I've just tried out passwordless authentication for the LastPass vault.
During setup I had to provide a phone number as what appeared to be the only backup method in case I'm unable to use passwordless login via the LastPass app.
I tried out the phone-based backup authentication method and was sent an SMS with a 6-digit code, which was then all I needed to access the vault. As SMS is generally considered an insecure authentication method, I try to avoid using it, and it is a potential security bypass of passwordless.
Also, during passwordless setup I had an error message until I disabled my existing Google Authenticator app. Can this error message be removed? I've since found I can re-enable Google Authenticator anyway after passwordless setup is complete, although I have to go through disabling / re-enabling Google Authenticator each time I add passwordless on a new device.
I found a phone number in my account settings as a "recovery phone". I deleted that phone number, but it didn't disable the SMS backup method. Is there some other way I can disable the SMS backup method?
So I currently have passwordless with both Google Authenticator and SMS (unwanted) as backup options. I think passwordless, plus any of the existing multifactor methods as a backup option, would be better for most users than SMS. This would need a change to the passwordless setup steps.