I get the purpose of the secret key, the additional entropy it adds as a sort of master key prefix or two-part key.
What irks me is that, as near as I can figure, it only really serves to secure the database when it is centralized (your cloud, someone else's cloud, etc.). If the secret key is in a browser cookie and only obfuscated, or buried in a native app, then that endpoint at least has part of the overall key (no, the NSA is not after me, just thinking out loud).
So, why not use the master key to encrypt the secret key in the browser and the app? (The cookie one really makes me scratch my head.)
I'm sure I'm way off somewhere, which is why I came by for some clarity.
By the way, I'm trialing the app right now and the reviewers don't do it justice. Not that any of them get into the technical guts of it either. It's why I have LastPass to start with, but I really started disliking it. The updated Elcom blog brought me this way. But you do need some more consistency across platforms (um, oh, about that security audit, either in the web or the Windows client... it would be nice. Everyone else has got it).
And while we are at it, I get that 2FA has nothing to do with encryption. But it would be a huge authorization and authentication peace of mind at the office.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows
Sync Type: 1password