From another thread…
There’s no real need for a 2nd factor at the kdbx level because the local client machine already has access to everything required to decrypt the Vault. 2FA is more suitable when utilised for services that require remote sign-in (some of which are online password managers). It can also offer protection against weak passwords - as you know (from discussion in the original thread and elsewhere), the KeePass format has inherent protection against this anyway, and Kee Vault offers even more already. I might consider enforcing a minimum password strength in future but would need to see some evidence that this adds something significant to the overall security of the system first.
Theoretically, the Kee Vault account authentication service could utilise 2FA but since your Vault is always encrypted and a compromise of this service doesn’t make it any more likely that your Vault will be broken into, the only real beneficiary of such a system would be Kee Vault Ltd (in terms of a further disincentive against fraudulent login attempts, DOS attacks, etc.).
When you say 2FA here, do you mean a key file or do you mean a different form of 2FA?
Both really. I’m not sure I see the need to consider key files as a separate form of MFA at this time but if you have some thoughts that lead to different security or usability trade-offs based upon different sources of MFA data, please feel free to elaborate.
The reason why I would like to use a keyfile/2FA is that passwords are inherently “short” and possibly “easy to guess”.
If my local machine is breached a keyfile wouldn’t make any difference. It’s more about what happens when the cloud storage/KeeVaultServer is breached. Chances of that happening are slim, but I’d rather be the single point of failure for my database and not rely on anybody else (and also have just myself to blame if anything happens).
If I understand correctly a keyfile is like a second really long password needed for decrypting the database. And even with a “weak” password the chances of breaking the encryption of a database without the keyfile are basically zero.
Although I want to use this feature, I don’t think it’s a viable option for Vault. Transferring the file from one device to the other is tedious and doesn’t “just work”™.
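To make the “second really long password” intuition from the post above concrete, here is an added example (not Kee Vault’s or KeePass’s own code) that models the KeePass-style composite key: SHA-256 over the hashed password, optionally concatenated with a 32-byte key-file secret. The handling of plain key files (32 raw bytes used as-is, 64 hex characters decoded, anything else hashed) is reproduced from memory of the KeePass format and should be treated as an assumption; the slow KDF that a real .kdbx applies afterwards (AES-KDF or Argon2) is deliberately omitted so the illustration runs in milliseconds. The sample password and key file are constructed for the demonstration.

```python
import hashlib
import itertools
import os
import string
from typing import Optional

# Constructed sample inputs for the demonstration (not real credentials).
WEAK_PASSWORD = "cat"
KEYFILE_BYTES = os.urandom(32)   # a freshly generated 32-byte key file


def keyfile_secret(data: bytes) -> bytes:
    """Reduce raw key-file contents to a 32-byte secret.

    Assumed to mirror KeePass's handling of a plain (non-XML) key file:
    exactly 32 bytes are used verbatim, 64 hex characters are decoded, and
    any other content is SHA-256 hashed.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Composite key: SHA-256 over SHA-256(password) || key-file secret.

    The real .kdbx format then runs this through a slow KDF; that step is
    left out here so the exhaustive search below stays fast.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_secret(keyfile)
    return hashlib.sha256(material).digest()


def recover_password(target: bytes, alphabet: str, max_len: int,
                     keyfile: Optional[bytes] = None) -> Optional[str]:
    """Try every string over `alphabet` up to `max_len` characters and return
    the one whose composite key equals `target`, or None.

    This models the work facing someone who holds a copy of the vault (the
    derived key stands in for the header check they would really compare
    against) and who may or may not also hold the key file.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if composite_key(candidate, keyfile) == target:
                return candidate
    return None


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates an exhaustive search must consider:
    sum of alphabet_size**n for n = 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    lower = string.ascii_lowercase
    # Password only: a 3-letter lowercase password falls to 18 278 candidates.
    print("no key file:", recover_password(composite_key(WEAK_PASSWORD), lower, 3))
    # Password + key file, but the searcher lacks the file: same search finds nothing,
    # and guessing the key file instead means a 2**256-candidate space.
    with_kf = composite_key(WEAK_PASSWORD, KEYFILE_BYTES)
    print("key file, not held:", recover_password(with_kf, lower, 3))
    print("key file, held:", recover_password(with_kf, lower, 3, keyfile=KEYFILE_BYTES))
    print("password space:", search_space(26, 3), " key-file space:", 2 ** 256)
```

The point the example makes is the one in the post: the key file does not strengthen the password itself, it adds a second 256-bit secret that must be present on the device doing the decryption, so a copy of the vault taken from cloud storage is useless without it. The same property is what makes the file awkward to move between devices.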
Having a keyfile to lock the database is something that would also make me more comfortable with my kdbx being in the cloud.
I don’t mind moving a keyfile on the computers I use, maybe it could be an option, but not mandatory since most people probably won’t bother with it.