Hi. Posting as I’m out of ideas.
I need to contact LastPass support. I've been trying to log into the site but my password isn't working. I've gone through the account recovery process and given it the number it texts to my cell phone. I put the code in, click verify and it immediately tells me the link is expired and to try again.
I'm at a loss. If you need to log in to get support... but you can't log in... how do you get support?
The whole point of TOTP-based 2FA is that you aren't susceptible to social engineering attacks on your phone provider, guaranteeing you safe generation of 2FA codes even in an offline environment.
Now I'm flabbergasted to see that LastPass forces you to enter a phone number in their LastPass authenticator app for recovery?
Why on Earth did anyone think this was a good idea? If you lose your device, you should be able to log into your LastPass account via a security email and recover your LastPass authenticator backup from there. I don't see the point of having a highly insecure phone number in there. I want to be able to OPT OUT of this!
Yes, it is a slight security risk, for the reason Conor Mancone points out. But no, it does not mean that LastPass stores your master password on their servers, and would-be hackers need to do more than just obtain the recovery SMS.
To use SMS recovery, you must have access to a computer and browser where you have previously used LastPass. LastPass generates and stores a recovery one-time password (rOTP) on your computer when you log in for the first time on a new computer/browser. This rOTP essentially works like a second master password and is only stored locally on your computer, but is disabled until you request account recovery. The recovery SMS just activates the rOTP, allowing you to access and decrypt your vault using it, after which you can re-encrypt it using a new master password of your choice (the rOTP is disabled permanently after being used once).
Without access to a computer where you have previously used LastPass, SMS recovery won't work. This means that any hackers or LastPass employees that want to use it to access your vault would first have to get access to a computer where you previously logged into LastPass, and where you haven't taken steps to delete any traces it left behind.
More details are in the blog post announcing the SMS recovery feature. The LastPass help file you cite unfortunately is ambiguous and confusing on the rOTP part.
A more technical (and less ambiguous) description can be found in the LastPass Technical Whitepaper (I'm not sure that link is stable, so click "Technical White Paper" at the bottom of the Overview of LastPass Enterprise if it's broken). See page 10, under "Recovery".
Note
This answer discusses some important caveats to keep in mind for systems like this in general, but misses relevant details about the implementation of LastPass' recovery system. For more details specific to LastPass, see @korsbakken's excellent answer.
The real risk
Yes, it is a security risk, and it doesn't have to have anything to do with how they make password recovery possible on their end. It has to do with the simple fact that SMS is not a secure channel for 2FA or account recovery, a fact that has been making a lot of waves in the news recently. Here is an article where security researchers intercept SMS travelling in the mobile networks:
https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
But another common (and relatively easy) attack method is something called SIM swapping:
https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/
There are more options I'm sure, but they all have the same effect: a determined attacker has many ways to intercept the text messages of a target for a long enough time period to intercept account recovery in cases like this. In practice if an attacker wanted access to your account, knew that you had SMS recovery on your LastPass account, and also knew your phone number then they would execute one of the above attacks against your cell phone carrier, request a reset from LastPass, and immediately reset your LastPass master password to something of their choosing. They now have full access to all your passwords. If they are feeling especially vindictive they can probably even permanently shut you out of all your accounts (by turning off account recovery and then changing your master password once again).
LastPass Employees
Of course your primary concern was LastPass employees. That question, however, is much more difficult to answer. The answer depends on what sort of access controls they have internally inside their own systems. Certainly your general suspicion is correct: if a password reset is possible then they must in some way have access to your master password file (probably only if you turn on account recovery, though, since they say it only works if you turn on account recovery first). This does mean that the LastPass system can potentially decrypt your passwords. However, this does not mean that employees can abuse it. Many companies, especially those storing sensitive data for end users, have many internal access controls that stop employees from gaining direct access to end-user data. However, I doubt anyone here can tell you whether or not that is the case for LastPass.
In practice I would be far more concerned about the risks associated with account recovery over SMS than I would be over malicious LastPass employees. Either way LastPass says that account recovery is only possible if you have enabled it, so if you turn it off you should have nothing to worry about at all (unless you don't trust LastPass to be honest, in which case you need to figure out how to run a password manager yourself). Just don't forget your master password.
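To make the two answers above concrete, here is an added toy model (not LastPass code, and not a description of their actual implementation) of the recovery design korsbakken describes: a recovery one-time password (rOTP) that exists only in the browser's local storage, a server-side copy of the vault key wrapped under that rOTP which stays disabled until an SMS code activates it, a one-shot re-encryption under a new master password, and the SIM-swap scenario from Conor Mancone's answer, where an attacker who controls the phone number but never touched the victim's computer gets the wrap activated yet cannot open it. The cipher (HMAC-SHA256 keystream plus HMAC tag), the `Server` class, the `legit_recovery` and `sms_only_attack` scenarios, and the sample vault contents are all assumptions made for this example; a real client would use an authenticated AES mode.

```python
"""Toy model of SMS-activated recovery with a locally stored rOTP (example, not LastPass code)."""
import hashlib
import hmac
import os
import secrets


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key from a master password or an rOTP (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC in counter mode. Assumed for the demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Assumed server state: encrypted vault plus an rOTP-wrapped key that starts disabled."""

    def __init__(self, master_pw: str, vault_plain: bytes):
        self.salt = os.urandom(16)
        self.vault = seal(kdf(master_pw.encode(), self.salt), vault_plain)
        self.recovery_wrap = None       # vault key sealed under the rOTP, once registered
        self.recovery_state = "none"    # none | disabled | active | consumed
        self.sms_code = None

    def register_recovery(self, wrap: bytes) -> None:
        self.recovery_wrap, self.recovery_state = wrap, "disabled"

    def send_sms(self) -> str:
        self.sms_code = f"{secrets.randbelow(1_000_000):06d}"
        return self.sms_code            # stands in for delivery to the phone number on file

    def activate_recovery(self, code: str) -> bytes:
        """The SMS code only flips the wrap from disabled to active; it decrypts nothing."""
        if self.recovery_state != "disabled" or not hmac.compare_digest(code, self.sms_code or ""):
            raise PermissionError("recovery not enabled or wrong code")
        self.recovery_state, self.sms_code = "active", None
        return self.recovery_wrap

    def finish_recovery(self, new_vault: bytes) -> None:
        self.vault, self.recovery_wrap, self.recovery_state = new_vault, None, "consumed"


def first_login(server: Server, browser_storage: dict, master_pw: str) -> None:
    """First login on a new browser: mint an rOTP, keep it only locally, upload the wrapped key."""
    master_key = kdf(master_pw.encode(), server.salt)
    open_(master_key, server.vault)                    # proves the master password is right
    rotp = secrets.token_bytes(32)
    browser_storage["rotp"] = rotp                     # the only copy of the rOTP lives here
    server.register_recovery(seal(kdf(rotp, server.salt), master_key))


def recover(server: Server, browser_storage: dict, sms_code: str, new_master_pw: str) -> bytes:
    """Use SMS code + local rOTP to decrypt the vault and re-encrypt it under a new password."""
    rotp = browser_storage.get("rotp")
    if rotp is None:
        raise PermissionError("no rOTP on this browser; LastPass was never used here")
    master_key = open_(kdf(rotp, server.salt), server.activate_recovery(sms_code))
    plain = open_(master_key, server.vault)
    server.finish_recovery(seal(kdf(new_master_pw.encode(), server.salt), plain))
    del browser_storage["rotp"]                        # single use: the rOTP is gone for good
    return plain


def legit_recovery() -> dict:
    """Alice forgot her master password but still has the PC she logged in from."""
    vault = b"site=example.test user=alice pw=hunter2"   # constructed sample vault
    server, home_pc = Server("correct horse", vault), {}
    first_login(server, home_pc, "correct horse")
    code = server.send_sms()                           # Alice reads it off her own phone
    recovered = recover(server, home_pc, code, "battery staple")
    try:
        open_(kdf(b"correct horse", server.salt), server.vault)
        old_pw_works = True
    except ValueError:
        old_pw_works = False
    return {"recovered": recovered == vault,
            "new_pw_works": open_(kdf(b"battery staple", server.salt), server.vault) == vault,
            "old_pw_works": old_pw_works, "rotp_left": "rotp" in home_pc,
            "state": server.recovery_state}


def sms_only_attack() -> str:
    """Attacker SIM-swapped the number and has the code, but never used the victim's computer."""
    server = Server("correct horse", b"secret vault")
    first_login(server, {}, "correct horse")           # victim's own browser, not the attacker's
    wrap = server.activate_recovery(server.send_sms()) # the SMS alone does get this far
    try:
        open_(kdf(secrets.token_bytes(32), server.salt), wrap)
        return "vault decrypted"
    except ValueError:
        return "activated but cannot unwrap without the local rOTP"


if __name__ == "__main__":
    print(legit_recovery())
    print(sms_only_attack())
```

The model makes the trade-off in both answers visible: the SMS code is the only thing an attacker with a SIM swap gets, and on its own it merely activates a wrapped key they cannot open; the thing that actually decrypts the vault is the rOTP, which never leaves the browser it was minted in. The remaining risk is exactly the one Conor Mancone points at: an attacker who has both the phone number and a computer where you once logged in (and did not clear local storage) can run `recover` themselves.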