Why not use 2 factor authentication to secure my 1Password Vault?


Comments

  • On behalf of Brenty, you're welcome.

    Rick

  • wordy_bob
    Community Member

    I have used 1Password for years, but you are the only product on the market that doesn't support 2FA.
    I have read your blogs from 2015, but as this is the only account I have without 2FA, I will have to move.
    U2F with a YubiKey would be cool.
    Just a password doesn't work these days with so many keyboard loggers around everywhere.
    Bye

  • @wordy_bob,

    I hope before you make your decision you'll consider reviewing Rick's most excellent response here:

    https://discussions.agilebits.com/discussion/comment/364163/#Comment_364163

    Thanks.

    Ben

  • Catalin1P
    Community Member
    edited September 2017

    @alonagar

    I just don't get it!

    I think we got it but it is not secure as in some instances it can be turned off or bypassed when you perform the account recovery process.
    2FA received via SMS can easily be breached by wiretapping or SIM cloning by national security agencies. I can give you an example from a researcher who bypassed 2FA. Read this article for more information. There are just a few instances where it is useful, but the main point is that it doesn't encrypt your data. It just delays the inevitable.

  • wordy_bob
    Community Member

    @ben Yes I have read all of the reasons that 1Password thinks it doesn't help and doesn't make things any more secure.

    However, I disagree and so does almost every other major security player who deals with authentication. ATO is the major cyber crime of the moment and it is largely solved (or at least decreased) with 2FA. For this reason many of us think that something you have and something you know makes it slightly better - that is the definition of 2FA I am using in this case. That is why so many of us want 2FA.

    You all disagree. That's ok but we customers have a choice so we will see how it turns out in the end.

    @Catalin1P We all know that 2FA can be bypassed, but that doesn't mean it's not better than just a single password. For bank accounts it greatly increases security and largely makes phishing useless. That's a good reason to use it. The fact that your phone can be cloned (e.g. SIM cloned) is not a reason not to use 2FA. You will be saying that we shouldn't encrypt our data next - because it is possible that someone can decrypt it?

  • @wordy_bob,

    However, I disagree and so does almost every other major security player who deals with authentication.

    That's the thing, though. We're not doing authentication at all (setting aside 1Password.com membership). I've seen no claims from major security players that 2FA would be helpful for 1Password, particularly in the context of non-1Password.com accounts. If you know of some, we'd be happy to see it.

    With 1Password.com memberships we're doing two-secret key derivation (2SKD): AgileBits Blog | 1Password is #LayerUp-ed with modern authentication

    I'd be interested to hear what attack vector you feel 2FA in 1Password would prevent.

    We're not arguing that 2FA isn't an important measure for some services, but it isn't the only solution, and isn't the right solution in all cases.

    Ben

  • prime
    Community Member

    IMO 2FA is useless for the standalone apps. If you use Dropbox, you can turn on 2SA to protect Dropbox, and then that protects your 1Password vault. If you use iCloud, that can also be protected with 2SA. Other than that, why else would you need 2SA?

    I see people use 2SA and end up using weaker passwords, because they think 2SA is the great protector. That isn't the point of 2SA at all. The person in this article had 2SA turned on, and was still hacked.

    Another password manager that uses 2SA made 2SA pointless....

    Now the 1Password.com... does that need 2SA? Maybe. I'd rather have 2 encryption keys than 2SA, or maybe 2 encryption keys and 2SA?

  • Catalin1P
    Community Member
    edited September 2017

    @wordy_bob

    @Catalin1P We all know that 2FA can be bypassed, but that doesn't mean it's not better than just a single password. For bank accounts it greatly increases security and largely makes phishing useless. That's a good reason to use it. The fact that your phone can be cloned (e.g. SIM cloned) is not a reason not to use 2FA. You will be saying that we shouldn't encrypt our data next - because it is possible that someone can decrypt it?

    True, for banks it is ideal because it cannot be deactivated (at least my bank doesn't allow you to deactivate it), as happens in other scenarios or with other password managers. I should also mention that my bank built this authentication system into the core of the system on which the bank runs + the code is never sent via SMS and it cannot be stored on your smartphone either. In this situation it is ideal, but in situations where it can be bypassed or can simply be deactivated it is useless.

    As far as I know the technology that is mostly used for encryption is AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256 + encrypted traffic over TLS/SSL. This formula has never been cracked; even when hackers got their hands on the encrypted blobs, those were useless without the necessary keys to decrypt them.

    We shouldn't forget that 1Password uses the Secret Key, which itself is a Multi-factor authentication (MFA) method in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something both parties know), like your email address, which you know and the authentication mechanism knows (I ask 1Password staff to correct me if I am mistaken on the email address part), and something I have but that is not known by the authentication mechanism (I am the only one that knows about it since it is generated on my local machine), like my Secret Key, and lastly my Master Password in the case of 1Password, which is also something that the authentication mechanism doesn't have knowledge of. In short, both the Secret Key and Master Password are not transmitted to 1Password and therefore they cannot help you if you ever forget them.

    Other password managers allow you to deactivate 2FA if you ever forget your master password and attempt to reset it, or you can follow some steps to revert, to change to your previous master password, and lastly, they store some local One Time Password. This allows you to change your master password if you've logged into your password manager on one or more computers. To be more precise, the password manager saves this local One Time Password when you log in for the first time on the computer through the PC/Mac app or the browser plugin of that password manager, which helps you with the reset process when you need it. The local One Time Password and other methods, like reverting the master password to the previous one that has been used, make 2FA useless in cases where your PC/Mac is stolen or some villain takes a quick peek at a shared PC/Mac because you forgot to log yourself off. I don't know if anyone uses public PC/Macs in bars or cafes, but I don't.

    One last notice: Two-factor authentication is a type of multi-factor authentication. So 1Password uses 2FA in the form of Secret Key.

    @prime Those articles are so good, it blends well with what I just wrote. By the way I gave a user on this forum a similar article about another password manager who uses 2FA and it turned out to be....pointless

  • AGAlumB
    1Password Alumni

    Thanks! I think it's helpful to discount email addresses since these are effectively public (even if we don't always share them with everyone, they inevitably get out). 2SKD is distinct from other multifactor options, so I don't blame those who argue that it isn't the same — it is different in some key ways, such as it is used to encrypt the data. But ultimately the most important thing for us in designing 1Password.com is to ensure that if everything else goes wrong and an attacker has the encrypted database that they cannot break into it. So that's the threat which the Secret Key is designed to protect against, which other methods cannot. Cheers! :)

  • [Deleted User]
    Community Member

    For example:

    I use 1Password at work in my browser.
    So all I have to enter to log in is the password. One password.
    Someone noticed how I typed the password into 1Password, but I don't know about it.
    I have locked 1Password.
    I left the computer.
    Now it is enough that someone comes in, logs into 1Password and knows all my passwords.
    With 2-factor authentication it would not be possible.

  • AGAlumB
    1Password Alumni

    @DominikS: That's not true at all. They could just install malware that hijacks the session the next time you login. No form of multifactor authentication can protect you once someone else owns your machine. You're counting on the attacker being pretty dumb in order for that to help in the scenario you describe, and security needs to be designed with smart attackers in mind.

  • Ben

    Hi @DariusR

    I've split your post into its own thread in our 1Password Teams forum as I feel there is enough there that it warrants its own thread. You can find it here. Thanks.

    Ben

  • DariusR
    Community Member

    Thank you

  • Ben

    :+1:

    Ben

  • [Deleted User]
    Community Member

    @brenty

    Installing malware is not as easy as just typing your password.
    It does not have to be the owner of that PC.
    1Password locks after a time, and that is good.
    But when I forget to lock my PC for a few minutes and go, for example, to the toilet, someone else could get all my passwords.
    With 2-factor it's not so simple, and I get info on my phone that someone tried to log in to my account.
    Why does 1Password not want to add that like others?
    You are creating software for security and this is not secure.
    Maybe this situation is not frequent, but for me it is a security bug.

    I'm testing some other company's solution with 2-factor.
    If it is as usable as 1Password, I will be moving to that solution from 1Password,
    because of the missing 2-factor in 1Password.

  • prime
    Community Member

    @DominikS please read this whole thread before thinking 2 factor is the end all in security, because it’s not.

    Myself and others have posted how a few times 2 factor did nothing to protect data. One company (a password manager also) has 2 factor, and how they had it set up, it was actually 1 factor. The link to that article is a few posts up. And if you’re using SMS for the 2nd factor, forget it. It’s horrible.

  • vasilakisfil
    Community Member

    I have read most of this thread but I am confused. I am a member of my company's team and I can access all the secrets by going to company-name.1password.com and providing my (very strong indeed) password. How is that more secure? It boils down to a simple password.

    A good one-time-valid 2FA would mitigate attacks on my sole authentication credential, i.e. my password, because the attacker would also require access to another device or mechanism, and staring at me wouldn't be enough to get access to the company's vault.

  • Ruyven
    Community Member
    edited November 2017

    If I understand correctly, it should only work from devices that are authenticated (which is the same as most 2FA implementations, once you authenticate a device, you can use it with only the password.) What happens if you log into company-name.1password.com from a computer / device you haven't used before?

    Also, I have a further question to the AgileBits team: What I don't understand is if it's possible to log in from a device without authenticating it. Once you use a new device (like a public PC) you have to use an existing trusted device (like your smartphone) to authenticate it and 1Password will create a new account key for that device¹, right? Am I correct in assuming the only way to de-authenticate that device is to delete the account key for it after you're done? If so, can you do that remotely if you forgot to do it on the device?

    ¹ i.e. create it on the device and it never leaves the device

  • AGAlumB
    1Password Alumni

    Installing malware is not as easy as just typing your password.

    @DominikS: What I'm saying is that anyone with access enough to enter your Master Password into 1Password on your machine could also install malware there so they don't have to bother to find out your Master Password in the first place.

    It does not have to be the owner of that PC.

    If they have that kind of access to your machine, they can take it over. At that point they are the owner so far as the OS is concerned.

    1Password locks after a time, and that is good. But when I forget to lock my PC for a few minutes and go, for example, to the toilet, someone else could get all my passwords.

    1Password cannot protect you if you give someone access to your machine. See above. Your data is encrypted when you're not using 1Password, but someone who has physical access could install malware to capture information as you access it. That's the concern. And authentication cannot prevent that.

    With 2-factor it's not so simple, and I get info on my phone that someone tried to log in to my account. Why does 1Password not want to add that like others?

    Because 1Password is designed to protect your data even if the attacker steals the database. That's why encryption is the foundation. With authentication, that has already been bypassed if they have the database. If and when we add a more traditional multifactor authentication, it will be in addition to that. But it has to be usable and offer an additional benefit to users, not just security theater, and another potential way for people to lock themselves out of their own data. That's important, because your data is of no use to you either if you cannot access it.

    You are creating software for security and this is not secure. Maybe this situation is not frequent, but for me it is a security bug.

    Apart from our own efforts, we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them. You're welcome to participate yourself and get paid for any security flaws you can find.

    I'm testing some other company's solution with 2-factor. If it is as usable as 1Password, I will be moving to that solution from 1Password, because of the missing 2-factor in 1Password.

    I think it's a bit short-sighted to focus solely on "2 factor", but that's your prerogative. After all, it's your data! It's good that you're checking out all of your options, and that there's competition out there. It makes us all work harder. But you should check out our security whitepaper before you make a final decision, based on all of the information available to you. Cheers! :)

  • AGAlumB
    1Password Alumni

    I have read most of this thread but I am confused. I am a member of my company's team and I can access all the secrets by going to company-name.1password.com and providing my (very strong indeed) password. How is that more secure? It boils down to a simple password.

    @vasilakisfil: I'd encourage you to not use a simple password, but a long, strong, unique one.

    However, with 1Password.com, that isn't your sole protection. It's the most important, but we also use PBKDF2 to slow down brute force attempts against your Master Password...and since the (128-bit, randomly generated) Secret Key is also used to encrypt your data, an attacker would need to know that too. It's a pretty tall order, and makes it infeasible to break into your data on a human timescale.

    A good one-time-valid 2FA would mitigate attacks on my sole authentication credential, i.e. my password, because the attacker would also require access to another device or mechanism, and staring at me wouldn't be enough to get access to the company's vault.

    See above, as this isn't a single point of failure. But also don't assume that an attacker would need to access another device when it would be easiest and most efficient for them to perform an attack on one you have already authorized. The "bad guys" aren't stupid; they will take the path of least resistance.
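    The following is an added illustration, not 1Password's own code or its exact key-derivation scheme, of the point brenty makes above: an attacker who steals the encrypted database bypasses authentication entirely, so what matters is whether the derived key can be brute-forced. It mixes a PBKDF2-stretched Master Password with a random 128-bit secret key (a simplified stand-in for 2SKD; the XOR combination, iteration count and key-check tag are this example's own choices) and runs a wordlist attack against a stolen blob with and without the secret key.

    ```python
    import hashlib
    import hmac
    import os
    from typing import Optional

    # Illustrative parameters (constructed for this demo, not 1Password's values).
    PBKDF2_ITERATIONS = 10_000   # kept low so the demo runs in a moment
    SECRET_KEY_BYTES = 16        # 128 bits of randomness, the size brenty cites
    KEY_CHECK_LABEL = b"key-check"


    def derive_key(master_password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
        """Illustrative two-secret key derivation.

        The Master Password is stretched with PBKDF2-HMAC-SHA256 (slow on purpose,
        to blunt brute force).  If a secret key is supplied, it is expanded with
        HMAC and XORed into the result, so the final key depends on BOTH secrets:
        guessing the password alone is not enough.
        """
        pw_key = hashlib.pbkdf2_hmac(
            "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
        )
        if secret_key is None:
            return pw_key
        sk_key = hmac.new(secret_key, salt, "sha256").digest()
        return bytes(a ^ b for a, b in zip(pw_key, sk_key))


    def make_vault_blob(master_password: str, secret_key: Optional[bytes]) -> dict:
        """What a stolen database hands the attacker: the salt plus a key-check tag.

        The tag stands in for ciphertext; it can only be reproduced with the
        correct derived key, which is all an offline guesser needs to test guesses.
        """
        salt = os.urandom(16)
        key = derive_key(master_password, salt, secret_key)
        tag = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
        return {"salt": salt, "tag": tag}


    def key_opens_blob(key: bytes, blob: dict) -> bool:
        """True if `key` reproduces the blob's key-check tag (constant-time compare)."""
        candidate = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
        return hmac.compare_digest(candidate, blob["tag"])


    def offline_dictionary_attack(blob: dict, wordlist, secret_key: Optional[bytes] = None):
        """Offline guesser holding only the blob (and, in the best case for the
        attacker, the secret key).  No server, no 2FA prompt, nothing to rate-limit.
        Returns the recovered password or None."""
        for guess in wordlist:
            if key_opens_blob(derive_key(guess, blob["salt"], secret_key), blob):
                return guess
        return None


    def demo():
        # Constructed sample: a weak Master Password that IS in the attacker's wordlist.
        master_password = "correcthorse"
        wordlist = ["password", "letmein", "correcthorse", "hunter2"]
        secret_key = os.urandom(SECRET_KEY_BYTES)

        # Case 1: password-only derivation.  The stolen blob falls to the wordlist.
        blob_pw_only = make_vault_blob(master_password, None)
        recovered_pw_only = offline_dictionary_attack(blob_pw_only, wordlist)

        # Case 2: password + secret key.  Same weak password, same wordlist, but the
        # attacker does not hold the secret key (it never left the user's devices),
        # so every guess derives the wrong key.  Brute-forcing the secret key itself
        # would cost 2**128 derivations per password guess.
        blob_2skd = make_vault_blob(master_password, secret_key)
        recovered_2skd = offline_dictionary_attack(blob_2skd, wordlist)

        # The legitimate user, holding both secrets, still opens the vault.
        user_key = derive_key(master_password, blob_2skd["salt"], secret_key)
        user_can_open = key_opens_blob(user_key, blob_2skd)

        return recovered_pw_only, recovered_2skd, user_can_open


    if __name__ == "__main__":
        print(demo())  # ('correcthorse', None, True)
    ```
    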

  • [Deleted User]
    Community Member

    @brenty

    It is not so easy for any user to install malware on a company computer when you have locked every port and almost everything on the PC.
    Typing someone else's password that I saw is much easier.

    2-factor auth has many implementations.
    Better or worse, but still it is better to have one more level than not.
    For example, 1Password could work like now, but I could turn on functionality so that every time I log in to 1Password I have to give my Master Password and 2-factor auth.
    Now it is only the Master Password.

  • prime
    Community Member
    edited November 2017

    @DominikS

    It is not so easy for any user to install malware on a company computer when you have locked every port and almost everything on the PC.
    Typing someone else's password that I saw is much easier.

    It’s much easier than you think. I see it more than I need to.

  • AGAlumB
    1Password Alumni

    @prime: Likewise, I've seen enough things to know this isn't as rare as it can feel to many of us who have a technical background. Good security hygiene insulates us from a lot of threats that are commonplace for more people...and a security-oriented discussion on a forum like this is going to be self-selecting for people who fall into that category. :(

  • AGAlumB
    1Password Alumni

    @DominikS: It seems like we're just going around in circles here, as that's pretty much the same thing you said last time, ignoring all of my comments. Hopefully your devices are protected by strong passwords too, but yeah as far as 1Password you should be using a Master Password with strength appropriate to the risks you are likely to face with regard to being attacked personally. Authentication can be bypassed, most frequently using malware or social engineering, so again, we're not going to use that just to give 1Password users a false sense of security. It also isn't something we can add at all to local vaults — the topic of this discussion: "Why not use 2 factor authentication to secure my 1Password Vault?" — because there is no authentication. But, as mentioned previously, multiple times, Duo authentication is already available as a beta feature in 1Password Teams Pro accounts. And again, if that goes well, we may be able to offer something similar with other 1Password.com memberships in the future. But again, 1Password's security doesn't depend on authentication the way your other accounts do, and we're not going to be hasty about adding features that can harm more than they help if they're not done right. :(

  • InTheRealWorld
    Community Member

    The attack vector that 2-Factor Authentication would help secure is the Web Interface and the installation of the program and subsequent data access on an attackers device. No one from 1PassWord has addressed the following to my satisfaction, and it seems like they are always skirting the issue... If a keylogger, camera, over the shoulder looker, or thief somehow gains your Email Address, Secret Key, and your Master Password, they can immediately access your Web Interface, and/or install the program and bring your passwords locally to their machine. If 2-Factor was available, they would also have to have stolen my device, without which they could NOT access the Web data, or add my account to their device. I don't think these scenarios are far fetched.

    • A key logger could possibly get past security measures on your device, a camera or over looker could see your entries (remember Sneakers??, and I know they couldn't see the password in that case, but the concept is sound, which is why they tried it), or a thief could crack your "safe place" and steal your recovery sheet. As long as the 2-Factor Authenticator Secret Code is kept somewhere intelligently separate from the device and your recovery sheet, the 2-Factor solution will make any breach a more personal matter, where your device will need to be obtained. I find this kind of personal and physical attack is on a much different level than simple key logging or camera snooping; a garage door left open, a bike left unlocked, or the remote vectors of attack are on a different level mentally than breaking open the garage door, cutting a lock, or confronting someone directly to steal their physical device. Illegal entry, breaking and entering, and assault (like the 5 dollar wrench attack) are all distinct levels of criminality.

    • A recovery sheet is much easier stolen than my phone, IMO. A safe place is often left unattended, for example while at work or on vacation, and you might not know that your stuff was stolen if you aren't there to see it for a while. Our phone, on the other hand, almost always stays in our immediate vicinity, more under our control than most any other item in our lives. It can be very hard to get a hold of without our knowing about it immediately, and then it is still password protected in itself, so the 2-Factor would not be immediately accessible either.

    • What if you find yourself in the situation where you need to access the passwords on a machine you don't control, like a public, office, or friend's computer... any key logger, camera, or such would be harder to avoid. I know it isn't best practice to enter all this info on a foreign computer, and it would expose your secret key and your master password, but without the 2-Factor access those things would be useless to any other party, and would hinder unauthorized access until you could change the credentials. If the raw encrypted data was obtained, 2-Factor would not add security, I get it, but again, that would require an additional level of a breach, like direct computer access, or hacking 1PassWord or DropBox servers.

    • Even SMS or email 2-Factor removes the access one more level. SMS can be breached in several ways, and the same goes for email, but it is still one more step that must be taken, and one more layer of security.

    • Some of us CAN manage our records to assure data accessibility. Just because some people aren't adept at that shouldn't be a reason for forgoing extra or maximum security for everyone else; many people don't use a firewall, antivirus, complex or unique passwords, or keep the recovery sheet anywhere safer than a wallet or center console of a pickup truck, but that doesn't mean we should stop using passwords or password managers. It would be nice to decide for ourselves to utilize a 2-Factor option or not.

    • There are always more sophisticated attacks that can negate 2-Factor, but the above are some of the easiest and require only basic skills, therefore, they could be said to be more common and realistic.

    I know this is a lengthy post to state the obvious, but I don't see how 1PassWord has ever addressed these issues directly.

    I really wish I could turn off the accessibility of my passwords on the web, or at least lock the access to the Web Interface with 2-Factor, and still utilize the backup, history, and syncing features of 1PassWord. I would also like to be able to prevent my data from being opened on a new device without confirmation from a 2-Factor system. I think Google Auth, SMS, or email 2-Factor does add a layer of security that mitigates the exposure in these scenarios, and I don't see how the current security philosophy of 1PassWord addresses these issues at all. I think it is the one glaring omission from the best password manager I have ever used.

  • InTheRealWorld
    Community Member

    Regarding data accessibility, I would rather lose access to all of my data than have someone else obtain it.

  • InTheRealWorld
    Community Member

    Also, I understand that there is no Authentication in the decryption process. I am referring to adding 2-Factor to web access, and also to the initial download that takes place when adding an account to a new device.

  • AGAlumB
    1Password Alumni

    The attack vector that 2-Factor Authentication would help secure is the Web Interface and the installation of the program and subsequent data access on an attackers device. No one from 1PassWord has addressed the following to my satisfaction, and it seems like they are always skirting the issue... If a keylogger, camera, over the shoulder looker, or thief somehow gains your Email Address, Secret Key, and your Master Password, they can immediately access your Web Interface, and/or install the program and bring your passwords locally to their machine.

    @InTheRealWorld: I don't blame you for not reviewing the entire discussion (it's a bit on the long side!), but this has been discussed at length: In the real world, if someone has the ability to monitor your machine and capture your keystrokes, they can use the one-time password you enter there too...or just capture your data as you access it. So the scenario you're talking about sort of assumes that the attacker is just smart enough to get access to your machine, but too stupid to know what to do with that power. It's certainly possible, but it isn't something we want to design around.

    If 2-Factor was available, they would also have to have stolen my device, without which they could NOT access the Web data, or add my account to their device. I don't think these scenarios are far fetched.

    As mentioned previously, Duo authentication is a public beta feature in 1Password Teams Pro accounts, and it is used on another device as a second factor when signing into 1Password.com. Hence, it cannot be captured via the attack scenario described above because of that, and prevents an attacker from using captured account credentials to sign in and access administrative functions, which could be catastrophic to a team (for example, changing permissions to access data, or simply nuking the whole team).

    Regarding data accessibility, I would rather lose access to all of my data than have someone else obtain it.

    Me too, but the two of us can't speak for everyone. And I hear from a lot of folks who wish we could restore access to their data for them. Recovery is awesome and secure. It isn't something we can do for users though, and it is limited to families and teams, so we'd like to build on that to bring that benefit to more people — without compromising security or privacy by acting as a gatekeeper.

    What if you find yourself in the situation where you need to access the passwords on a machine you don't control, like a public, office, or friend's computer... [...] Even SMS or email 2-Factor removes the access one more level. SMS can be breached in several ways, and the same goes for email, but it is still one more step that must be taken, and one more layer of security.

    No. The whole thing is predicated on the machine you're entering this information into being compromised. None of these forms of authentication protect you in this scenario.

    I really wish I could turn off the accessibility of my passwords on the web,

    It's something we'd like to make possible one day, but at this time if we offered that you'd be locking yourself out of managing your account at all.

    or at least lock the access to the Web Interface with 2-Factor, and still utilize the backup, history, and syncing features of 1PassWord.

    This is possible already with Duo. And we'd like to add more options in the future as well.

    I would also like to be able to prevent my data from being opened on a new device without confirmation from a 2-Factor system.

    It's definitely something we can consider.

    I think Google Auth, SMS, or email 2-Factor does add a layer of security that mitigates the exposure in these scenarios, and I don't see how the current security philosophy of 1PassWord addresses these issues at all. I think it is the one glaring omission from the best password manager I have ever used.

    Your examples are plausible in that they could (and probably do) happen to people in certain professions, but I think we all need to be realistic about our personal threat model. For example, 90% of the fantasy scenarios you go over do not apply to me, and certainly to the vast majority of people. Maybe they are very real threats that you face. I don't know you, so I couldn't say. But even if that is the case, there are precautions you can take today which can mitigate them that do not rely on short one-time passwords. And of course anyone who could be the target of those kinds of attacks today could simply use a 1Password Teams Pro account with Duo and negate most of these scenarios to a large extent. Care is still needed though, as no security is absolute (we're all susceptible to a wrench, even if that isn't likely to be a threat we will face personally).

    I'm sorry if this comes off as a bit adversarial, but if any of us are ever to rely on multifactor authentication (such as one-time passwords, which are the primary request here) for security to any extent (and many of us do for some of our accounts) we need to be honest about the role it can play, rather than ascribing to it capabilities which it does not have. That's the reason I have to disagree so strongly. If and when 1Password supports anything like this, it needs to be clear what benefits it actually offers. If people think it is a panacea which can cloak their data in impenetrable security (it isn't, and it can't), they'll take unnecessary risks (like signing in on untrusted machines). People ask about doing that now, and we're always quick to warn of the risks. If we perpetuate this "2FA" myth, it will just lead to disaster if people are emboldened by a belief that it can protect them even when they engage in this risky behaviour.

    We're going to do more in this area, especially with regard to making more now-web-interface-only functions available in the native apps; and that will, in turn, allow us more granularity with regard to the sorts of security options you're asking for. But if we do exactly what you're asking now, it will not work, and make many people worse off as a result. Thanks for your feedback, and your patience — not only as we develop 1Password.com going forward, but also allowing me to drone on a bit. ;)

  • InTheRealWorld
    Community Member

    Thanks for the response, brenty :) I did actually read everything in the whole thread, and it prompted me to write the above. I get that 2-Factor is not a panacea of security.

    You feel these scenarios are not realistic enough to build protection for, as they are very specific and not relevant to what most people need. That is why I wrote this, because it seems that every AgileBits company response has been adjusted for your own very specific security scenarios, justifying why 2-Factor doesn’t help. Eventually, it seems everyone else has given up because it’s like talking to a machine with an automated response, or a horse with side blinders.

    For example, your scenario requires the attacker to have near real time access to your device while you are typing in the 2-Factor, so they could steal the code and enter it either before it expired (time-based) or before you finish typing it in and press the enter key (true one time based code.) I realize there are currently attacks that are real time enough to work within the 30-second time frame of time-based 2-Factor, but that is more rare, and requires real time access to a machine. True “one time passwords” are only valid for the ONE TIME they are entered, so once you complete the login, it wouldn’t do the attacker any good anyway, leaving less than 1-2 seconds for the attacker to grab your code before you press the final button. That attack has been dealt with somewhat as well by not requiring any button to be pressed to proceed with login as the code is typed in, where login is automatically completed when the last character is typed.

    You seem to reference utilization of subpar implementations of 2-Factor, where codes are either not time based, or where codes are good for more than one use and could be entered first on one device, and then the same code is used again to log in to the second device of the attacker. Sure, weak 2-Factor would have limited efficacy. Time-based and true “one time use” does have real and useful applications, which a good portion of the world sees, and which AgileBits keeps coming up with specific, narrow scenarios where it wouldn’t make a difference, and then throwing it all out the window because of the limited failure modes of the weakest 2-Factor you could implement.

    Your examples only invalidate weak 2-Factor when real time access is obtained. Strong 2-Factor would prevent access at a later time. So in the worst case scenario it might not make the difference, yet in many ways it could help with all but the most sophisticated attacks.

    Whenever the attacker gains access to your stuff, it is only from that time forward that anything is compromised, so the scope of the exposure is limited by the timeframe of the exposure. I don’t type in my passwords with a keyboard directly to the websites I visit, ever; that is what the password manager is for, so I don’t have to type them. The only password I do type in is the password manager password. Someone could watch my computer for 6 months, and they would get little or no password info directly, although my password manager password would be typed in at least every 2 weeks. That would be the windfall. That is the vector of attack that the password managers actually create, and at some level 2-Factor helps mitigate that.

    Over the shoulder, hidden camera, and off the shelf readily available key logger attacks don’t require much sophistication or intelligence. An attacker having the capability and intelligence to carry out one of those attacks, and at the same time not having the skills necessary to gain real time access to your device is very plausible.

    At this time, 1Password has ZERO protection if credentials are compromised, which to me is 1-factor, not even 1.5 factor. The secret key helps, but it doesn’t remove the safe storage or typing factor. I don’t see how it can be reasonably argued that 1-factor can be as secure as 2-Factor, which by definition ADDS a layer of security. I could give out my LastPass credentials willy-nilly, and whoever got them would still have SOME difficulty to access the store. With 1Password it would be a done deal, as simple as using a keyboard.

    People who travel, who you cater to with travel mode, are more exposed to scenarios where a laptop can be stolen from a hotel room, or damaged beyond function in transit… there are times when getting access under any circumstances might be more important than waiting to regain access to a “safe” device. Strong 2-Factor would definitely help mitigate risks, and add to the security of a world-class password solution.

    The benefit of 2-Factor does seem clear to those who are asking for it, and for the companies which have already implemented it. Just because you shoot down a handful out of dozens of scenarios doesn’t make the valid reasons less clear. I think the holistic approach is to cover as many bases as possible, not just the bases you deem vulnerable. There are obvious, realistic, and valid bases left uncovered here, and nothing you can say changes that.

    We can both come up with circumstantial scenarios where 2-Factor is either helpful or not, and we’re both right. I have read all of the AgileBits forum threads over the past 6 years or so discussing 2-Factor that I can find; most commenters see a use for this, and seem to be arguing to people with an ignorant prejudice about any usefulness of well implemented 2-Factor. I would not advocate RELYING solely on 2-Factor, but a good portion of the world believes it does ADD a useful layer of security, and the narrow circumstantial examples you use to negate it don’t consider the broader security applications, which are definitely valid. I will test out the Teams version, as it sounds like it does what I am looking for, although paying more and having to use more complex software for a feature that almost every other password manager includes in the base program is a work around, IMO, not a solution.

  • InTheRealWorld
    Community Member

    The denial of any benefit of 2-Factor using these limited scenarios is why I say AgileBits is skirting the issue. It seems AgileBits just doesn't like it, and/or doesn't want to go to the trouble of development to implement a meaningful 2-Factor solution, and keeps trying to talk their way out of it. Meaningful 2-Factor solutions do exist, and can be implemented, and we see that it is worth the effort, regardless of the weak excuses that keep coming back to us.

This discussion has been closed.