I was on Reddit and I just found a post which reminded me about why 2FA is vulnerable to phishing attacks. https://www.reddit.com/r/ProgrammerHumo ... _phishing/
A phishing site allows an attacker to steal not only the username and password, but also the one-time authentication code. The attacker can simply replay all of that information to log in to an account protected by 2FA. As far as I am aware, YubiKey is also affected by this, because the one-time password is not dependent on a private key. (Looking at these two pages: https://lastpass.com/yubico/ and https://www.yubico.com/products/service ... -response/ , it seems LastPass only supports basic OTP.)
Universal 2nd Factor is resistant to phishing attacks because it is a challenge-response system: to authenticate a user, the server sends a random challenge, and the user's key responds with the correct answer, which proves that the person at the other end holds the hardware key rather than just a stolen code.
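As an added illustration (not code from LastPass, Yubico, or the post above), here is a minimal Python model of that exchange: the key signs over the origin the browser actually visited plus the server's random challenge, so a response captured through a phishing domain fails verification at the real site. Assumption: an HMAC secret stands in for the per-credential ECDSA key pair a real U2F token generates, so the example runs with only the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed model of U2F's origin-bound challenge-response, not real U2F code.
# Assumption: an HMAC secret stands in for the per-credential ECDSA key pair a
# real token generates, so the example runs with only the standard library.

def signed_data(origin, challenge):
    # U2F signs over sha256(origin) (the "application parameter") plus the
    # server's challenge, so a response is valid only for the origin the browser saw.
    return hashlib.sha256(origin.encode()).digest() + challenge

class Token:
    """Hardware key model: credential secrets never leave the device."""
    def __init__(self):
        self._creds = {}  # key handle -> credential secret

    def register(self):
        # Returns a key handle plus the verification key the server stores
        # (a public key in real U2F; here the shared HMAC secret).
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[handle] = secret
        return handle, secret

    def sign(self, handle, browser_origin, challenge):
        # The browser supplies the origin it is really connected to; a phishing
        # page cannot substitute the legitimate service's origin here.
        data = signed_data(browser_origin, challenge)
        return hmac.new(self._creds[handle], data, hashlib.sha256).digest()

class Server:
    def __init__(self, origin):
        self.origin = origin  # the relying party verifies against its own origin only
        self._users = {}  # user -> (key handle, verification key)

    def enroll(self, user, token):
        self._users[user] = token.register()

    def begin_login(self, user):
        return self._users[user][0], secrets.token_bytes(32)  # fresh random challenge

    def finish_login(self, user, challenge, response):
        _, key = self._users[user]
        expected = hmac.new(key, signed_data(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # False if the origin differed

def login(server, token, user, browser_origin):
    # One full exchange; browser_origin is the site the user's browser is really on.
    handle, challenge = server.begin_login(user)
    return server.finish_login(user, challenge, token.sign(handle, browser_origin, challenge))
```

The phishing case is the second call: the attacker relays the genuine challenge, but the victim's browser reports the phishing origin to the key, and the legitimate server rejects the resulting response.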
Some devices, such as the YubiKey, support a vendor-specific challenge-response mode, but that is limited to a single vendor's products. U2F, on the other hand, is available on many hardware keys: Yubico's and Duo's products support it, as do Trezor's and Ledger's.
Chrome, Firefox and Edge all support U2F now, and many websites are moving to make U2F a standard. Please implement U2F for LastPass, to remain at the top of the game!