Comment by jaffee

Two Factor doesn't mean 2 devices. Two factor generally has been thought of as "something you know, and something you have."

Let's do a quick threat model on putting both passwords and MFA tokens in a 1password vault.

1Password employees a recovery key + password login by default, and logging into a vault requires you to either have a device with the encrypted vault on it and your password, or have knowledge of your password and knowledge of your recovery key (normally in a file which makes it something you have) essentially traditional 2fa needed to log into a new device.

If someone steals your phone with 1password installed - they need your 1password to be able to access your credentials on the physical device. At that point they already have both your factors - your phone (have) and your password (know) - still protected by 2fa.

If someone manages to fully root your computer, they could wait until you unlock your vault and then extract your credentials. However, if you use traditional 2fa on a separate device - then they can just wait until you log into the target app, and then ride your session and get the same level of access to the target. While there may be a small difference in level of effort or how long it takes, the same access level is possible, and the requirements are that they have very privileged access to your operating system. Someone rooting the device that you login to services is grants them "single factor" access to your services when you access them.

There is some subtle differences between these, but except for situations where you have very high privileged requirements, at which point you should be using yubikeys or standalone MFA devices, using 1Password with OTP and password is very comparable to using a separate device for MFA.

I'm a previous red teamer and currently a blue teamer.

It was never meant to be two device authentication.