LastPass browser extension and password manager app on mobile could fill in 2FA codes everywhere. The "seed" would be stored securely in the password manager and using the algo the code is available on all devices to be filled. IPhone has some extension point for getting codes also for numeric fields.   ... View more

I'd like to try the passwordless feature but I do not want to lock-in my two-factor to a single device. I currently use Authy because it easily allows me to load it onto a desktop or another mobile device so I can continue to login to my accounts.  It seems LastPass authenticator has a restore from cloud option but only after you go through a circuitous recovery process.  Why not allow a more seamless way to load the authenticator onto other devices directly?  Phones get lost. Phones break.  Some just move to different phones regularly.   ... View more

Today I needed to add a new Google account to my authenticator while using only my phone. I had to enter the key manually, because it was not possible to scan the qrcode with the camera, since the qrcode was being displayed on the same mobile screen I was using to enter a new key in the authenticator app. I had problems doing this manually because the key provided by Google had spaces every set of 4 letters, if I am not mistaken. When I pasted the key into the authenticator, it did not ignore the spaces, which made the addition wrong. I had to manually remove the spaces to make the addition possible.   My suggestion is that the app itself remove the spaces, like Google authenticator does.   Language: en-BR iOS Version: 15.3.1 Device Model: iPhone 11 Built: LastPassMFA 2.4.0.1154 ... View more

Hello, I'm using Lastpass and Authenticator connected on my PC and mobile. When I login to Lastpass on my PC, Authenticator on my mobile asks for verification. But on verification screen there is not much, just email address, but this can be someone else typing my email. I know that odds are astronomic but someone may click accept accidentally and let an attacker get in.   I'm sure there are more security checks but it would be great to display some Device Identifier on Authenticator screen of which device requested to login. This could be a nickname i gave to my PC, IP address, City/Country e.t.c.   Thanks ... View more

Please allow the authenticator to upload and download on multiple devices.    Currently I can have lastpass authenticator on multiple devices.  But the sync function appears to only work on a single device, this creates a lot of fear that I am adding qr codes on the wrong device and that it is not syncing correctly.    p.s. I would echo another suggestion listed: Please add an Authenticator browser plugin allowing us to use the authenticator from our PCs as well. This would be truly epic to have both the manager and authenticator in browser.  ... View more

Multiple accounts (Work and Personal) are not simultaneously supported with the Authenticator App. If I use LastPass personally and also have a work account, I cannot take advantage of the Authenticator features because it will only work with the current LastPass app signed in account. Because LastPass's method of embedding the personal account inside the work account, you cannot get sign-in prompts and I must rely on SMS 2FA, use Authenticator backup features, etc. specific to your personal account. Nor can you separate your personal and work accounts' 2FA tokens if someone were to leave the company. LastPass has done a good job with the password separation, but it is undone by not completing the experience with the Authenticator App. Ideally you would have the Authenticator App have multiple account logins, that each have their own 2FA token backup scope (regardless of the federated status of the work account). ... View more

When we use LastPass federated login, it disables the LastPass authenticator app from backing up to your cloud. While our federated login is controlled by our Microsoft Azure Active Directory platform and don't need the authenticator for our login process, it is unfortunately pushing our users away from your authenticator app because they cannot backup their other sites because they are federated. I have over +100 tokens in my authenticator. Currently I must sign out on my work account on my LastPass app, sign back in with my personal, then setup backup on my authenticator app, then sign out of personal on LastPass app, then back into my work account. This is reducing the integration with your platform instead of enhancing it. Opposite of what federated login is supposed to do. Ideal solution is to allow cloud backup to two accounts with separate scopes (personal and work, regardless of the federated status). ... View more

