Fully turning off SMS for LastPass - don't use LP Authenticator

I am trying to follow @Leo’s advice and completely turning off SMS as 2FA where I can, including LastPass. I took a deep dive and found the following…

If you want to use the LastPass Authenticator app, it still allows you to send an SMS code. I cannot find any away to just use the LP Authenticator app only!! This is therefore a potential security flaw in using LP Authenticator!

I also turned off SMS recovery.


In the multifactor option setup for LastPass Authenticator, it will not let you complete the setup unless you enter your mobile number, which it then verifies by sending a code to let you complete the setup.

And this is seperate from the SMS recovery option under the Security menu item.

So, the bottom line appears to be, you cannot avoid the SMS option unless you do not use the LastPass Authenticator.


Yep! And that is quite disappointing.

It’s especially odd since you can remove SMS otherwise. I use Google Authenticator as backup and a Yubikey as my primary, and it does not require me to have SMS or account recovery phone number.

1 Like

I suspect the LastPass Authenticator is intended to be “safe” for users. I am using 2FA on LastPass with “Google Authenticator” option, and there is no SMS for recovery. I don’t use the Google app, but that’s what LastPass calls the industry standard method which supports a wide variety of apps, such as Authy.

I’ve removed the SMS recovery account from LastPass. The only thing I use LastPass Authenticator for is for LastPass so I can just tap approve on my phone. Similarly, I have Microsoft Authenticator for my Microsoft account so I just tap approve on my phone or watch. Everything else is on Authy.

But not that if you use LP Authenticator, it still allows you to send an SMS for authenticating LP even if you turn off SMS recovery.

Hmmm, so it does. I just tried Duo and it uses SMS as backup too. I’ve disabled LastPass Authenticator as a 2FA method for LastPass now. Will just have to look at my phone for a code from Authy instead. :neutral_face:

Yes, and if you haven’t set up a backup 2FA, probably best to do the “grid”.

1 Like