Warning: rage-inspired ranting ahead....
TL;DR: 2FA has made the login requirements on my PCs so difficult and irritating that I'm being driven into saving my password in plaintext on my desktop (or finding another solution).
I thought 2FA was a great idea to improve my password security. I thought it would make logging in more convenient, and secure. Instead, my browser plugins (on all of my PCs, Firefox & Chrome) are now CONSTANTLY logged out. They log out randomly. They log out every time I lose internet connectivity. And to log back in, you'd think I could just use my fancy LastPass Authenticator app on my phone, right? Nope. Actually, if you have 2FA on, you actually have to put your (longer, more complicated, more secure) master password in TWICE. Once to log in enough for the plugin to see that I have 2FA enabled, then again to get to the point that it sends a 2FA notification. Oh, and if I'm offline? Despite setting it to allow offline 2FA, all I've done with that is introduce a 3-5 minute wait after entering the password the first time, and then.... guess what? ENTER PASSWORD AGAIN. My password is long, it's complicated, it's got lots of special characters. It's everything it's supposed to be. It's easy to mis-type (despite having had to type it well over 100 times since enabling 2FA). This is exactly the kind of password every user should have.
But last night, as I sat in bed on a touch-screen device trying to put my password in yet again, I had a genius idea to resolve this problem!!!!!
I had the same idea I bet every other user with 2FA has thought of at least once. I had the idea I bet every novice 2FA user has already done..... I have a PIN/password for my Windows login, so I can just save my password in a text document on my desktop so I can just copy/paste for the constant LastPass logins!!!!!!
No, the extreme stupidity of that idea does not need to be pointed out to me. That was sarcasm intended to convey the EXTREME USER-SIDE SECURITY VULNERABILITY situation that 2FA is creating. I used to recommend LastPass to my clients all the time. But I won't any more. Because my users are 'technically deficient', and I already have a hard time getting them to memorize the master password as it is. The number of times I've had to talk someone's Grandma through resetting their master password is ridiculous. The last thing I want to do is introduce this situation to them, because guaranteed at least 60% of them are going to have the same 'genius' idea I'm having.
LastPass needs to catch up with Microsoft and allow password-less (2FA) logins on devices which have already been logged in. Similar to 'remember this password' (I'd really love to have that back), once I establish that I'm logging into a secure environment, or at least one that I trust, I should have the ability to use 2FA instead of a password to log in. 2FA should definitely never, ever cause me to have to log in more than once (hell, if internet cuts out, I've had to enter it 4 times before). And from a marketing perspective, allowing 2FA only with the LastPass Authenticator app could push customers towards installing and using Authenticator, which in turn moves them further into dependency on/need to use your ecosystem, which generates sales.
Now, I'll admit that I'm a bit of a technical user. I'm very often working offline, or on an isolated network without internet access. So yeah, the situation is a bit worse for me. But it's still there, and it needs to be fixed ASAP. 2FA never should have been allowed out of Beta in this condition. Hell, it never should have made it into Beta like this. But being a technical user, I can tell you right now my next task today is to see if I can find a password-less enabled password management system. In fact, I'm pretty sure I recently saw my MS Authenticator asking to take over password management for me. So they're offering 2 big convenience factors you are not: 1) Having my password management tied to my existing MS ecosystem. 2) Password-less, quick and easy logins with an option to enter the password instead of using 2FA.
Ok, I feel better having let my anger out somewhere that could possibly be seen by the developers at LastPass. And it's probably already been brought up; I honestly didn't even check. I'm just very irritated right now. I never did get into my account on my touchscreen last night, and I missed an evening email that I really should have responded to yesterday because of it.