RE: [SECURITY HOW-TO] How anyone can avoid losing access to their Steemit Account with LastPass and Duo

in #steemit, 8 years ago (edited)

This is a great guide and it is a very good idea for people to do this.

It is important, however, for this community to understand that this 2FA solution is not the same thing as a Steem-specific 2FA solution (a solution which I describe along with other security improvements that I recommend for steemit.com and the Steem blockchain in this post).

For example, if your computer were hacked, you are only partially protected by using the 2FA in this guide. Partial is still better than nothing, so it is a good idea to enable it.

If the hacker installs a keylogger on your computer that sends the keystrokes back to them, then they will eventually compromise your LastPass master password the next time you log in. As @robrigo mentioned, the 2FA enabled in this guide will prevent the hacker from accessing your LastPass password database using that password alone, which is a great thing.

But if your computer is compromised, the hacker could theoretically install a tool that simply waits until the next time you unlock your LastPass database (this means both entering your master password and approving the login with the Duo app) and then grabs all your passwords from the database. This would be a far more sophisticated attack (particularly if you use LastPass's password autofill feature rather than copying and pasting the password), but it is still a valid concern.

The ideal 2FA solution for Steemit would not allow a hacker to spend your funds even if they had complete root-level access to your desktop/laptop computer alone. This requires utilizing the sophisticated multisig capabilities already available in the Steem platform, and also a separate computer system providing 2FA services (likely run by Steemit, for example) that has one of the two keys for your account's active/posting authorities (the other of course being the one generated in the browser running on your desktop/laptop computer). In such a setup (where the 2FA service again used an app such as Duo on your smartphone for the authentication), the hacker would have to simultaneously compromise both your desktop/laptop and your smartphone, which is a much harder task than just compromising the desktop/laptop.

Note: They could also just compromise Steemit servers, grab their half of the multisig keys, and feed you malicious JavaScript which steals your half of the multisig keys, but that is a threat that already exists today without multisig. The way around that would be to have a separate Steemit app existing outside of the browser that was signed by cold Steemit keys and in which the user has to explicitly approve upgrades to the app after the existing installation of the app verifies the upgrade software's signature is good. In such a case, a compromise of Steemit's online servers would functionally mean a graceful degradation of the 2FA system to the current 1FA system.
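The 2-of-2 authority model described in the comment above, worked through as an added example (not code from the commenter, Steemit or the Steem blockchain): the account's active authority lists two keys with a weight threshold of 2, one key lives in the browser and the other with a separate 2FA service that signs only after a phone approval. The chain-side check sums the weights of valid signatures, so a compromised desktop alone reaches weight 1 and is rejected, while a compromise of both the desktop and the service degrades to today's single-key situation. Lamport one-time signatures stand in for the chain's real signature scheme so the block runs on the standard library alone; that substitution, the key labels and the transaction payload are assumptions of this example.

```python
"""Model of 2-of-2 on-chain 2FA: a weighted authority needs both the browser
key and the 2FA-service key to sign. Lamport one-time signatures are used as a
stand-in for the chain's ECDSA keys (assumption made for a stdlib-only demo);
the weight-threshold logic is the part being demonstrated."""
import hashlib
import secrets
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signature (stand-in for the real key scheme) ----
def keygen():
    """Private key: 256 pairs of random values; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    h = int.from_bytes(sha256(msg), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one preimage per message-hash bit. Real Lamport keys are one-time;
    # here each key only ever signs the single constructed transaction.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


# ---- Weighted authority: signatures must reach weight_threshold ----
@dataclass(frozen=True)
class Authority:
    weight_threshold: int
    key_auths: tuple  # ((key_label, weight), ...)


def authorized(auth: Authority, pubkeys: dict, tx: bytes, sigs: dict) -> bool:
    """Chain-side check: add up the weights of keys whose signature verifies."""
    weight = sum(w for key_id, w in auth.key_auths
                 if key_id in sigs and verify(pubkeys[key_id], tx, sigs[key_id]))
    return weight >= auth.weight_threshold


def service_sign(service_sk, tx: bytes, phone_approved: bool):
    """The 2FA service signs only after the push prompt on the phone is approved."""
    return sign(service_sk, tx) if phone_approved else None


def run_scenarios() -> dict:
    """Outcome of one constructed transfer under the four situations the comment discusses."""
    desktop_sk, desktop_pk = keygen()   # key generated in the browser
    service_sk, service_pk = keygen()   # key held by the separate 2FA service
    pubkeys = {"desktop": desktop_pk, "service": service_pk}
    tx = b"transfer 100 STEEM to attacker"  # constructed transaction payload

    one_fa = Authority(1, (("desktop", 1),))                 # today's setup
    two_fa = Authority(2, (("desktop", 1), ("service", 1)))  # proposed 2-of-2

    def attempt(auth, phone_approved, service_key_stolen=False):
        # Whoever controls the desktop (user or attacker) can always sign with its key.
        sigs = {"desktop": sign(desktop_sk, tx)}
        if service_key_stolen:
            s = sign(service_sk, tx)  # attacker took the service's half of the keys
        else:
            s = service_sign(service_sk, tx, phone_approved)
        if s is not None:
            sigs["service"] = s
        return authorized(auth, pubkeys, tx, sigs)

    return {
        "1fa_desktop_compromised": attempt(one_fa, phone_approved=False),
        "2fa_user_approves_on_phone": attempt(two_fa, phone_approved=True),
        "2fa_desktop_compromised_only": attempt(two_fa, phone_approved=False),
        "2fa_desktop_and_service_compromised": attempt(two_fa, False, service_key_stolen=True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'spend allowed' if ok else 'spend rejected'}")
```

The last scenario is the "graceful degradation" case from the note: with the service's key also stolen, the threshold is met without any phone approval, which is exactly the single-factor exposure that exists today, no worse.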

Thanks for clarifying the difference between on-chain 2FA using multi-sig and 2FA for your password manager. I hope to see an on-chain solution that is usable in the near future!
