There are two areas of LastPass that pose huge security risks and need to be corrected.
1) "Require master Password" under advanced should prompt for 2FA as well. You can't store secure notes inside of LastPass for recovery passwords since that would mean there is a vector for an attacker to acquire your LastPass Master Password and login remotely using a 'secure machine' or a machine left unattended but logged in. Get a bad thumb drive, or have an elderly person getting a fake tech support call and as soon as they have remote access they can access everything in your vault for 30 days, or you have to enter your 2FA every time you open your vault, which would be irritating.
2) Lastpass.com/otp.php does not require 2FA! Let me get this straight, I can generate a recovery password for logging in if I lose my 2FA but in order to generate that password... I don't need to use 2FA. You might as well not even have 2FA.