We have enabled Duo 2FA for 1Password, and would like to provide some feedback. It does work, but I'm curious if there has been any discussion internally about making the setup more secure.
For example, right now with Duo 2FA, a mobile or desktop 1Password user can ignore the Duo 2FA prompt and still see all the vaults they have access to that have previously synced on the device. They might not get updates, but it still feels a bit insecure.
Some security model where the data is only shown on successful Duo prompt is probably what most customers want. There's also the situation where someone can have their Vault access removed, but as long as they don't reconnect to the internet with the various devices with cached information for that vault, they can export out the data.
Have there been any discussions about addressing security topics like this?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Security