adrianh77 Wrote:
"Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth."
and... let's suppose your email account has multi-factor enabled on it (aka gmail)?
Sniffed credentials are of limited use when:
- they can't log into your email due to multi-factor.
- they can't log into LastPass from countries you don't reside in or from TOR networks (optional LP security settings)
So it's not enough, then, to have credentials for the LP account and the email account. One must already have functional access to one of the trusted devices authenticating to the email account.
You rule out the email account as multi-factor, but having functional access to a trusted device that accesses the email account (something you have) is a physical factor.
Though I grant its weakness is that it can be remotely viewed/accessed, unlike a YubiKey or Google Authenticator.
I could have sworn that way back, you were able to disable the email bypass.
I presume with mentions of issues with Yubico server availability and token loss, that support costs pushed its removal.
I would be happier if I could substitute a fallback multi-factor method rather than email (say Google Authenticator, if the YubiKey was offline), or just turn off the email fallback.
I'm comfortable with
- a trusted PC in two locations
- trusted mobile device
- plus 3 YubiKeys on my account (a primary, my wife's YubiKey, and a backup YubiKey)