Why can I bypass two-factor authentication to log in to the site my browser is currently on?
To validate your multifactor token, multifactor authentication requires that you have an Internet connection: if you do not pass LastPass a correct multifactor token, LastPass will never release your encrypted data.
However, LastPass also has an 'Offline Mode': it keeps a locally cached encrypted copy of your data on your local device so that you'll still be able to access your data even in the event that you do not have Internet access.
On some connections, when you log in to LastPass you are logged in offline to the locally cached copy of your data before it can authenticate online. As a result, you might experience cases where LastPass will fill in the credentials for the current page you are on before you provide us your LastPass multifactor token.
Note: This is only possible on a computer with LastPass installed where you have previously logged in. You will never see this behavior on a computer where you have never used LastPass before.
If you want to prevent this behavior, do the following:
Clear your Local Cache after each browser session:
- Log in to LastPass
- Click on the LastPass Icon > More Options > Advanced > Clear local cache
- Log off LastPass
Or disable Offline Mode:
- Go to your account settings.
- Click on the Multifactor Tab
- Toggle 'Permit Offline Access' to 'Disallow'
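
The behavior described above, as a simplified model added here as an example (it is not LastPass code; the toy cipher, class names and sample values are all assumptions). The second factor is checked only where the server releases the encrypted vault, so a cached copy opens with the master password alone until the cache is cleared or offline access is disallowed.

```python
import hashlib, hmac, os

def derive_keys(master_password, salt):
    # Vault keys come from the master password alone; the MFA token is not an input.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(enc_key, data):
    # Toy SHA-256 counter keystream, standing in for a real AEAD cipher.
    stream = b"".join(hashlib.sha256(enc_key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext):
    ct = _xor_stream(keys[0], plaintext)
    return hmac.new(keys[1], ct, "sha256").digest() + ct

def unseal(keys, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], ct, "sha256").digest()):
        raise ValueError("wrong master password")
    return _xor_stream(keys[0], ct)

class Server:  # hypothetical stand-in for the online service
    def __init__(self, blob, expected_token):
        self.blob, self.expected_token = blob, expected_token
    def release_vault(self, token):
        # The only place the second factor is enforced.
        if token is None or not hmac.compare_digest(token, self.expected_token):
            raise PermissionError("multifactor token required")
        return self.blob

class Client:  # hypothetical stand-in for the browser extension
    def __init__(self, server, salt, permit_offline):
        self.server, self.salt, self.permit_offline = server, salt, permit_offline
        self.cache = None  # encrypted copy kept on this device
    def login(self, master_password, token=None):
        keys = derive_keys(master_password, self.salt)
        if self.permit_offline and self.cache is not None and token is None:
            return "offline", unseal(keys, self.cache)  # no MFA check on this path
        blob = self.server.release_vault(token)
        if self.permit_offline:
            self.cache = blob
        return "online", unseal(keys, blob)
    def clear_local_cache(self):
        self.cache = None

def make_client(permit_offline, master="correct horse", token="123456"):
    # Constructed sample account; every value here is made up.
    salt = os.urandom(16)
    vault = seal(derive_keys(master, salt), b"example.com:alice:hunter2")
    return Client(Server(vault, token), salt, permit_offline)
```
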