I'd much rather plug-in a specialized thumb drive or use a keyfile as a second layer over using my mobile device. I don't use two factor authentication myself as I tend to create separate accounts for each of my devices. For example, my Google account on my android smartphone is the same as my main google account on my desktop. I maintain unique pseudo identities for each device and don't connect to the same networks. But I'm a-typical. The average consumer would benefit from two-factor authentication and I agree it should be a mandatory. Though, I'd like to see more options. I store mine on a portable medium and only access my password manager when absolutely necessary. Otherwise, I try not to keep stuff stored locally. I think air-gap measures are still important to security, even if some hypothetical governmental agency has figured out how to get passed certain air gap measures. But I'd image that a lot of folks feel safe keeping it stored locally, especially since they can setup a long passphrase and/or keyfile to further restrict access. Coming from an information security perspective, physical access to a system and password database is never a good idea. No matter how secure your think the encryption and setup might be. But to each their own I guess.
An update on the hack that I have not seen published in here. https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
According to blog post they have already implemented it... I don't think there is much choice out there. E.g. http://www.safenet-inc.com/data-enc...luna-hsms-key-management/luna-sa-network-hsm/
It's not clear to me how an HSM would be used in conjunction with LastPass; do you understand it? Is this a solution for individuals?
I assume they want to further secure the data that was accessed in the hack with dedicated hardware more resilient to tampering. These devices can be configured for that. I am not sure we will ever discover the "what" and the "how", for obvious reasons. No, I don't see how this can be a solution for individuals.