Here's the thing. I and many other people who write about security, along with many (not all) folks who work in the security industry use the terms "two-step" and "two-factor" interchangeably, which is confusing. Technically, all two-factor authentication requires two steps. But not all two-step verification employs two factors! This 1Password update emphasizes that difference.
In most cases, the split in risk happens between remote attacks, in which someone cracks a site or your account without being in proximity to you, and physical access attacks, in which someone can obtain your device. With 1Password, you can be remotely exploited in the right (or, rather, wrong) rare circumstance as well.
With true two factor, the two elements are physically separate. The password is, say, in my head, and the SMS message comes via my phone, or I receive a Find My iPhone notification from Apple to validate my Apple ID login. Or I store the password in 1Password, but use Authy with Touch ID to unlock the one-time password. AgileBits argues that having both factors on the same device eliminates the benefit. I'd argue using biometrics for one — with a unique and strong password not stored in 1Password if the recognition fails — and a password for the other separates it enough.
When you merge factors into one place, you lose the benefit of resistance to physical exploitation, but retain the remote one. And even with physical access, they need your password (or fingerprint).
Dear reader, the sophistication that drives you to read this excellent publication may have you tut-tut my previous paragraph. Surely, everyone should enable a second factor and should do it correctly, for the best protection! But because so many people pick weak passwords and because not all sites are exploit-free in how they throttle attempts to crack passwords or prevent their password data from being obtained, a one-time password as a second step is far better than nothing at all, even if using it as a second factor would be superior.
AgileBits' inclusion of TOTP tokens means that someone who otherwise might have skipped enabling two-step verification because of the fuss or management issues now does so, and achieves a substantial bump up in their account's integrity against compromise.
There is one path for exploiting 1Password's new feature remotely, although I feel it's quite unlikely. If you use 1Password's sync features with Dropbox (all versions) or iCloud (iOS/OS X only, and the Mac App Store version of 1Password is required for OS X), someone could conceivably obtain a copy of your vault — the encrypted package of all your password data. If that person had your cloud credentials, your vault, and your password, they would be able to then obtain your two-step password and TOTP.
Sign up for CIO Asia eNewsletters.