> I don't think it can be done without hurting seriously usability (like having one 2fa verification each time you use a credential would work)

I wouldn’t mind tapping a YubiKey or my MacBook‘s Touch ID every time a password is accessed from the vault. That’s essentially how ssh keys work with smartcards or security keys as a second factor.

Usually non-technical management are the ones that are against this kind of measures. This recent Passkeys initiative (that's what allows using secure enclave as a Webauthn key) is amazing though, I really hope it changes the game and maybe finally obsoletes passwords as a whole.

Also, as an aside. While correctly implemented Passkeys (without fallback auth methods) would make my life as a red teamer much harder, that would have only prevented this attack if the infected machine was engineer's private PC where they used corporate LastPass account and nothing else from their work. If the machine that's used for DevOps work gets infected, that's still and endgame because you're generating all sessions I need during your regular workday, so I don't really need the passwords / decrypted vault.

> like having one 2fa verification each time you use a credential would work

I'm interested in the technical idea here. You have a set of credentials encrypted with AES. So each vault item is encrypted with a symmetric key. How would you build a system to generate those keys using a rotating 2FA that isn't reversible by an attacker that can watch the entire process and can fake the timestamp or other elements on the computing device as needed?

I can see that you have code that enforces 2FA on each vault access, but that code is run on the local system, so it can be trivially bypassed by an attacker with root.

Don't store the encrypted passwords locally. Have them on a server that deliver them only against a valid otp/push notification confirmation on your phone/yubikey tap etc.

That's a valid solution, but I would not select a password vault that was dependent on network access. Offline access to secrets is important to me. Other people might feel differently, of course.

Absolutely agree with you. No offline access was one of the usability trade off I was referring to, that no one seems ready to make in practice.

The product I'm working on have had for a long time an option to require a second factor for each login which works a bit as at described (encrypted data are stored locally but also encrypted with a key that's stored on our servers and protected by 2fa), but at the vault level, rather than at the credential level (it doesn't protect against device compromise, but prevents brute forcing of local data for exemple. You do lose offline access) and the UX is already annoying enough that in practice this feature is very rarely used and we are regularly considering dropping it.

1Password has become really onerous to use in these days of Javascript front ends and PWA's that do norm-breaking things to the UI in a browser. I often get stuck in some sort of crazy loop trying to authenticate the browser plugin versus the app, and then have more frustrations with taps in the apps being re-captured back from the plugin. If any more frustration gets added to the workflow than I'm already experiencing, I'm going to abandon it for Apple's keychain, though I loathe the idea of letting Apple have this last piece of my personal data footprint.

Unfortunately I'm not sure I'm going to manage to sell you our product (and won't even make you the offense to try): we decided to drop our desktop apps alltogether a few years ago and we only have a browser plugin now. Also I don't think we support yubikey login anymore as a result :/ (which I think is what you are referring to by "tap").

I hope you find a product that works for you!