"Smart Idiot Syndrome"

If you lose a second factor controlling the encryption of you vault data then you're screwed. The data can not be decrypted and if it could then the second factor would be worthless.

Nobody who is asking for modern MFA is asking for this. You are stuck in an old way of thinking. Customers want solutions, not excuses.

Regarding the implementation difference, there are 2 schools of thought- 2 camps I guess with strongly held views. In one- cloud is king. Centralized storage and management give you effortless cross-device productivity. In the other camp, cloud is a dangerous & insecure place for storing anything of value. Both are correct- but with recent hacks in the news the cloud side is taking a lot of heat. So in the password management arena you have someone like LastPass with a cloud-centric solution vs. 1Password with a solution where your data is never transmitted to AB. I understand the pros and cons of both- and I would suspect you are solidly in the keep-my-data-out-of-the-cloud camp. So this comment isn't for you- its for 1Password product management- which side do you think will win out? I think the writing is on the wall. As a customer, I want my implementation of password management to do everything for me. I don't want to have to implement alternate schemes of keeping copies of my vault in various places, backing it up, making sure each one has the same strong+unique pasword, uh, er, encryption key. I just want to use strong passwords for all of my websites and to be freed from the burden & risk of managing that.

There will always be a hyper-paranoid niche of users who will never put their passwords in the cloud. But does 1Password want to be the ultimate solution for this niche? Or the best solution for the whole world who want their password solution to be as effortless as possible?

As to the security of the cloud: if my passwords are securely encrypted why should it matter if they are stored on the cloud? I should be able to post my vault on my facebook page or in a public dropbox without fear. This gets into the value prop of the cloud vs. local storage debate. There are tradeoffs.

In their blogs, AgileBits themselves stated the main issue they get is people forgetting their master password. Of course, your MP should be strong, unique and changed often. Now I need to figure out how to not forget it, have secure copies of it stored (and updated) somewhere, and to make sure all my backup copies of my vault have the same secure password. AgileBits has blogs to give advice to users how to manage that. Yuck. I don't want to manage that. Thats what I'm buying software for.

Now, lets say I've just signed up to a very secure web site. I'm sitting in my local Starbucks and just transferred a million dollars to a new trading account. I create a super strong password with 1Password and store it in my local vault. But in order to log into 1P I had to get the little yellow sticky out of my wallet with my super strong 1P password. I stuck it to my Macbook keyboard, logged in and went about my business. But I'm getting a little drowsy and get up to order a quad-shot Americano. I'm only away for a minute, but I turn around and see that my laptop is gone. I have no way to log into my new account- but my thief sure does.

If 1Password were a cloud solution, I could simply log in and get my password from another computer- then go quickly change it before my thief realizes what he just got his hands on. But with 1P today I can't do that.

And if 1Password had a good MFA implementation, they'd have a way to deal with my compromised master password. I'd be able to log in without it, and change it so the thief wouldn't be able to take over my account. If the thief tried to do that before I could get to another computer, a good MFA implementation would prevent them from changing key pieces of info.

MFA at Facebook (and especially Google) isn't just about authenticating access to clear text in their database. Its about identity, chain of custody and reasonable allowances for delegation and assurance of continuity. Yes there are practices that the super secure-minded individuals can & should implement for that in their lives. But like I said, I don't want to do all that. I'm not so sure that AgileBits would claim they don't want or intend to be the solution for people like me. But their blog posts on the subject sure do say that.

Its not just about encryption- thats why I said what you are discussing is "old". Encryption is old-hat now. 1P is probably a good vault solution, but there are lots of ways I can do that including free ones. I want password management- and that includes the scenarios where I need to effortlessly sync passwords across my devices. If my vault is so secure, that shouldn't be a problem- and well thought out MFA helps make that secure even in a world of key loggers and trojan horses. If AB is going to compete in this market, they'll have to embrace the cloud. You can bet that in their product meetings they are talking about that right now (if not already implementing it). My beef with these posts are the black/white statements about MFA-- that if you lose your phone you would forever be locked out of your data (for example). Thats true if your "multi-factor" is part of the key and not part of the authentication and only stored locally (and don't tell me again that you're not authenticating- you are). But it doesn't have to be- thats the narrow thinking. In cloud vs local, cloud is going to win. Don't believe me? Just wait.

@RichardPayne‌ - some good info. I actually like the product. As someone in the technology industry myself, I simply see a common mistake playing out at AB. They have very smart people who are True Believers in their application model (which drives their business model, not vice versa). IMO the bulk of the market is saying that model is wrong. When you are putting that much energy into telling customers, over and over (for years even) that what they want is wrong, well there's a reason 1P is getting lower review ratings that their competitors even when the others have terrible interfaces!

This is really no different to using 1Password with a 2FA enabled Dropbox account since AB does not require online registration in order to use their software.

For a singe user, the differences are small, yet significant- both pros and cons of a service model vs. local app model. For someone that has to roll this out to multiple users, the difference adds complexity & cost that I don't want to deal with. Its not even really an MFA issue I guess, except that I'd expect a service model to have solid MFA.

There is some validity to your argument that this makes LP easier to use, but at the expense of flexibilty. That is choice for the user and I see no harm in AB and LP serving slightly different segments ofvthe market.

