Forum Discussion
dragon1
3 years ago · Dedicated Contributor
Browser AddOn bypassing 2FA and/or Yubikey protection of 1PW Account-Management website. Why?
Hi,
When using your browser addons (all browsers do have the same behavior) I can click within settings at accounts & vaults or integrations and it redirects me to my 1Password account-website 'wi...
1P_Blake
Community Manager
3 years ago
Hey dragon1
What you're seeing here is actually completely intentional behavior, rather than what appears to be a security "loophole" -- let me explain a bit further:
1Password is primarily based on encryption, not authentication. This means that after you've already authenticated a device the first time (via two-factor authentication) and downloaded your data, at that point it's your account password that ultimately protects your local data, as that is how it's encrypted and decrypted.
Authentication and encryption in the 1Password security model
Two-factor authentication protects against the download of your data in the unlikely event someone got ahold of both your account password and Secret Key, but since there's a local cache of your data on a trusted device (in this case, both the extension and desktop app you're signed into) two-factor authentication doesn't come into play at that point - the data's already there on the device, and only your account password can decrypt it.
TL;DR -- Once a device is authorized the first time, two-factor authentication is no longer required, unless the device is subsequently deauthorized through 1Password.com, or the browser/app's locally cached copy of the secret is cleared.
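
The split described in the reply above, as an added example that is not part of the original thread and is not 1Password's code: a simplified model in which the second factor gates only the first download to a new device, while the cached copy is opened by the password alone. All names (`Server`, `Device`, `seal`, `unseal`), the password-only KDF and the toy HMAC-based cipher are assumptions made for illustration; the real product also uses a Secret Key and its own cryptography.

```python
import hashlib, hmac, os

def derive_keys(password: str, salt: bytes):
    # Stand-in KDF (assumption): password only; the Secret Key is left out of this model.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]                      # (encryption key, MAC key)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-based keystream so the example needs only the standard library.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password, salt, plaintext):
    enc, mac = derive_keys(password, salt)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(password, salt, blob):
    enc, mac = derive_keys(password, salt)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted cache")
    return _xor_stream(enc, nonce, ct)

class Server:
    """Authentication side: decides who may download the encrypted blob."""
    def __init__(self, password, vault, otp):
        self.salt = os.urandom(16)
        self.blob = seal(password, self.salt, vault)
        self.otp, self.authorized = otp, set()
    def download(self, device_id, otp=None):
        if device_id not in self.authorized:          # 2FA only gates new devices
            if otp is None or not hmac.compare_digest(otp, self.otp):
                raise PermissionError("second factor required")
            self.authorized.add(device_id)
        return self.salt, self.blob
    def deauthorize(self, device_id):
        self.authorized.discard(device_id)

class Device:
    """Encryption side: holds a local cache that only the password opens."""
    def __init__(self, device_id):
        self.device_id, self.cache = device_id, None
    def sync(self, server, otp=None):
        self.cache = server.download(self.device_id, otp)
    def unlock(self, password):
        return unseal(password, *self.cache)
```

In this model `unlock` never consults the server or the second factor, which is why an already authorized device is not prompted again until `deauthorize` is called or its cache is cleared.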