Lastpass Grid 2 Factor Auth

RichardPayne · March 2014

I was just having a nosey around 2 factor auth and came across this:
howtogeek.com/104666/how-to-make-lastpass-even-more-secure-with-google-authenticator/

This entertained me:

If you lose your grid, you can disable grid authentication via email confirmation.

Doesn't this make the entire scheme completely pointless? If an attacker compromises your email account then they can immediately disable 2 factor auth on your LastPass data.

Am I missing something?

RichardPayne · May 2014

@jpgoldberg‌ any insight?

buggypac · May 2014

@RichardPayne What do you want people to say? You've already figured out the hilarity of that scheme, and there's nothing to add to what you said, really. Yes, if you can disable 2factor via email, then anyone with access to your email can disable it. What a stupid idea. I don't like LastPass due to their cloud-architecture and this is another reason to avoid them.

RichardPayne · May 2014

I just wanted someone to confirm that I hadn't missed something obvious. It seems like such a weak scheme that why would anyone bother with it.

Lastpass Grid 2 Factor Auth

Comments