How can we improve ProtonMail?

Temporarily store 2-step verification

As it’s already (welcome) extra work to enter two passwords, could 2-step verification be implemented so that known devices would only need to be verified again every 30 days or so?

At the moment, with 2-step verification enabled, even a page reload triggers triple authentication, which makes the added security a poor experience.

230 votes
j9t shared this idea

    12 comments

      • James commented  · 

        This is essential, especially with the only method for performing 2FA being TOTP.

        This would be slightly more tolerable if FIDO U2F keys were supported, but only slightly.

        Honestly, reaching for the phone to get a TOTP code __EVERY_TIME__ I open a new tab is really counter productive to a daily workflow involving ProtonMail.

        I have many services that use TOTP codes... and this is the _only_ one that doesn't provide the "Trust this device" mechanism.

      • Joaquim Barrera commented  · 

Today I disabled 2FA because of the annoyance of entering the TOTP every time I close the browser. Please implement a "Trust this device for the next 30 days" option.

      • Julian Benner commented  · 

        Having to enter the 2FA code every time is especially annoying on Linux where there is no ProtonMail bridge yet. Please add this asap!

      • FakeCake commented  · 

        Last improvement for me before fully switching to ProtonMail :)

      • Aslanex commented  · 

        I'm afraid this excessive security makes ProtonMail too difficult to use and therefore 2FA is not widely used. Login remembering or at least 2FA remember is a need for good user experience.

      • Pierre commented  · 

        Hi, to me 2FA as OTP is useless if it has to be used at every webmail connection. I mean I won't search for my one time password on the phone every time I want to check my emails, it is a PAIN. Therefore I prefer having it disabled and wait for a "remember my device" option which is... sad.
        Gmail and other services have it implemented and let you choose whether to remember the device or not.

        Plus I don't think this is tricky to implement so please... :'-(

      • Anonymous commented  · 

        +1 even as a "security conscious" user it feels very burdensome to enter the code from Google Authenticator every time. I'm perfectly willing to trust my (reasonably-secured) devices.

      • Anonymous commented  · 

        Definitely agree with this. Please implement a permanent "remember device", or an option to pick permanent or 30-day. (Yubikey would also be awesome!)

      • JC commented  · 

I think 2-step is a great idea, but are mobile phones secure enough in general for us to consider this? Most of them are made by known security violators like Google, Microsoft and Apple. The world is in desperate need of a solid Linux phone.

      • Tony commented  · 

Love that 2FA is enabled, but as it's been mentioned I'd like to have a trusted device.

        Mobile phones are trusted. Would be nice to have the same for a computer.

I do think every device should have to re-enter the key every 30 days.

      • Anonymous commented  · 

        I am definitely a fan of this. It is doable for Gmail, Facebook, AOL, LastPass, etc. There is no reason to use 2FA EVERY time you login. Getting my phone out is very unwelcome when really I want 2FA specifically for adding an additional layer of security on unrecognised devices rather than the device I use all the time.

      • Anonymous Visionary User commented  · 

        Please consider enabling a time-limited (e.g. 7, 14, 30 day) setting for two-factor authentication for recognised hardware. I like the current two-factor authentication feature, but it becomes cumbersome across multiple devices in a high-use account. Conceptually enabling two factor trusted devices would not remove secondary passphrase functionality but only remove the two-factor authorisation requirement from recognised and pre-approved hardware for the time period chosen.
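The "trust this device for N days" mechanism that the original request and the comment above describe, shown as an added example that is not part of this thread and not ProtonMail's own implementation. The class `DeviceTrustStore`, the token layout (base64 JSON claims plus an HMAC-SHA256 tag under a server key), the 30-day `TRUST_PERIOD` and the `simulate()` scenarios are all assumptions made for illustration. The design point it demonstrates: the token only lets a device skip the TOTP prompt, never the password; it is bound to one account, expires on the server's clock, cannot be forged or extended by the client, and can be revoked server-side without rotating the key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# "Trust this device" period asked for in the thread (30 days), in seconds. Assumed value.
TRUST_PERIOD = 30 * 24 * 3600


class DeviceTrustStore:
    """Issues and checks time-limited trusted-device tokens (hypothetical design).

    A token is base64(JSON {user, device id, expiry}) + "." + base64(HMAC-SHA256 tag)
    computed with a server-side key, so a client cannot forge a token or push its
    expiry out. The device ids are also kept server-side so one device, or all of a
    user's devices, can be revoked without changing the key.
    """

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.trusted = {}  # user -> set of currently trusted device ids

    def _tag(self, payload: bytes) -> bytes:
        return base64.urlsafe_b64encode(hmac.new(self.key, payload, hashlib.sha256).digest())

    def issue(self, user: str, now: int, period: int = TRUST_PERIOD) -> str:
        """Only called after a full login (password AND TOTP) has succeeded."""
        device_id = secrets.token_hex(16)
        claims = {"u": user, "d": device_id, "exp": now + period}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        self.trusted.setdefault(user, set()).add(device_id)
        return (payload + b"." + self._tag(payload)).decode()

    def verify(self, token: str, user: str, now: int) -> bool:
        """True only if the token is authentic, unexpired, for this user, and not revoked."""
        try:
            payload, tag = token.encode().split(b".", 1)
            if not hmac.compare_digest(self._tag(payload), tag):
                return False  # forged or altered token
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, UnicodeError):
            return False  # malformed token
        if not isinstance(claims, dict):
            return False
        return (
            claims.get("u") == user                      # bound to the account it was issued for
            and claims.get("exp", 0) > now               # server clock decides expiry, not the client
            and claims.get("d") in self.trusted.get(user, set())  # not revoked
        )

    def revoke_device(self, user: str, device_id: str) -> None:
        self.trusted.get(user, set()).discard(device_id)

    def revoke_all(self, user: str) -> None:
        """Drop every trusted device, e.g. after a password change or a reported theft."""
        self.trusted.pop(user, None)


def second_factor_required(store: DeviceTrustStore, user: str, token, now: int) -> bool:
    """Decide whether the TOTP prompt is needed on this (password-verified) login."""
    return token is None or not store.verify(token, user, now)


def simulate() -> dict:
    """Walk through the situations raised in the thread; returns which logins needed TOTP."""
    store = DeviceTrustStore(secrets.token_bytes(32))
    day = 24 * 3600
    now = 1_700_000_000  # constructed fixed timestamp
    outcome = {}
    # First login from an unknown device: no token yet, so TOTP is required; then trust it.
    outcome["first_login"] = second_factor_required(store, "alice", None, now)
    token = store.issue("alice", now)
    outcome["reload_same_day"] = second_factor_required(store, "alice", token, now + 60)
    outcome["day_29"] = second_factor_required(store, "alice", token, now + 29 * day)
    outcome["day_31"] = second_factor_required(store, "alice", token, now + 31 * day)
    # A token issued to one account must not unlock another.
    outcome["other_account"] = second_factor_required(store, "bob", token, now + day)
    # A client cannot alter a token without invalidating the tag.
    outcome["tampered"] = second_factor_required(store, "alice", token[:-4] + "AAAA", now + day)
    store.revoke_all("alice")
    outcome["after_revoke"] = second_factor_required(store, "alice", token, now + day)
    return outcome


if __name__ == "__main__":
    for scenario, needs_totp in simulate().items():
        print(f"{scenario:18s} TOTP required: {needs_totp}")
```

The residual risk a defender should weigh is that whoever holds a valid token skips the second factor for that account until it expires or is revoked; in a browser it would therefore be stored as an HttpOnly, Secure cookie, listed under the account's trusted devices so the user can revoke it, and cleared server-side on password change.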
