David206 Wrote: I never turned on Two-Factor Authentication. Too many reports of poor security. Does that mean that my autologout of LP is caused by something else?
Oh, damn. I hope it's all the same. How horrible if all our reports are caused by separate bugs...
LP hasn't replied back with what the issue was. But, a pet theory on how we both might have the same bug even though I had 2FA and you didn't: 2FA is activated both by users and by LastPass on their servers. Somehow, LP can activate 2FA on their servers even if you don't have it enabled--sounds like a horrible kind of bug/security issue. They asked me to disable 2FA user-side: I did, deactivating the only 2FA I use (Google Authenticator). Then I gave them the go-ahead to disable their server-side 2FA... but instead of one server-side deactivation (to match my one user-side deactivation), I actually got three server-side deactivations: Google Authenticator (just deactivated), LastPass Authenticator (deactivated a long time ago), and YubiKey (which I have never used).
Maybe they have some rogue server-side 2FA activations going on, i.e., my LastPass session kept waiting for the YubiKey (which I don't have) to be plugged into a USB port when it launched Firefox. Obviously, no YubiKey, so it refused to keep my session logged in?
Only a pet theory. I've asked LastPass to clarify just what went wrong and when they'll put out a fix for everyone. I'll ask them, too, about why there were other server-side activations when I never had them in the first place; maybe this has happened to other non-2FA accounts?
EDIT: this is what an "administrative deactivation" looks like: