AxCrypt is about strong encryption and real protection – not obfuscation. Your scenario with the compromised password is not possible to really mitigate by 2FA. As you say: “Easy peasy, decrypt the file using the same compromised password“.
That’s the thing – AxCrypt is about encryption. If the password to the encrypted data is compromised, the data is compromised as well. That’s the flip side of “If the password to the encrypted data is lost, the data is lost as well”. (There is no password reset with encryption, because the data itself is modified, it’s not about software “letting you in”).
AxCrypt is open source, and the algorithms are public and documented.
If we add 2FA, it just means the attacker will use a different implementation (or more likely, a trivially hacked version of our code) that just uses the compromised password to quietly decrypt the data.
You might feel safer with 2FA, but with AxCrypt it’s not about the feeling, it’s about the fact. The fact is:
If you lose your password, your data is lost.
If your password is compromised, your data is compromised (provided the attacker has access to the data of course).
Adding 2FA to our code doesn’t change that. It is trivial to bypass.
This is the difference between encryption and access control.
If you have data protected using access control under for example Windows, an attacker can mount the disk in a Linux computer and read the data at leisure – because Linux does not implement the access control in question.
If you have data protected with strong and properly implemented encryption, it does not matter where the data is attempted to be read, or using what software. The data is encrypted, access is not determined by software – regardless of how many factors are used to allow access, in the end it’s just software saying yes or no, and this can always be bypassed by having software that always says yes.