Hacker News
by gregsadetsky 1637 days ago
I'm the OP from yesterday's story.

I had 2FA enabled on my LastPass account, but didn't have access to the phone anymore. I clicked a link, LP sent me an email, and I was able (through that email) to remove 2FA.

It doesn't make their 2FA completely useless, but it's not great.


That sounds fine to me tbh. It's worth knowing, but it's not weak. Email is a pretty good 2FA in terms of security, it's just not great in terms of usability, so it makes for a good fallback.

Attacker with MP + email access is pretty severe.

I wish more services used email as a 2FA instead of SMS.