by nicolasehrhardt 4137 days ago
If you remove the password, how is that a two factor? The day you lose your phone/get robbed could lead to your worst nightmares. Definitely would never opt-in. I lose my phone all the time (I know...), but I am pretty sure I am not the only one.

The factors are shifted to the phone. The Clef app on your phone is protected by a PIN (separate from your lock screen code) or TouchID on iOS. Each instance of the app is registered with Clef so you can revoke an individual device.
Yeah, well. "protected" by a PIN. You're implying that if someone gets hold of the phone/mirrors the storage, they can't get at the clef secret key because of the "pin". That's probably not true.

I think (pragmatically) phones can be "something you have" -- but except for a pin/passphrase that actually unlocks the full-device encryption on the phone -- nothing you do with the phone to access a secret key can be considered a second-factor "something you know".

Last I heard iPhones have a decent storage for secrets, in the sense that you can't get at them except by using the phone to brute-force the pin (and get into the trusted storage/unlock the key). It's been a while -- maybe iPhone 5/6 are better though. But I doubt it. Android devices in general have no such luxury -- on the other hand one can/should use a complex pass-phrase when enabling FDE, similar to other "soft" FDE solutions, like cryptsetup for Linux. There's a host of possible attack vectors, like subverting the BIOS/bootloader, getting at the juicy bits if the phone is booted up/the device decrypted, probably possible to do cold boot attacks etc...

At any rate, claiming that anything stored in an app is "secure" beyond the basic security of the phone -- is probably just wrong. That doesn't mean a pin is useless, it's just not really "two-factor".