I was having an argument over 1Password's 2FA support not being a second factor. (I don't think it is.) However, it is so much safer than not using 2FA. In similar terms, U2F is amazing and keeps you from being phished and has a great challenge/response protocol; if that was implemented in 1Password (or browsers themselves, thank you!) we'd all be a lot safer than not using it at all.
In 2018 I'm using an app to take screenshots of QR codes to generate one time codes. It's a sad state of the art, we need to do better.
Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.
A different question, though, is whether a password keeper web service could leak passwords like any other service.
> Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.
2FA is meant to protect primarily against phishing. It happens to protect against some other attacks as well, but phishing is the primary motivation.
That's why physical U2F devices are considered the gold standard of authentication today - it's possible to phish a TOTP code, but it's very difficult to phish a U2F signature, and impossible to do so through a scalable, automated attack.
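The difference the comment above describes, as an added example that is not part of the thread: a TOTP code is derived only from the shared secret and the time, while a U2F-style response is computed over the origin the browser reports, so the server can reject a response produced on another site. Assumptions: the model is simplified, an HMAC stands in for the token's ECDSA P-256 signature, and all keys, origins and the challenge are constructed sample values.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, t: int) -> bool:
    # Nothing in the code records which site the user typed it into.
    return hmac.compare_digest(totp(secret, t), submitted)

def _mac(key: bytes, client_data: bytes) -> bytes:
    # Stand-in for the token's ECDSA P-256 signature (assumption, see lead-in).
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def token_sign(key: bytes, challenge: str, origin: str):
    """The browser, not the page, supplies `origin`; the token signs over it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, _mac(key, client_data)

def server_accepts_signature(key, own_origin, challenge, client_data, sig) -> bool:
    if not hmac.compare_digest(sig, _mac(key, client_data)):
        return False
    data = json.loads(client_data)
    return data["origin"] == own_origin and data["challenge"] == challenge

# Constructed sample values, not taken from the thread.
SECRET = b"12345678901234567890"          # RFC 6238 test secret
KEY = b"constructed-device-key"
REAL, LOOKALIKE = "https://example.com", "https://examp1e.test"
CHALLENGE = "c0ffee"

def demo() -> dict:
    code = totp(SECRET, 59)               # user reads the code off the app
    direct = token_sign(KEY, CHALLENGE, REAL)
    relayed = token_sign(KEY, CHALLENGE, LOOKALIKE)
    return {
        "totp_relayed": server_accepts_totp(SECRET, code, 59),
        "u2f_direct": server_accepts_signature(KEY, REAL, CHALLENGE, *direct),
        "u2f_relayed": server_accepts_signature(KEY, REAL, CHALLENGE, *relayed),
    }

if __name__ == "__main__":
    print(demo())
```

The TOTP check passes no matter where the code was entered, whereas the origin-bound response only verifies when it was produced on the server's own origin.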
This is not true. 1Password could have a breach which exposes your master password. A hacker would then have access to your passwords, but not your 2fa. Even if you do not keep these items physically separated like a hardware token, it makes complete sense to have them be in different applications. For example, passwords in 1Password and tokens stored in Authy.