by daveidol 1694 days ago
1. 1Password requires a secret key[1] in addition to the master password to gain access on a new device - specifically to protect against weak/reused/leaked master passwords

2. You can add 2FA (well, technically 3FA if you need the secret key, master password, AND a rotating token) to your 1Password signin as well (I use Authy for that purpose)

[1] https://support.1password.com/secret-key/

2 comments

The second factor for login to 1Password (or other password managers) protects you from people logging into your account officially, but not from vulnerabilities or inside action of the vendor.

1Password also seems able to bypass the secret key ("If you still can’t find your Secret Key, contact 1Password Support."), which means social engineering, phishing, and/or credential stuffing attacks are viable.

By implementing #1 and #2, it seems like you would still have a layer of protection even if your master password gets key-logged.
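The following is an added illustration (not 1Password's code and not posted by anyone in the thread) of the idea behind point #1 in the top post and the conclusion of the last comment: an unlock key derived from both a human-chosen master password and a machine-generated Secret Key. It assumes PBKDF2-HMAC-SHA256 for the password, HKDF-SHA256 for the Secret Key, XOR to combine them, a 26-character Secret Key alphabet, and a constructed wordlist; the real 1Password scheme differs in its details. The `crack` function shows both sides of the trade-off: a key-logged or guessable password is useless to an attacker without the Secret Key, but a leaked Secret Key does nothing to protect a weak password.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Added example, not 1Password's implementation. Assumed parameters below.
PBKDF2_ITERATIONS = 100_000
SECRET_KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols = 5 bits each (assumed)

# Constructed wordlist standing in for a leaked/common password list.
WORDLIST = ["password", "letmein", "hunter2", "correct horse"]


def generate_secret_key(length: int = 26) -> str:
    """Random device-held secret: 26 symbols x 5 bits = 130 bits of entropy (assumed format)."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow KDF on the low-entropy password, fast KDF on the high-entropy Secret Key,
    XOR the two 32-byte outputs. Without the Secret Key an attacker who knows the
    password still faces ~130 unknown bits; without the password the Secret Key alone
    is equally useless."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, dklen=32)
    sk_part = hkdf_sha256(secret_key.encode("utf-8"), salt, b"2skd-example", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enroll(master_password: str, secret_key: str, salt: Optional[bytes] = None) -> dict:
    """What the service stores: a salt and a verifier derived from BOTH secrets.
    Neither secret is stored, so a server-side leak of this record is not enough
    to log in without first reproducing the derivation."""
    salt = salt or secrets.token_bytes(16)
    key = derive_unlock_key(master_password, secret_key, salt)
    verifier = hashlib.sha256(b"verify" + key).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(record: dict, master_password: str, secret_key: str) -> bool:
    """Check a (password, Secret Key) pair against the stored verifier in constant time."""
    key = derive_unlock_key(master_password, secret_key, record["salt"])
    candidate = hashlib.sha256(b"verify" + key).digest()
    return hmac.compare_digest(candidate, record["verifier"])


def crack(record: dict, wordlist: List[str], secret_key: str) -> Optional[str]:
    """Offline dictionary attack using whatever Secret Key the attacker holds.
    Returns the recovered password or None if no wordlist entry verifies."""
    for guess in wordlist:
        if unlock(record, guess, secret_key):
            return guess
    return None


if __name__ == "__main__":
    sk = generate_secret_key()
    rec = enroll("hunter2", sk)  # weak password, strong Secret Key
    # Key-logged password but no Secret Key: the attacker's guess of the key is wrong.
    print("without Secret Key:", crack(rec, WORDLIST, "A" * 26))
    # Secret Key leaked too: the weak password falls to the wordlist immediately.
    print("with Secret Key:   ", crack(rec, WORDLIST, sk))
```

The two `crack` calls at the bottom are the whole argument of the thread in miniature: the Secret Key turns a password guess into a 130-bit search, which is why a key-logged master password alone does not open the account, while a lost or support-reset Secret Key collapses the account's security back to the strength of the master password.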