
It's not really a password manager; there are no shared secrets. The site identifies you by a public key. For authentication, it gives you a nonce, and you sign it with the corresponding private key. All the secrets are kept on your device.

I've wondered about the "something I know" dimension as well. Perhaps a passphrase could be used (it already is used to secure the master key). It'd still be a major improvement, as only your local device would need it, and you wouldn't have to have a separate password for each site.




Right; I guess password manager was a bit of an oversimplification there - sorry about that, as was the fingerprint analogy - I guess it's more a concern of someone having my phone and thus instant access. An additional factor would help with that by bringing in the "something I know" dimension.


Yeah, that's a concern of mine too. Looking deeper at the description, it looks like he describes a passphrase-like "local password" on the "The user's view of the application" page [1]. Hopefully that would address that issue (at least as much as passphrases do for SSH keys).

(And no problem. If we were forced to comment using only precise terms, with no simplifications, comments would either be ridiculously long or nonexistent.)

[1] https://www.grc.com/sqrl/userview.htm


SQRL doesn't require a password for each site. The password protects the master key, which is reconstructed before the site-specific key is derived.
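A worked version of the flow described in this thread, as an added example that is not SQRL's own code or spec: the per-site key is derived from the master key, the site issues a random nonce, the client signs it with the site-specific private key, and the site checks the signature against the public key it stored at registration. Ed25519, HMAC-SHA256 over the site name as the derivation step, and the site||nonce message layout are assumptions here; the master key is taken as already unlocked by the local passphrase.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveSiteKey derives a per-site Ed25519 key pair from the device-held master key.
// Assumed scheme: seed = HMAC-SHA256(masterKey, siteName). The same master key and
// site always give the same key; different sites give unlinkable keys.
func DeriveSiteKey(masterKey []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(site))
	seed := mac.Sum(nil) // 32 bytes, which is ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// NewNonce is the site side: a fresh random challenge for one login attempt.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// SignChallenge is the client side: sign site||nonce with the site-specific key.
// Including the site name in the signed message keeps a signature for one site
// from being presented to another.
func SignChallenge(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(site), nonce...))
}

// VerifyLogin is the site side: accept only the nonce it actually issued, then
// verify the signature with the public key stored for this user at registration.
func VerifyLogin(pub ed25519.PublicKey, site string, issued, presented, sig []byte) bool {
	if !bytes.Equal(issued, presented) {
		return false
	}
	return ed25519.Verify(pub, append([]byte(site), presented...), sig)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed sample master key
	pub, priv := DeriveSiteKey(master, "example.com")
	nonce := NewNonce()
	sig := SignChallenge(priv, "example.com", nonce)
	fmt.Println("login ok:", VerifyLogin(pub, "example.com", nonce, nonce, sig))
}
```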



