[mdaniel]

> This appears to also be the case for 1password and bitwarden, so not specifically a lastpass failure.

It is currently(?) the case for Bitwarden, yes, but that's incorrect for 1Password, as they have client-only key material that is never transmitted to the cloud: https://blog.1password.com/what-the-secret-key-does/

[alex-]

Yes, a secret key like this could have made this breach much less concerning. Assuming you trust the company to not also lose this data (that they generate and claim to not store). What I was really hoping to find was a paid, cross platform, cloud sync'ed solution that can be setup to require your password and physical key to decrypt. i.e. have 2FA protection from a data breach like this.

[mdaniel]

There's nothing that I'm aware of preventing one from putting the secret key material on a hardware wallet of your comfort level and having it type in the encoded value when signing onto a new device (the way the Yubikey pretends to be a keyboard when plugged in); obviously(?) 1Password is not incentivized to own such a complex workflow but there's nothing that I can see stopping you from doing it. FWIW they also support 2FA on login, which is different from the secret key to unlock the vault, so ... 3FA?

With regard to the "claim not not store" part, they've had multiple security audits including granting the auditor access to the underlying source code, so if there was something underhanded going on, I believe it would have gotten out by now: https://support.1password.com/security-assessments/

I'm with you that it's not as nice as open source clients, but given a choice between trusting 1Password with code I cannot see and trusting Bitwarden with code that I can see, I'm sticking with 1Password