Why does lastpass use the device and physical location as a security criteria even if the master password is correct?

Question

This answer might seem obvious from a security perspective, but from a functional perspective it's a disaster.

Simply lose or break your phone and you will be completely locked out from all your accounts, email, contacts, banking, google etc... This is what happened to me recently while travelling, my phone broke and even though I knew my master password, I could'nt log into my email, flight reservations, banking etc... from another laptop or phone, there was also no way to reset passwords. Yahoo recovery link went to Gmail, Gmail to the phone, none of which I could access. It really caused a lot of frustration and problems for the remainder of my trip.

I dont think it's sensible to add physical device and location as additional security criteria even if in 95% of cases it may improve security.

jepenny · Answer

See FAQ support article below. This feature has been in place since 2015.

https://support.lastpass.com/s/document-item?bundleId=lastpass&topicId=LastPass/c_lp_email_verification.html

savagedamian · Answer

Yes, if you log in from a different device, ip or location it sends an email which you need to click on the link to get in. However there's no way to do that if you lose your phone for example. It's security overkill it hinders rather than facilitates intended use. It pushes users to use simpler memorable email passwords for example in case they're locked out of lastpass.