LastPass Grid 2 Factor Auth

I was just having a nosey around 2 factor auth and came across this:

This entertained me:

If you lose your grid, you can disable grid authentication via email confirmation.

Doesn't this make the entire scheme completely pointless? If an attacker compromises your email account then they can immediately disable 2 factor auth on your LastPass data.

Am I missing something?


  • @RichardPayne What do you want people to say? You've already figured out the hilarity of that scheme, and there's nothing to add to what you said, really. Yes, if you can disable 2 factor via email, then anyone with access to your email can disable it. What a stupid idea. I don't like LastPass due to their cloud architecture and this is another reason to avoid them.

  • I just wanted someone to confirm that I hadn't missed something obvious. It seems like such a weak scheme; why would anyone bother with it?

