2FA before Masterpass

I was just thinking that what I really liked about NordPass was that it used multiple 2FA and changed the order of the passwords, so it used your phone number/2FA app of your choice, and then an email 2FA code that it sent you, and then after you verified both pieces of information you were able to enter the master password.

I really like this order, as it requires somebody to enter a 2FA code prior to trying to guess your master password. Even if this is completed with only one 2FA code, similar to how Bitwarden works currently, moving it to the front instead of having it after the master password would be a huge step up in security for the master password.

A way this could be done is to simply change the Password field to a 2FA field on the website and login screens, based on the email. Then, once that's verified, it would ask for the master password, or potentially a second 2FA code from either a text/email for a new device.

I believe what they're doing is using the 2FA codes as a first-level encryption key, and then having the master password as the final encryption key to access the account.

I do like the idea of 2FA acting as a pre-filter instead of a post-filter.


Personally, I wouldn’t think that requiring 2FA before the master password would be a very good idea, because attackers could easily find out who has 2FA enabled and who does not, which would be a real disaster for those who just trust in the strength of a single master password…

Well, first of all, 2FA should be a default requirement for a password management system.
Second, the master password is used for the encryption, and I am not too comfortable typing it all day long in any environment. Did you guys think about the fact that there are millions of CCTV cameras/webcams/prying eyes around us all day long? Someone could see your email and password just over your shoulder. If it is recorded, they can easily replay it until they figure out your password. So the master password is our weakest link if you think about it, no matter how good it is.

These days, I am using another password management software to house my master password. But I don’t know how many layers I can really do to be truly secure.