Some security & encryption programs enable the use of a Keyfile in addition to a PW. How about adding a product extension for this to LastPass Authenticator to enable a Bluetooth filesharing feature on Android? This could not only provide another/redundant factor (something you have), but it could also include biometric (something you are) to authorise on-phone, AND it could include a new factor of Whare You Are since BT has limited range.   I imagine it could work something like this: Use the LP Authenticator app to pair your phone with the target device using Bluetooth 4+ Import the keyfile into the LP Auth app (or LP itself?)  - or have the app generate a new keyfile, if needed A small LP client (or add-on to LP) on the target device would be the recipient of the connection and act as a temporary drive or file store that can be mapped  as a URL in the target OS. When the app tries to open the keyfile, the LP client would search for the BT connection to the phone.  If successful, the key file is provided to the target application and cached. On the phone’s LPA app, the user could have the option of providing each keyfile either with or without further biometric confirmation. On the client app, the client could either encrypt or overwrite the local keyfile once it has been released by the target app. Possibly after a period of time.   A further feature could be to periodically poll the phone via BT to confirm it is still nearby & connected. (BLE could do this with low power usage). If the BT connection is lost, then it kills the target app & removes the file.  Perhaps after a user-configured delay?   Of course, a similar thing could be done with NFC, but a) NFC is far less common than BT on devices, and b) the proximity for NFC means your phone would need to remain nearly in contact with the device. BT can also provide signal power readings to give an idea of proximity of the phone to the target device. This might require the phone to be VERY close to the target, or just in the same room. Or, it could be relative to the power measured when first authorised. I.e. if I leave my desk for a coffee, the encryption is gone.   Besides offering users additional factors for authentication this extension can also work Offline. Meaning, if you have a target device and/or phone without internet/network access, this can still provide MFA. As a backup, the extension might enable USB connection to the phone to access LPA/the keyfile if BT isn't available. ... View more

Hi,   I've just tried out passwordless authentication for the lastpass vault.   During setup I had to provide a phone number as what appeared to be the only backup method in case I'm unable to use passwordless login via the lastpass app.   I tried out the phone based backup authentication method, and was sent an SMS with a 6 digit code, which was then all I needed to access the vault. As SMS is generally considered an insecure authentication method, I try to avoid using it, and it is a potential security bypass to passwordless.   Also, during passwordless setup I had an error message until I disabled my existing google authenticator app. Can this error message be removed ? I've since found I can anyway re-enable google authenticator after passwordless setup is complete, although I have to go through disable / re-enable google auth each time I add passwordless on a new device.   I found a phone number in my account settings as a "recovery phone". I deleted that phone number, but it didn't disable the SMS backup method. Is there some other way I can disable the SMS backup method ?   So I currently now have passwordless with both google authenticator and SMS (unwanted) as backup options. I think passwordless, plus any of the  existing multifactor methods as a backup option, would be better for most users than SMS. This would need a  change to the passwordless setup steps. ... View more

LastPass is one of our key systems at our office (~40 users) and since it is so critical I feel that we need to stress MFA after every login. While it is not conventional we would like to NOT ALLOW our users to remember their device(s) for 30 days. We already have other systems in our office where users must allow an MFA push notification before accessing some of our other systems, this push notification happens every time they request access to these systems without exception. We take security in our office very seriously and we have found that eventually you get use to the MFA every time you login. We also find that it is very helpful to have a backup MFA device like a security key that we can assign to users who forget their phone for the day (yes this actually happens).   While we realize that this feature alone will not help increase our security or reduce our risk we still get calls from people from time to time who are so used to getting MFA notifications that when they forget that they checked the "trust this device for 30 days" they call us in a panic that something is wrong with LastPass as it did not prompt them for MFA. So if anything it is a visual indicator that something might be wrong.   Hope everyone reading this has a nice day and I look forward to the discussions. ... View more

In Lastpass Authenticator, when you toggle Backup in settings, Authenticator doesn't continuously backup your accounts. Instead, it backs up when you click the toggle. Change the functionality so that it either:   1. Backs up continuously, as such a toggle would suggest - OR - 2. Change the toggle to a button that says Backup Now and make it clear that you're backing up the current state ONLY   I came to this realization when Authenticator pooped out on me and I needed to restore my account. Apparently only two of my many accounts could be restored because I had toggled Backup way back when I only had two accounts. I thought it would keep backing up continuously,  but alas. It's a lie   ... View more