Two passwords - a master password, and a secret key. That secret key comprises the phone or laptop with 1password configured being the "something you have" for MFA because it's basically the same as the TOTP seed value/QR code - that secret key is only used by the user when setting up a new device - similar to when a new TOTP MFA is set up.
My password manager requires a hardware token to log in. So now the second factor is "has a device I've logged into my password manager with, or the hardware token for the password manager".
> The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.
Indeed.
It's also why I think U2F should be mandatory in way more places/sites/companies (it is in some, thankfully): you then need to physically have a Yubikey or similar and it's not possible anymore to trade security for convenience. It doesn't solve all security issues, but it's already a great step forward.
When you let people the choice, they'll pick the lazy, insecure, way.