I cannot possibly believe no-one else has requested this???   All other 2FA options are vulnerable to phishing / MITM reverse proxy attacks, and only U2F can prevent this.   PLEASE guys add U2F support to LastPass!  Yubikey OTP or Authenticator based 2FA methods are not safe.  All a hacker has to do is to lure the victim to log in to a URL which is 1 character different e.g. https://laslpass.com and then they can download your entire unencrypted vault, even if 2FA is enabled.   This is a huge security hole. ... View more

There is no way to view the six-digit codes for MFA-enabled accounts via the iOS LastPass App. The only way is through the LastPass Computer application.   This is a request to add the ability to view the MFA code saved on login credentials to be visible in the mobile app.   EG: I save a Google account and Secret Key on the LastPass application on the computer, and I can view the 6 Digit MFA code that is generated.   When I log into my LastPass vault on the Mobile iOS App, I would like to see the 6 Digit MFA code there also since it is the same vault and data that I am accessing via the computer.  ... View more

When logging into a site in Chrome, it is possible to fill the username and password fields by right-clicking and selecting from the context menu. This is very convenient because it keeps my mouse pointer right near where the UI designer intended it, and makes it easy to click the next button.   However, if the site uses TOTP as a second factor, there's no option to paste the TOTP token from the context menu. Instead, I have to move my mouse all the way up to the top right of the window, select it from the extension's menu, and return to paste it. That's a lot of extra movement and steps that could be avoided by simply including it in the context menu.   Request 1: please add a "Fill TOTP" and/or "Copy TOTP" option to the context menu in Chrome.   I use the LastPass TOTP functionality and an authenticator app interchangeably. For shared corporate accounts, the secret is in LastPass so it can be shard with other users. For personal accounts, it is in my authenticator app on my phone. It is sometimes hard to remember which is where.   At the moment LastPass always shows the "Copy TOTP" option even when no secret is configured. Worse, clicking on it with no secret does nothing. If I have a token in my clipboard from the last login and then click it again for the next, I still have the wrong token. It then takes a moment to realise what's happened and that I actually need to go to my phone.   The problem could readily be solved if the "Copy TOTP" option (and "Fill TOTP" suggestion above) only displayed when there was a TOTP token to copy. Or alternatively, greyed out or had a similar visual indicator it wasn't configured...   Request 2: please make the Copy TOTP option only show when there's a TOTP secret configured. ... View more

With more and more sites offering Two Factor Authentication, it would be handy to somehow in LastPass be able to track which sites one has enabled 2FA for and which type of 2FA. Even if it is something that could be entered manually by the user that would be a useful feature, but of course if it could be detected automatically that would be even better, but I can imagine that's not so easy.   The 2FA coverage could also potentially be made part of the overall security score (in addition to measuring the password security which makes up most of the score).  ... View more

So, I have MFA and OTP across LastPass and mobile apps an it's confusing where they might be when logging in. It It would be handy if Lastpass didn't show the option to Copy TOTP if No TOPT exists. Only display the field(s) that exist in the entry.     ... View more

Currently, one can choose to log in to the Android app using 2FA, but if one wants the convenience of using biometric sensors to log in (e.g. fingerprint sensor), one can only lock and unlock the app. This, however, does not allow the usage of 2FA.   Could you by any chance either implement logging in with a biometric sensor or add 2FA to the unlocking process? In the end, it would be nice if every time I want to use the app, it would ask me for my fingerprint and then for my 2FA (in my case Yubikey) afterward. This would allow combining the convenience of using a fingerprint sensor with the security of using 2FA. ... View more

For each password store in one's vault, add a checkbox to the site attributes screen (Password Edit) that can indicate that 2FA has ben enabled for that site. The presence of 2FA on a site can then factor into one's security score calculated by LastPass. ... View more

Make TOTP auditing available in the reports. I recently had a support call because the TOTP for one of our business-critical sites went missing and the application provides zero traceability in order for me to know whether this was caused by another user who intentionally or accidentally clicked on "delete" (which by the way is really poor design to place the "delete" action right above the eye). Disabling MFA/TOTP  should be way harder and require either credential owner approval or admin approval.   As a result of this TOTP going missing (and it seems that you're also unable to audit this at the moment), I've spent half of last week and this entire day trying to recover our name.com credentials. 💀 So yeah, pretty bad. ... View more

I use Lastpass on several devices, and on my phone. The browser where I use it the most often is on a computer that is NOT password protected, and other people could theoretically use (though only my roommate has easy physical access). If I have save password turned off and tell LastPass to trust this device, I then have to type my password to be able to use LastPass.   This isn't terrible, but it would be nice to have some alternate (quick) verification, like a PIN, that was local-only. In the event that a keylogger was installed somehow, that would only grant someone knowledge of the PIN, which would only work on that one device, but the master password would still be secure.   The closest option I can think of is instead of trusting this device and having to type my password every time, I could save my password and not trust the device, and use the Lastpass Authenticator app with push 2FA verification. I'm hesitant to do this, though, as I feel like it would reduce my overall security.   I'd rather enter a number (or alternate local-only password, or a pattern) to unlock the app, but stay persistently signed in even if I close the browser. ... View more

