I have implemented 2FA for my account to be secure. I have YubiKeys and other options for said security. If I lose all my 2FA devices and accounts I should lose access (unless I have a location where there is a rOTP, I guess). The issue here is that on any device someone can bypass 2FA with access to my email. This is a HUGE security gap and problem. I don't want them to be able to break in with my email + LastPass master password. This essentially makes having good 2FA useless.
I can't seem to find a way to disable/turn off/remove the ability to turn off the requirement of 2FA. It is just there. For YubiKey, for Google 2FA, for everything. Why!
Am I missing something? Or is this a CRITICAL issue? I have tried in browsers that weren't trusted... you don't even need an OTP to get around 2FA.
There are a few options to avoid the possibility of someone disabling multi-factor authentication via email for your LastPass account: you can set a security email address, so that security notification emails sent from LastPass (such as a request to disable multi-factor authentication) are not sent to your account email, but to a secondary security email for increased protection. You could also choose to use the LastPass Authenticator as your multi-factor authentication method, as the LastPass Authenticator cannot be disabled via email, and would require you to use SMS recovery to log in and then disable the LastPass Authenticator if it needs to be disabled.