
> Offer two factor authentication (password + keyfile) for all formats supporting encryption, to increase security against guessing and dictionary based attacks on weak passwords.

uhhh, that’s not how symmetric encryption works. We have salted password-based (PB) KDFs for exactly this purpose.

Encryption probably doesn’t belong in the compression container format.




The quote is correct. It does not say they're not using a KDF or salting, which you seem to read into it? The keyfile is the "something you have" and the password "something you know", so two-factor checks out, even if it's not a time-based token that people expect nowadays (though TOTP is essentially the same but on another device, extracting time-based short codes from the long key to make it convenient to type over). No matter how good your KDF, a weak or reused password can still be crackable, so a key file can make sense even if you use a salted KDF.


How is this different from just a keyfile?


Someone with the keyfile but without the password cannot decrypt?


Do people usually store key material without encryption at rest?

You're not writing the naked bytes of the key directly in a file.

Anyway, authentication refers to communication between systems. That's not what this is. Decryption is not authentication (except perhaps of the decrypted plaintext, which is not what we are discussing).


> Do people usually store key material without encryption at rest?

As usual, depending on the threat model, yes, it can be very valid to store key material on a disk without encryption. Not everyone is Snowden.


PeaZip also uses a PBKDF (PBKDF2). No longer the latest and greatest, but fine.


I guess I agree with calling PBKDF2 fine, but it may be good to know the caveats:

- Just because it says it uses PBKDF2 doesn't mean it is strong. The strength fully depends on the number of rounds it uses, and especially in legacy (>10 years old) software I often see a fixed number of rounds hardcoded, which can now be computed in a few milliseconds on a CPU.

- PBKDF2 gives the attacker a ~1000x speedup. If your CPU spends 2 seconds on computing the hash every time, an attacker with a run-of-the-mill GPU spends 2 milliseconds per guess (500 guesses per second). Using something like Bcrypt or Argon2, that speedup gets to iirc "only" 12x (so if you spend 2 seconds, the attacker spends ~170 milliseconds, or 6 guesses per second). Iirc this speedup is due to GPU RAM being faster than the main RAM. So while PBKDF2 isn't great, it's also not like it's broken: this has been a known property since forever and it's still orders of magnitude better than a plain hash.
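A concrete sketch of the two points raised in this thread (password + keyfile as two factors, and the iteration count as the thing that actually decides PBKDF2's strength), written as an added example. It is not PeaZip's code and makes no claim about how PeaZip combines the factors; the salt, password and keyfile bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample inputs, not taken from any real archive.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # per-archive, random in practice
KEYFILE = bytes(range(32))                                  # stands in for the "something you have"
ITERATIONS = 200_000                                        # a floor, not a ceiling


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2 over the password, then bound to the keyfile with HMAC.

    The keyfile is hashed first so a file of any length can be used and its raw
    bytes never enter the KDF directly. Neither factor alone yields the key:
    without the keyfile an attacker faces a 256-bit secret, without the
    password they still pay the full PBKDF2 cost per guess.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    if keyfile is None:
        return pw_key  # single-factor mode: password only
    keyfile_digest = hashlib.sha256(keyfile).digest()
    return hmac.new(keyfile_digest, pw_key, "sha256").digest()


def verify_key(password: str, keyfile: Optional[bytes], salt: bytes,
               expected: bytes, iterations: int = ITERATIONS) -> bool:
    """Constant-time check used when opening an archive."""
    return hmac.compare_digest(derive_key(password, keyfile, salt, iterations), expected)


def calibrate_iterations(target_seconds: float, floor: int = 100_000) -> int:
    """Pick an iteration count that costs about target_seconds on this machine.

    Never returns less than `floor`: a count hardcoded years ago and never
    revisited is exactly the failure mode the comment above describes.
    """
    probe = 10_000
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * 16, probe, dklen=32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(int(probe * target_seconds / elapsed), floor)


if __name__ == "__main__":
    key = derive_key("correct horse", KEYFILE, SALT)
    print("both factors:   ", verify_key("correct horse", KEYFILE, SALT, key))
    print("password only:  ", verify_key("correct horse", None, SALT, key))
    print("keyfile only:   ", verify_key("wrong guess", KEYFILE, SALT, key))
    print("iterations for ~0.5 s here:", calibrate_iterations(0.5))
```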
