I support and help all my clients onboard onto LP, I love it, so please don't take my continued press on this topic the wrong way. But as a "the only password you will ever need to know" mantra, do you not think this is a poor solution? To have to remember a 2nd password?
I feel my situation is a valid one, to find yourself without a device.
And I'm pretty confident that, without a device or remembering a password, no email provider that has 2FA set up is going to allow you to just reset it (they'll want to call you, text you, or email a backup email account).
The whole point with LP is to only need access to it? Surely this is a problem?
@EvoLeadr There comes a point where you have to decide what is the balance between security and convenience that you are comfortable with. You can always do routine exports of your vault and secure them some place else just in case.
It's a great question. Keep pushing for an answer, as I still haven't found a workable one, other than remembering my email password (in addition to my LP Master Password).
Prior to people attempting to answer your question, they should grab someone else's phone and try to log into LastPass. THEN, they should answer. The answer might come easy to some, but it definitely wasn't obvious when it happened to me. (Fortunately, after a couple of days while traveling, I was able to buy a new phone, insert my SIM card, and restore it.)
Hey there, I did get a formal answer from LP when I emailed them.
1. There is NO way to turn off "trusted devices", which means 100% you need your own access to your email to verify if you are trying to sign in from a new device.
2. If you have 2FA turned on for LP, then it's even more of a nightmare. I'm currently waiting on a detailed response of the LP process to gain entry if you don't have your 2FA.
I think with 2FA, it's not LP's fault at all, 2FA is 2FA after all, and you can print backup codes, which I have. Doesn't help if you find yourself fully robbed or lost items, but that's not LP's fault, but clarity on gaining entry to your account is important.
As for the email thing, it's difficult. As per Glen's answer earlier, it's a trade-off of convenience and security. I like the "trust device" option. So even if I could turn it off...I would not. And LP not having a "back door" to email them, well it is super secure.
Which means it's down to me to secure.
I don't, however, think this is discussed much or even said to the user. You either wake up one day and think about it, or you wake up one day and are in it. Either way, I'm happy I have now and will tell my clients too. Having a password I can remember, I will now need to turn on 2FA for my email, although it should be on anyway.
But I feel I've had full answers now, apart from 2FA on LP....but TBH I daren't turn it on!
Agreed. It would have been nice to have known prior to my event that I needed to remember my email password. Although it does go against the "Last Password You'll Ever Need", it would save some folks a bit of trouble knowing this up front.
If you turn on 2FA for your email, aren't you putting yourself back in the same situation if you lose all of your devices? That is, let's suppose you lose everything and find a computer to start logging in. You can't access your email without 2FA, which means you need access to something you don't have. Yes?
Hi Sir, @GlennD
I've been using LastPass (premium) for several years. I live in Vietnam. Just today, I lost my phone which had the LastPass Authenticator. As such, I am not able to log in. I've tried to log in by SMS passcode but did not receive the passcode at all. I emailed support several times but have not received any response. Could you please support me?
Please make sure you are opening a support case through the support site and not just sending an email to a LastPass email address: How do I contact customer support for LastPass? You will always get at least an automated reply confirming that your case was created and a ticket number.
Thanks for your response. I got the instructions from the Support team. I have to answer a long list of questions before LastPass can disable the 2FA. I hope this process can be quicker. A little bit disappointed that it takes quite long since I opened my case.
One issue I have is the balance between recovery and security. Here's the dilemma with these recovery options: they add avenues to break into your LastPass account. For example, let's say you set up your LastPass account to use LastPass Authenticator because you are afraid of SMS-related attacks; by adding an SMS recovery option you essentially give the attacker a means of bypassing 2FA.
Here are my thoughts on a more secure path:
1. At a minimum, a LastPass account has an email address. Make sure that account is protected by 2FA. Ideally, this would be a hardware key. The account should also not have any recovery or bypass to SMS. An even more secure option is to set up an alternate security email account (which you can do in advanced options) that you don't normally log in to. The reason for this is that accounts that are not logged in to often would be less likely to be picked up by a key logger.
2. Remove the phone number from your LastPass account. SMS recovery is insecure. If you must have it, set up a Google Voice account but do not forward the SMS. Make sure that account is secured with 2FA and a good password.
3. For maximum security, use a hardware key for 2FA on the individual accounts. However, not every site will allow this. Most sites will use some sort of Time-based One-Time Password (TOTP). The LastPass Authenticator is pretty good for this purpose because it allows backup in case you lose your phone.
4. Make sure you enable Grid as an option for 2FA. If you lose your phone and you try to install LastPass Authenticator on your new phone, you may run into an issue where it requests that you complete 2FA, but you can't because you don't have access to a phone. Instead, use the Grid.