LastPass browser extension and password manager app on mobile could fill in 2FA codes everywhere. The "seed" would be stored securely in the password manager and using the algo the code is available on all devices to be filled. IPhone has some extension point for getting codes also for numeric fields.   ... View more

Masking characters with asterisks in the 2FA screen doesn't let us users check whether we introduced the right code. A single use code is not a password, therefore shouldn't be masked. That'd give us a better UX. ... View more

The current TOTP implementation in Lastpass only generates SHA-1 keys. Can this be extended to support more algorithms, like SHA256 and SHA512? Websites and other services are moving away from SHA1 keys. ... View more

Using the main mobile phone is convenient however the phone is usually for most, more likely to get lost, stolen or breaks being carried around. Having an additional mobile number feature allows a spare mobile phone or simply a spare active SIM to be locked away as a backup. Note, some mobile carriers require an outgoing call or SMS text to be made on a SIM at least once every so many months to prove the SIM number is being used. That's of course down to the user to set-up calendar reminders to use the SIM! ... View more

Today I needed to add a new Google account to my authenticator while using only my phone. I had to enter the key manually, because it was not possible to scan the qrcode with the camera, since the qrcode was being displayed on the same mobile screen I was using to enter a new key in the authenticator app. I had problems doing this manually because the key provided by Google had spaces every set of 4 letters, if I am not mistaken. When I pasted the key into the authenticator, it did not ignore the spaces, which made the addition wrong. I had to manually remove the spaces to make the addition possible.   My suggestion is that the app itself remove the spaces, like Google authenticator does.   Language: en-BR iOS Version: 15.3.1 Device Model: iPhone 11 Built: LastPassMFA 2.4.0.1154 ... View more

Currently, LastPass does have an OATH-compliant OTP multifactor authentication method, labelled "Google Authenticator", wherein LastPass generates a base32-encoded secret and presents it as QR code containing a formatted otpauth:// URI -- which can then be used to program Google Authenticator or any other OATH-compliant app such as Okta Verify or Yubico Authenticator.   However, in the case of OATH hardware tokens (such as the Feitian VC-200E ), it's difficult or sometimes impossible for an end-user to re-program them with a new secret; tokens instead come pre-programmed, with the expectation that the user can input the pre-programmed secret into the app they wish to authenticate to.   Unfortunately, LastPass does not seem to have a method of accepting pre-existing secrets, only secrets it generates itself. The decision to not allow this for the "Google Authenticator" multifactor method probably makes sense from a user experience perspective, but it does also make it impossible to use these types of hardware tokens despite the fact that it does actually use the same algorithm.   What I would like to see, is the addition of a new "Generic OATH OTP" multifactor authentication that does enable using hardware tokens, by simply giving the user the ability to input their own secret and other relevant parameters -- possibly as just a complete OATH URI (e.g. otpauth://totp/LastPass:j.random@example.com?secret=JBSWY3DPEHPK3PXP&period=60). ... View more

Now that Lastpass can be authenticated with O365 it would be redundant to enable additional 2fa when you already have 2fa via DUO on ADFS. So the requirement policy for users to have 2fa is disabled and their 2fa within Lastpass management is disabled. Now the security dashboard alerts all users to activate 2fa to increase their security score and they are told to contact the Lastpass admin (us it admins) to enable the feature. We know that would be redundant so we have it disabled.    I contacted support and the ability for Lastpass to be aware of upstream settings or the ability to manually tell lastpass that 2fa is enabled upstream does not exist. So I am asking for either of those types of solutions.   Thank you ... View more

Would like to see a check box or dropdown with something like "MFA Enabled" for passwords in the vault.  Then have that checked before adding to the Security Dashboard and score. I like the security dashboard, and I know we can exclude items from being included in the check, but it should also include points for having MFA enabled versus having them detracted. As an example, sonyentertainment.com account allows for SSO to Bungie.com, PSN, easports.com and a couple of others. I can login to anyone of them directly with my sonyentertainment.com, but each is saved separately by LastPass since it's a unique URL.  I have MFA enbaled on my sonyentertainment.com account so I have to enter the code whenever I hit a different URL in that group as a new session.  Technically I could set the password to password123, which produce a 0% on the dashboard,  for all my accounts if I had MFA enabled on each of them and be at least as secure as having a 16 character password. Just a thought. ... View more

The options for MFA are good, but I would like to suggest added Deepnet Security SAFEID and Okta Verify to the your MFA options list. They are both commonly used methods of Multifactor Authentication. Please consider adding them to LastPass as it would make the process better for some that do not have a phone or want another method of authentication.  ... View more