I am trying to follow @Leo’s advice and completely turning off SMS as 2FA where I can, including LastPass. I took a deep dive and found the following…
If you want to use the LastPass Authenticator app, it still allows you to send an SMS code. I cannot find any way to just use the LP Authenticator app only!! This is therefore a potential security flaw in using LP Authenticator!
In the multifactor option setup for LastPass Authenticator, it will not let you complete the setup unless you enter your mobile number, which it then verifies by sending a code to let you complete the setup.
And this is separate from the SMS recovery option under the Security menu item.
So, the bottom line appears to be, you cannot avoid the SMS option unless you do not use the LastPass Authenticator.
It’s especially odd since you can remove SMS otherwise. I use Google Authenticator as backup and a Yubikey as my primary, and it does not require me to have SMS or account recovery phone number.
I suspect the LastPass Authenticator is intended to be “safe” for users. I am using 2FA on LastPass with “Google Authenticator” option, and there is no SMS for recovery. I don’t use the Google app, but that’s what LastPass calls the industry standard method which supports a wide variety of apps, such as Authy.
I’ve removed the SMS recovery account from LastPass. The only thing I use LastPass Authenticator for is for LastPass so I can just tap approve on my phone. Similarly, I have Microsoft Authenticator for my Microsoft account so I just tap approve on my phone or watch. Everything else is on Authy.
Hmmm, so it does. I just tried Duo and it uses SMS as backup too. I’ve disabled LastPass Authenticator as a 2FA method for LastPass now. Will just have to look at my phone for a code from Authy instead.