You can already enable both methods, and Google Authenticator will be a fallback on devices that don't accept YubiKey.
If email verification is a concern, set up a dedicated security email address and keep the information completely separate from LastPass.
jamieg Wrote: +1 for removing the mandatory SMS backup when using LastPass Authenticator. I just set up LPA the other day and was shocked and annoyed at this step backwards.
JerryLove Wrote: Agreed. There are a few tremendous holes in LP's TFA [big enough that I will change products should someone else do this correctly]
1) You can only choose a single active TFA. I desperately want to be able to use either my YubiKey or an Authenticator (as not all things I work on will take one of my keys)
2) Some TFAs (specifically LastPass Authenticator, which seems to be the only one that allows a fallback TFA) *force* you into a bad fallback TFA (SMS). I cannot even turn off SMS, much less replace it with a better system.
3) Recovery is email based. While this might be an OK default: for the security oriented this is a huge problem. Email is exactly the thing I'm most worried will be compromised (perhaps through social methods) and the fact that it's an immediate way to get my entire password vault is unacceptable.
I'm a premium member. That lasts right up until the day when someone addresses the above and you haven't.