markmedici
Active Contributor

Re: How many recovery options do you have enabled?

  • @GlennD wrote:
    1. If you lose your 2FA/MFA device but you still have access to your email, you can disable 2FA/MFA on your account using your email and sign in to LastPass.

    2. If you lose your 2FA/MFA device and you do not have access to your email, you can open a support ticket and LastPass support can disable 2FA/MFA on your account so you can sign in to LastPass.

I think that, based on current complaints in the "Check your Inbox..." thread, #1 should read:

 

... using your Security Email or, if not configured, your login email ...

 

The question I have then is what role does the "SMS Account Recovery Phone Number" play in all this?

RachelO
Retired GoTo Contributor

Re: How many recovery options do you have enabled?

Hi @markmedici,

 

Specifically, the LastPass Authenticator cannot be disabled via email. To access your account, you would then use SMS account recovery to log in, then disable multifactor authentication for your device. If SMS recovery had not previously been set up, you would need to then contact LastPass support to assist with disabling LastPass Authenticator for the account.

 

ref: https://support.logmeininc.com/lastpass/help/i-lost-my-phone-ndash-how-do-i-disable-multifactor-auth...




RachelO is a member of the LogMeIn Community Care Team.

CeliaA
Active Contributor

Does recovery one-time password require NOT clearing browser cache? (edited)

I have all my browsers set to clear the cache when I quit the browser, for security reasons. (I accept that this means I have to do inconvenient things like repeat two-factor authentication when logging into websites that use it.) Am I right that this also means that I'll never have a LastPass one-time password available for recovery if I forget my master password?

 

Edit: 

@RachelO answered this here:

https://community.logmein.com/t5/LastPass-Support-Discussions/How-many-recovery-options-do-you-have-... 

 

My follow-up question still stands:

I don't believe that any major browsers currently allow for exceptions to clearing the cache. Please let me know if I'm wrong.

 

Thanks.

CeliaA
Active Contributor

Re: How many recovery options do you have enabled?

@RachelO, thanks for your reply to @minsik. I have the same situation. I have all my browsers configured to delete all history & clear the cache every time I quit, which I believe is a best practice for privacy & security as well as performance. Using an extra browser just for this makes sense -- I just have to remember to log on there occasionally.

 

I hope that eventually browsers will allow exceptions to cache clearing, just as they currently allow exceptions to cookie deletion.

GlennD
GoTo Manager

Re: How many recovery options do you have enabled?

@CeliaA There are other less drastic ways to handle security and privacy:

  • Such as configurable browser extensions that let you select which sites you allow and which ones you block.
  • You could set up something like Pi-hole for DNS requests on your network like I have. It blocks a lot of unwanted tracking and does not interfere with my LastPass and other services that I rely on and you can add and remove specific sites and domains.
  • A more manual way is to configure the browser not to delete info from specific sites when you clear your history.

That being said, there is more than one recovery option available; you just need to set them up. Security and privacy are very important and should be taken very seriously, but it is up to the individual to select the balance with convenience that they are comfortable with.

 

Glenn is a member of the GoTo Community Care Team.

CeliaA
Active Contributor

Re: How many recovery options do you have enabled?

To reply to @GlennD's original question about how many recovery options I have enabled...

 

I don't have the mobile biometric option enabled, because fingerprint readers can never read my fingerprints, and Android's facial recognition is lame and easily defeated with a photo (unlike Apple's 3D functionality).

 

So far, I haven't dared set up 2FA on LP, for the same reason others have given.

 

I will start making sure I have a recovery One Time Password on each of my computers, now that I have @RachelO 's advice to set it up using a browser that I don't use for anything else, so that I can continue clearing the cache of my "real" browsers every time I close them.

 

I have taken the risk of giving a trusted person a print-out of my LP password. Maybe I'll give a different trusted person a print-out of the PW to my recovery email account, just in case the first trusted person and I are both in an accident, I get hit on the head and forget both passwords, and the first trusted person is in a coma and can't give me my LP PW.  Oh, and both my computers and my phone's SIM card are all destroyed in the accident, too. Yeah, I think that would cover it. I just have to make sure that my first and second trusted people are never both with me at the same time. 😜

CeliaA
Active Contributor

Re: How many recovery options do you have enabled?

@GlennD Thanks. I'll look into Pi-hole. Regarding "A more manual way is to configure the browser not to delete info from specific sites when you clear your history" -- I haven't found any way to exclude certain sites from *cache clearing,* only from cookie deletion. If you're aware of a way to do that, please let me know!
GlennD
GoTo Manager

Re: How many recovery options do you have enabled?

Hi @CeliaA 

 

I merged your post with the main discussion around this topic so that the information is not split over multiple posts.

 

The simple answer is yes, if you clear your browser cache the information used for that form of account recovery will be deleted and you would not be able to use that recovery method if you forgot your master password. A new recovery one-time password would be created the next time you successfully signed in through the browser extension, but if you had a password issue you would have to keep trying until you entered the master password correctly.

 

Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in.

 

encsuperstition
Active Contributor

Re: How many recovery options do you have enabled?

@GlennD wrote:

"Rather than printing out your passwords you could use the Emergency Access feature to give a trusted friend access if anything happened to you. For security I would encourage you to set up MFA on your account. Yes, you potentially could lose your phone, but there are options for when that happens and as long as you still know your Master Password our Support can let you bypass that step and sign in."

 

 

I think Emergency Access is an interesting premium feature but its scope is different than printing out the password list or backing it up offline or elsewhere.

 

If I got it right, Emergency Access allows a trusted person to access your vault using their own login, after the wait time if any. I guess that could be useful in case of temporary problems but even in case of illness or death, so that your family or friend will be able to access your data when you are not around.

 

Printing / backing up on the other hand also covers the case that something happens to the LastPass account itself, caused either by user error, system error or whatever the cause.

jamesesparzam
Visitor

Re: How many recovery options do you have enabled?

Hi,

Thanks for your post. I got the instructions from the Support team. I have to answer a long list of questions before LastPass can disable the 2FA.

 

*post edited by moderator to remove external link