames it as an easy way to give others the passwords and logins they'd need to manage accounts on your behalf after an unexpected event, by adding trusted LastPass users as emergency contacts.

The contact you name gets nothing up front. They get the ability to ask for your vault, plus a defined window in which you can still say no.

What can a trusted contact actually reach?#

Everything the feature releases comes straight from your vault: an emergency contact gets your passwords, accounts, and secure notes stored there.

Once a request is approved, the material doesn't scatter into their account. The granted vault appears in the recipient's vault as a folder labeled with the account's email address, holding your stored passwords and notes, so it stays walled off from their own logins.

How does the wait period work?#

The wait time is the gap between when a contact can request access and when they're approved. LastPass defines it as the allotted time when the emergency access user can request access and when they are approved — access lands if the request is not denied inside that window.

Three rules govern how much control you keep:

So the length you set is the length that governs any request you don't catch in time — you can revise it beforehand, never once a request is in flight. A short window favors a fast handoff; a longer one buys you time to notice and reject a request you didn't expect.

How do you set up Emergency Access, step by step?#

The flow bounces between two people — you and your contact. Per LastPass, the setup runs like this:

  1. Log in and open Emergency Access from your account.
  2. Invite a contact by email and set the wait period for that person.
  3. The contact accepts the invitation from inside their own LastPass account.
  4. After the wait time, the contact can request access.

If your intended contact doesn't have LastPass yet, LastPass will help you send them an invitation to join — they must maintain their own LastPass account for the handoff to fire.

Who is eligible to use it?#

Emergency Access ships on LastPass Personal Premium and LastPass Families plans, and both sides — account holder and emergency contact — must be LastPass users. A contact new to the service has to accept your invitation and set up an account before they can ever request access.

Before you rely on Emergency Access, confirm:

  • You're on LastPass Personal Premium or Families — free-tier accounts can't grant access.
  • Your contact has accepted the invite from inside their own LastPass account.
  • The wait period matches your risk tolerance — short for a fast handoff, longer to catch an unexpected request.
  • Your vault actually holds the secure notes and logins you'd want released, not just a fraction of them.

Is it really zero-knowledge?#

Yes — and the mechanism is exactly what lets someone who will never know your master password still receive your logins safely. LastPass uses public-private key cryptography with RSA-2048 to share the key to your vault with a trusted party without ever passing that key to LastPass in unencrypted form.

Here's the chain. Your vault key is encrypted with the trusted contact's public key and can be decrypted only with their matching private key. LastPass holds that RSA-2048 encrypted data until it releases after the waiting period you specified. And only the recipient can decrypt it — their private key is itself encrypted with their master password key, which is how the zero-knowledge model survives an emergency handoff.

The upshot: LastPass can store and release the encrypted bundle, but it can't read your vault, and neither can anyone who isn't your named contact.

How does it compare to Bitwarden and 1Password?#

LastPass and Bitwarden both ship a purpose-built emergency-access feature; 1Password ships none, and its closest tool recovers only your own account.

FeatureLastPassBitwarden1Password
Dedicated emergency accessYesYesNo
Access modesView passwords, accounts, secure notesView (read) or Takeover (read/write)Not applicable
Who can grantPremium and Families plansPremium, or a paid Families/Teams/Enterprise orgNot applicable
Wait-period auto-approvalGranted if not denied in the windowAuto-approved when wait time expiresNot applicable
Owner can approve early / declineCan decline during the windowCan manually approve at any timeNot applicable
CryptographyRSA public/private keyRSA public/private keyNot applicable

The sharpest split is Bitwarden's two-mode model. Its View type grants read access to all items in the grantor's vault, including passwords and attachments, while Takeover goes further: the contact creates a new master password for permanent read/write access, replacing the grantor's master password and stripping out two-step login methods. LastPass keeps a single view-style handoff with no takeover equivalent. On eligibility, Bitwarden also lets free users serve as emergency contacts even though they can't grant access themselves.

1Password sits outside this comparison by design. It ships no dedicated emergency access feature; its Emergency Kit is a PDF for recovering your own account when you lose your account password. On family plans a family organizer can help another member recover their own account — but that's account recovery, not designated access to someone else's secrets after they've gone unreachable.

Where does a password manager stop and a continuity plan begin?#

Emergency Access solves exactly one thing: getting the right person into your vault. It doesn't capture what you'd want them to do once they're in — which accounts matter first, who else to notify, where the things that aren't passwords at all actually live. That's the gap a continuity plan fills, and it's worth reading up on how a structured emergency access handoff actually reaches the people who depend on you.

That seam is what Proceedly is built around: a business-continuity check-in where, if you miss it past a grace window, a person you name confirms (or, on a paid plan, it releases automatically) before your encrypted handoff plan reaches the people who depend on you. It holds your instructions and where keys live — never the passwords themselves — so it complements a vault feature like this instead of duplicating it.

FAQ#

Can I change the wait period after a contact requests access? No. The wait period cannot be adjusted once Emergency Access has been requested, and only the original account owner can change it before that point.

Can I stop a request I didn't expect? Yes, within the window. If a contact requests access before the waiting period elapses, you can decline that request. Access lands only if the request isn't denied in time.

Does my emergency contact need their own LastPass account? Yes. Both the account holder and the emergency contact must be LastPass users, and a new contact creates an account from your invitation before they can request access.

What exactly does my contact receive? Access to your passwords, accounts, and secure notes, delivered as a labeled folder in their own vault holding the stored passwords and notes from your account.

Can LastPass read my vault during the handoff? No. The encrypted bundle can be decrypted only by your named recipient's private key, which is itself locked behind their master password key — LastPass stores the RSA-2048 data but can't open it.

Which plans include Emergency Access? LastPass Personal Premium and LastPass Families.

Sources#