"Lastpass is storing the 2FA secret seed under a URL that can be derived from your password. This literally beats the entire purpose of 2FA which, as mentioned above, is a layer of security to prevent attackers already in possession of the password from logging in"

http://www.martinvigo.com/design-flaws-lastpass-2fa-implementation/