How do you enable more than one security key for the passwordless login?

I really do not understand how we are calling the use of FIDO2 tokens as "passwordless" for LastPass.  On a new or different PC, or even a fresh browser profile, I am _unable_ to sign in to my last pass account with my FIDO2 key.  I am _always_ prompted for my master password.

It seems LastPass is using the FIDO2 keys as a U2F second factor and simply dropping a persistent password backed cookie into the browser session.  uuugh

Please let me know how to actually go passwordless with my LastPass account.

Thanks!

JJ Streicher-Bremer

Question: isn't the Master Password fallback weakening the security as we do not have 2FA enabled anymore?

Thanks

iR

Hi @slai 

At this time only one security key can be integrated with passwordless logins. 

@jjstreic     Currently, you can go passwordless to enter your vault by setting up a passwordless authenticator of your choice on trusted devices. You will need to set this up on each device you'd like to use.

For desktop devices, you may choose between the LastPass Authenticator app, FIDO2 biometrics or a hardware key of your choice.

For mobile devices, you may use built-in device biometrics.  Once you've set this up on a trusted device, you will not be prompted to enter your master password unless your passwordless authentication isn't working or you're making security-related account changes.

@RobertoIs  Thanks for your question. 

The authenticator you choose when setting up passwordless will serve as Multifactor authentication.  On a trusted device, you're only prompted to use the authenticator (MFA) for login.

If on a nontrusted device, you will be prompted to enter your masterpassword PLUS the authenticator you chose for passwordless. 

** Trusted devices are identified within the LastPass system by IP address and/or device ID.  There is a default security function that will also email you for verification when a new device or IP address is identified.  This email will go first to your 'security' email address, or secondly to your 'login' email address if no security email has been set. 

This is passwordless like taking knitting needles from grandma at the airport is anti-terrorism.  

True passwordless would mean no master password, my fallback would be a second hardware device.  If I can fall back to my master password and MFA then the account is no more secure than it was. In fact its less secure because last pass MFA is a text message which is the worst possible kind of MFA. 

You get a A for effort, A for marketing and F for implementation

I enabled passwordless on my Macbook and it works great with the fingerprint button.

I then found that on my Windows desktop, it no longer offered Lastpass authenticator 2FA and I had to use SMS for 2FA.

I bought a yubikey for may Windows 11 desktop and naively thought that I'd be able to use that for passwordless on my Windows desktop. It seems that you can't use per device passwordless, with different FIDO2 devices, unless I'm mistaken.

After lots of testing, I've ended up with my SMS no longer working at all (disabled due to security issues) and I'm back at Authenticator based 2FA for all devices. I'm reluctant to experiment further, for fear of totally locking myself out of my vault.

So, can anyone out there tell me how to enable passwordless on my mac (which works), while also enabling it on my Windows desktop, with the yubikey ? ... or are my expectations wrong ?

Thanks

I am in the exact same boar.  I have opened up a ticket for the SMS no longer working at all and being disabled due to security issues, but I have not heard from support at all.