Currently you're forced to have e.g. the same account security settings wherever you access LastPass.
Profiles could enable you to have different requirements @ different locations (e.g. using IP ranges or something)...
- Home: MP only.
- Work: MP + OTP via Yubikey.
- Friend's house: MP + OTP via SMS.
- Public: MP + OTP via Yubikey + OTP via SMS. (Your default maximum security setup.)
(Note, username is also presented with the above in each case...more on that later)
I love this idea with one addition: Support the use of a PIN or secondary password *other than* your master password. That reserves use of the master password for secure locations. Perhaps the PIN can only be used to access, not to edit or view passwords. In this way, even if someone uses a key logger or screen logger to capture the username, PIN, and OTP, they cannot use the PIN to log in even if they disable the OTP or on a fresh install of the LastPass add-on. So, your maximum security setup might be:
- Public: username + OTP via Yubikey + OTP via SMS + PIN (entered only after validation of the OTPs).
Although, I do not really see the need for both a Yubikey and SMS. One OTP is sufficient. Having more than one OTP starts to deviate from the fine line of usability versus security. The reason I like the Yubikey is because it is a strong OTP without the need for me to type in the OTP (which is tedious and error prone.) So I would probably use this for my strongest security posture:
- Public: OTP via Yubikey + PIN
This satisfies 2-factor authentication very well: Something I have (Yubikey), Something I know (PIN)
Also, notice I did not include the username. Since the first characters of the Yubikey are static and tied to a specific token, these can be tied to a specific LastPass account and used in place of the username, further reducing exposure of sensitive info, namely your email address.
Thanks for a GREAT product. I continue to eagerly await your new innovations!
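
The two ideas in this thread (per-location profiles chosen by IP range, and the static Yubikey prefix standing in for the username) sketched as an added example; it is not part of the posts and is not LastPass code. It assumes a Yubikey in its default Yubico OTP configuration (44 modhex characters, the first 12 being the token's public ID); the account table, IP ranges, and function names are hypothetical.

```python
import ipaddress

MODHEX = "cbdefghijklnrtuv"  # Yubico modhex alphabet; position = hex digit 0..f

# Constructed sample data (hypothetical): public ID -> account, and
# location profiles taken from the thread. Networks are documentation ranges.
ACCOUNTS = {"ccccccbcgujh": "alice@example.com"}
PROFILES = [  # (name, network, required factors); first match wins
    ("home", ipaddress.ip_network("203.0.113.0/28"), ("MP",)),
    ("work", ipaddress.ip_network("198.51.100.0/24"), ("MP", "OTP-Yubikey")),
]
DEFAULT = ("public", ("OTP-Yubikey", "PIN"))  # strictest profile as fallback


def split_otp(otp):
    """Split a 44-char Yubico OTP into (public_id, encrypted_part)."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    return otp[:12], otp[12:]


def modhex_to_bytes(s):
    """Decode a modhex string to raw bytes."""
    return bytes.fromhex("".join("%x" % MODHEX.index(ch) for ch in s))


def account_for_otp(otp):
    """Resolve the account from the static prefix alone.

    The prefix only identifies the token. The remaining 32 characters
    must still be checked by an OTP validation service before the
    login is accepted; that step is outside this sketch.
    """
    public_id, _ = split_otp(otp)
    return ACCOUNTS.get(public_id)  # None when the token is not enrolled


def profile_for_ip(ip):
    """Pick the factor set for the client address; unknown -> DEFAULT."""
    addr = ipaddress.ip_address(ip)
    for name, net, factors in PROFILES:
        if addr in net:
            return name, factors
    return DEFAULT
```

Because the prefix is static and typed in the clear on every use, it behaves like a username rather than a secret: anyone who sees one OTP from the token learns it.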