by joshstrange 1684 days ago
I know 2FA is often described in this way but it's not the way I really use it or how your average person wants to use it IMHO. It's just a second piece of data that is needed to login, which does add significant security. Maybe I just don't oversee anything important enough but I don't actually want my digital security to be dependent on a single piece of hardware ever. Yes, I know about backup codes but where are you going to store those if not 1Password/alternative-manager? So for me I'm perfectly happy to keep my 2FA alongside my password in 1Password.

As for "If that 1Password master password is the only thing needed to gain access then you don't really have 2FA." it's not, unless they get access to a device you have logged into 1Password on in the past (and thus entered your secret key [0]). For me this stays true enough to "something I have". If someone has my phone/computer AND can guess my 1Password master password then things are already pretty bleak and they already have access to whatever other 2FA app I was using (Authy/GA).

Lastly, 2FA falls apart if you share an account with a significant other (or a team). In 1Password I can just move that login to a shared vault or share that login individually and everyone can log in and use 2FA. I'm not sure what the alternative would be. Sure, if a product supports multiple accounts or even multiple 2FAs (I don't think I've ever seen the latter, at least in non-enterprise settings) there is a way to do this, but for most apps/SaaS/etc. there isn't an alternative (other than disabling 2FA).

[0] https://support.1password.com/secret-key/


> backup codes but where are you going to store those

On a flash drive/SD card, or even printed out, and then stashed somewhere safe/secure (i.e. not in an unlocked drawer next to your desk)

Yes. I write them in a book. The book lives in a locked desk drawer.

My threat model does not include "Nation state adversary breaks into my home and... reads the contents of the book". If I annoy the Russians enough, presumably they would just try to outright murder me.

In contrast, "Person I annoyed online plans elaborate Internet revenge" is definitely a potential threat I want to cope with, as are "Scam email claiming to be from company I have account with", "Facebook lose everybody's passwords", and so on.

What about the "my house burns down along with all my devices" threat model?

In the event I die, most documents and other material are encrypted and so are now intentionally useless. My accounts are not intended to be "memorialized" or whatever. My net worth cashes out for a handful of people to split up as they choose, or, if they can't/won't, evenly between them.

If you meant somehow the building burns down and destroys all my possessions but leaves me miraculously alive, I lose access to a bunch of stuff. Nothing to be done about it.

But one of the Security Keys lives in my jeans pocket, so if I survive the fire in the regular way, by fleeing a burning building, I still have that Security Key. If I am wearing trousers. Not so many people actually flee naked; if the fire is going to kill you in the time it takes to pull jeans on, you're probably just not making it out at all.