When setting up LastPass Authenticator, the user is prompted to enable cloud backups.
The documentation/FAQ page says this "enables" backing up LastPass Authenticator keys to cloud storage.
What I haven't found is, once set up, do all new/changed/deleted keys in LastPass Authenticator get re-backed-up to cloud storage automatically? Or must the user actually know and remember to tap on the "backup now" option from time to time?
Also, LastPass Authenticator associates the cloud backup with an email address. What exactly is it doing - where exactly is it storing the backups?
These are good questions, thanks for asking them.
If I may piggyback off that, I'd also be interested in understanding if and how the LastPass Authenticator backups are protected from LastPass Vault access itself. In the very rare event that my LastPass vault is compromised (like a stolen/guessed master password) or if my phone number is spoofed/intercepted, are there any protections that separate the authenticator backup from the vault itself? Said differently, if a bad actor gets access to my vault, do they also effectively gain access to my two-factor authentication codes? That would largely negate the layer of security of MFA, at least from a direct attack on a user's LastPass account.
I am really considering moving from Microsoft Authenticator to LastPass Authenticator as the MS Authenticator's backups aren't device-agnostic (can't restore from backup if moving from iOS to Android). However, I would be interested in understanding some of these minute details about the cloud backups.
With LastPass Authenticator's Cloud Backup feature, you can back up your multifactor accounts to your LastPass account (then restore from Cloud Backup to restore those accounts) in case you ever lose or upgrade your mobile device. As noted at the bottom of this help article: https://support.logmeininc.com/lastpass/help/how-do-i-enable-cloud-backup-for-the-lastpass-authentic... Cloud Backups in the LastPass Authenticator app do need to be manually created each time you'd like to create a new backup (please note only one backup can be stored at once, so if you would like to transfer or move your Authenticator to a new device, only the most recent backup can be restored to the new device).
LastPass Authenticator backups are not stored in your LastPass Vault in any way; a LastPass account needs to be associated with the LastPass Authenticator app, as this is how cloud backups for the LastPass Authenticator are stored/associated with your Authenticator accounts. For more detailed information about LastPass/LogMeIn's cloud services and technology, please see our Security and Privacy Operational Controls or "SPOC" documentation, which provides encryption use and standards, retention periods, and other helpful product-level information here: https://logmeincdn.azureedge.net/legal/LastPass-SPOC.pdf
Thank you RachelO. Please note, the text at the bottom of the referenced LastPass FAQ does NOT say that the ONLY way to make a backup of LastPass Authenticator is to do so manually; it says "whenever you WISH to". I'm quite sure that LastPass Authenticator users who set up backups "wish to" have the backups be automagic.
At the very least, the article should be made much more clear.
Better would be to build in a user-selectable "back up automatically" feature.
About "where" the backups are stored, you've answered where the backups are NOT stored: the backups are NOT stored within the user's LastPass vault. You still haven't answered where the backups ARE stored. I surmise that the LastPass Authenticator backups are stored in some cloud managed by LastPass/LogMeIn, solely under the control of the company, with no possible export, and no way for the user to get anything out of them, nor to be positive that in any particular future it will all still work.
More transparency is needed, and really it should be possible to (encrypted, under the full and sole control of the user) export the authenticator code generator configurations including seeds.