Hacker News
by mastazi 1640 days ago
- Disable LastPass MFA and use Google Authenticator (Authy)

Could you please explain this point? Isn't LastPass Authenticator equivalent to Google Authenticator, Authy or any other TOTP app? Or is there something that makes it less secure than other apps? Perhaps because it has cloud backups?

3 comments

Honestly, after the scare it just seemed stupid that I chose LastPass' own MFA for my LastPass account. Also, if they really did get exploited, no idea what it means for their MFA solution.
When you do Authy (or Google Auth) it will generate a new set of keys for you and shut down any old ones associated with the LastPass stuff, thus making the old keys useless. Also, obviously he should change his master password to a new one.
> When you do Authy (or Google Auth) it will generate a new set of keys for you and shut down any old ones

Wouldn't it be the same if you were going the other way around? E.g. switching from Authy to LastPass Authenticator?

LastPass MFA is not at all like Google Authenticator. The codes in LastPass Authenticator are optional and can be bypassed. It's not secure at all.
> are optional and can be bypassed.

How so? Are you saying that if I sign up, for example, to Dropbox and use LastPass Authenticator for the 2FA, there is a way for me to log into Dropbox without retrieving the code from LastPass Authenticator? How would that work?