
Especially something I get such value from. As I use it on my laptop and my mobile and tablet devices I now have to pay to continue using it across devices. If you stick with the free tier, you can only use LastPass on one type of device. On 16th February, LastPass announced changes to their free product, which is what I use. I don't recall much in the way of lost functionality from not paying, so I never got round to doing so again. I stopped paying because my card expired, and I never got round to updating the details. I have also previously paid for the product. I know I have an invoice from them from 2013, so I've been a user of their product for at least 7 years. Not a great solution. LastPass has been my go-to password manager for as long as I can remember. SMS to recover is a major liability. An example of how NOT to do things on a popular website is Coinbase, which allows one FIDO device and only allows SMS as a recovery mechanism.

One-time passwords to recover are also nice. If you're going to do WebAuthn, please allow users to add multiple instances, much like how Microsoft allows you to have multiple browsers, hardware keys, etc. I use LastPass on my phone (Chrome), MacBook Pro (Chrome, Firefox, Safari), and Windows machine (Firefox). secure enclave, etc.) Ideally I'd like to be able to configure WebAuthn to work from *multiple* browsers on *multiple* computers.

Numerous browsers now support WebAuthn on phones and computers where the environment has been deemed secure (i.e. Thankfully that is not required for LastPass currently.

WebAuthn with SMS recovery is basically a huge security risk at this point. I now view SMS messages as an account recovery option as a liability since it has been shown recently how easy it is to hijack a phone number (Google search for recent accounts of this).

In addition to the security concerns already mentioned, I'll bring up another few points.