There's segments of the market that are very security conscious, understand encryption, manage their safe lock boxes etc. These people are probably concerned about some of the issues you raised- discoverability (legal) for example. This category would include some powerful, rich & tech savvy people-- and also drug dealers and terrorists haha. Then there's everybody else- people who just want to make their digital lives manageable and keep hackers out of their facebook and online bank, and companies who need to find a way to make strong passwords manageable for their employees. Of course, AB can choose their market segment.

Should be too hard to memorise the 6 or 7 words needed for a strong diceware phrase.

Try telling that to my employees and business partners.

Ignoring the fact that 1Password syncs pretty effortlessly using Dropbox, I get it. You want to sacrifice control of your data for slightly less setup work. That's fine, and it's a choice.

I suppose thats the crux of it. In the trade-off between control of data and manageability for multiple users, I need manageability & simplicity first. I expect AB (or any service provider) to implement things as securely as they can, of course. As for law enforcement / discoverability - I don't plan on using 1P for anything where I'll some day be telling LE "sorry I just don't remember that password anymore" to prevent them from getting access. If my employees do, then I'd want to cooperate with LE and give them what they need. Of course, it doesn't have to be LE. It could be a lawsuit from a customer or competitor or whatever. In this case, I don't see hiding passwords as a viable strategy to avoid the consequences of legal action. If I were in the market for secure document storage for things like that, I'd understand that point and we do have some corporate documents stored, for example, in safe deposit boxes etc. Thats just not the product I'm looking for here. I'm looking for secure password management for myself and my employees, and I expect to have MFA as an added layer of security & support for lost/compromised master passwords. I'm not looking for something thats NSA-proof for the hyper vigilant and tech savvy experts. Even for myself, though I have the technical knowledge to manage that, I just want simplification.

That's because you're talking about MFA in a context which doesn't apply to 1Password yet. What your beef is actually with is their entire business model, but you cloyd that behind criticising their lack of MFA.

My beef with the product is lack of simple centralized management without requiring external tools & processes. My beef with the company is the blog posts here trying to tell me (customers in general) that my requirements are wrong. They are marketing to the masses but the mind-set of the blog posters here is geared toward the hyper-vigilant security savvy crowd. Probably my original post is a bit out of place (who am I to tell them their business). But I really am looking for a solution and was kind of flabbergasted by what I was reading here. I've seen this happen in companies before and it doesn't end well. Are they interested in my unsolicited free advice? Dunno. Given the views on this post I'm guessing it will stir some conversation. I'd delete the post if I were them haha. TBH, I would have sent a private email if I could find their contacts somewhere.

My ideal solution would:

• Allow me to purchase licenses for my employees and invite them to sign up easily, with little intervention from me- but the ability to track signups. Employees could optionally get personal accounts to manage their personal identities separate from the company.

• Provide me with a few training videos for the employees- an introduction, a more detailed setup video and a power-user video would be great.

• Would be both simple to use and not unnecessarily obtrusive. 1P is better than LP here.
• Would integrate well in the browsers and apps. This is where LastPass fails. At first I kind of liked the little asterisk they add to login fields. But after a while it was conflicting with the browsers own password management and causing confusion. For example there were some times where I wasn't sure if the strong password got set + remembered or not. It never actually failed where the password LP remembered was the wrong one, but there was confusion.
• Should quickly & easily capture passwords to get everything under control-- then progressively encourage/enforce transition to strong passwords. LP is far ahead of 1P here. They get all the passwords out of your keychain and put them under control. Very cool feature and it worked great.
• Would work seamlessly nearly everywhere. LP has a slight edge of 1P here- there are a few sites where I have to copy & paste passwords manually with 1P and I haven't encountered that with LP. I plan to post that info on another thread for product feedback to them.
• Allow me to set company policies about: which sites to enable (though I'd probably just enable everything), password policies, etc. - and the ability to revoke access to the service at any time. This is why users should be encouraged to manage their personal stuff separately.
• LP is actually moving toward a full identity management service- they provide a SAML identity service that can be used for SSO. This is interesting- not what I was looking for but potentially useful. I think some of the cloud apps I use support SAML auth.
• Integration with various identity providers. Google, for example, though MS would be good too. We'll probably standardize on Google for identity management. When we get bigger we'll of course likely implement our own, but its nice to not have to deal with LDAP/AD for now. We currently use cloud apps from several different vendors- I don't really plan to ever bring these on-premise but eventually I'd like clean SSO with all of them. For now, a good tool for managing strong passwords across them is good enough.
• Support for MFA in the administration of the service, and MFA for user's master passwords. Ideally, they ability to selectively enforce MFA policies. Of course, an MFA solution has to be a well thought out one, not one where you are forever screwed if you lose an access code or something. I'm not even interested in talking about split keys or anything like that. Its just got to work and be recoverable. I really like what Facebook and Google are doing around this.
• A personalized domain would be good: mycompany.agilebits.com would be pl. But securityportal.mycompany.com would be even better (which would make SSL a challenge/cost but it would be doable).

With the exception of that last one, this is pretty much a feature list of LastPass. They just don't have UX in their DNA (another common issue). 1P does and I'd give up a lot of the ideal solution just for the UX- since it will make a difference in whether it gets used or not. But its got to be easily manageable and not require people to become security experts and buy into a hyper-vigilant paranoid mind-set.