weigand463
New Contributor

Which 2FA for iPhone?

My yubikey worked on my previous Android phone by way of NFC. But it won't work on my new iPhone 8 Plus. So yubikeys are out.

What other 2FA method is there for an iPhone with LastPass, other than the Grid method? Or I should say, what is the gold standard for when you have an iPhone and want a 2FA method to use with LastPass?

I asked this in the help support ticket system, but they were unhelpful. They said merely to choose from one of the other 2FA methods.

The problem I'm having with the other 2FA methods is that they violate common sense. Correct me if I'm wrong, but I think you should not be using Google Authenticator, LastPass Authenticator, etc. on the same phone that you're using for opening up LastPass Password Manager. Why? Because if someone got a hold of your phone, they could key-log your phone for the master password, and then activate Google Authenticator (or whatever) on that same phone to have it send the code to access your password vault. So the only thing running Google Authenticator does for you is to add one extra step for the bad guys to do, which should be trivial for them if they know about LastPass.

Am I right? What am I missing here? The help support ticket guys didn't understand what I was getting at, even after I asked a few times in different ways. This doesn't seem like it should be that difficult to answer for a company that's supposed to know everything about securing password vaults.

So the only thing left that I see is the Grid method. Unless I'm terribly mistaken.

Can anyone confirm my thoughts, or can anyone explain why I'm wrong?

Thanks,
- Steve
4 REPLIES
jonat
Active Contributor

Re: Which 2FA for iPhone?

The idea of using a phone as the second factor is that it is "something you have", to guard against someone learning your master password and then, unknown to you, logging in from another device. If someone steals your phone (and you don't have a strong PIN or use Touch/FaceID) AND has your master password, you're pretty much hosed regardless.

For LastPass itself, I use Duo Security as the second factor. Since I use Touch/FaceID on my devices, including for LastPass itself, I believe I am sufficiently protected. Note that you can choose to protect the LastPass app with a PIN or with Touch/FaceID so you won't be entering your master password often. Keylogging is such a remote threat on an iPhone that I don't think it worthy of consideration.

Pick a strong, unique master password and take advantage of the security features of your phone. Make sure you set up a separate "security email" account for LastPass should you need a way to get back in should you lose your phone.
weigand463
New Contributor

Re: Which 2FA for iPhone?

Yes, the fingerprint is better than nothing for 2FA. It might even be good enough for me, since I'm pretty sure Apple keeps the fingerprint in a secure area of memory not accessible by other programs. The only attack, then, would find a way of tricking the OS to think the fingerprint reader has resulted in a successful read, which seems possible. I wonder if anyone has hacked it yet.

Of course this still doesn't answer the question of why LastPass's help support ticket guys couldn't answer this question and seemed to think it's A-OK to use LastPass Authenticator / Google Authenticator / etc. on the same phone that's being used to access the password vault.
jonat
Active Contributor

Re: Which 2FA for iPhone?

I don't think of it as a problem. Again, 2FA is there to protect you against someone accessing your account on some other device. On my phone, I have LastPass set up to require FaceID (on the iPhone X), and TouchID on the iPad. Of course someone would have to unlock the phone first. Since it's unlikely the phone would be out of my possession, I consider the convenience an appropriate tradeoff against the risk. 2FA doesn't enter into it once I have set LP to stay logged in.

Yes, it would be nice if something like Yubikey worked with the iPhone, but really, would you find that a usable solution?
weigand463
New Contributor

Re: Which 2FA for iPhone?

People don't need physical access to your phone in order to hack it. And even if they did, that's not the big concern. They might be able to work out your fingerprint by lifting it from the glass and duplicating it, but they still wouldn't have your master password in order to run LastPass. So the physical route is not the concern.

The concern is a hack involving getting something to run on your device with escalated permissions (or perhaps without escalated permissions even). Once that's in place, keyloggers can be deployed to grab your master password as you're typing it. So long as you have Yubikey activated (or some other 2FA), there's no way for them to use their PC to gain access to your vault remotely. And Yubikey is a lot less vulnerable to brute force attack, since the OTP is so long. So using their PC won't work.

That leaves using your iPhone once they have your master password from a keylogger. Since your iPhone's LastPass app requires a fingerprint scan, you're probably safe. However, I don't know how safe that assumption is. Is it possible to trick LastPass into thinking the fingerprint read was successful? That part I don't have an answer to.

Would it be any safer with a Yubikey? Yes, I think so, because I believe the Yubikey is verified on LastPass's servers. Correct me if I'm wrong. So the LastPass app isn't the gatekeeper. That makes the Yubikey method a lot harder to hack around than the fingerprint reader.

All of this is conjecture on my part. I'm pretty sure it would make national news if someone defeated the fingerprint reader with LastPass. That would cause LastPass and possibly Apple to release patches pretty soon after that. The question then would be how much time did the hackers go undetected?