I don't think this is accurate. It appears that the phpBB instance performs a redirect to a SAML login, meaning the login page where you're being asked for your master password is the regular login page.
Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)
Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)