How can we improve ProtonMail?

Temporarily store 2-step verification

As it’s already (welcome) extra work to enter two passwords, could 2-step verification be implemented so that known devices would only need to be verified again every 30 days or so?

At the moment, with 2-step verification enabled, even a page reload triggers triple authentication, which makes the added security a poor experience.

85 votes
    j9t shared this idea

    6 comments

      • Anonymous commented  · 

        +1 even as a "security conscious" user it feels very burdensome to enter the code from Google Authenticator every time. I'm perfectly willing to trust my (reasonably-secured) devices.

      • Anonymous commented  · 

        Definitely agree with this. Please implement a permanent "remember device", or an option to pick permanent or 30-day. (Yubikey would also be awesome!)

      • JC commented  · 

        I think 2-step is a great idea but are mobile phones secure enough in general for us to consider this? Most of them are made by known security violators like Google, Microsoft and Apple. The world is in desperate need of a solid Linux phone.

      • Tony commented  · 

        Love 2fa is enabled, but as it's been mentioned I'd like to have a trusted device.

        Mobile phones are trusted. Would be nice to have the same for a computer.

        I do think every device should have to re-enter the key every 30 days.

      • Anonymous commented  · 

        I am definitely a fan of this. It is doable for Gmail, Facebook, AOL, LastPass, etc. There is no reason to use 2FA EVERY time you log in. Getting my phone out is very unwelcome when really I want 2FA specifically for adding an additional layer of security on unrecognised devices rather than the device I use all the time.

      • Anonymous Visionary User commented  · 

        Please consider enabling a time-limited (e.g. 7, 14, 30 day) setting for two-factor authentication for recognised hardware. I like the current two-factor authentication feature, but it becomes cumbersome across multiple devices in a high-use account. Conceptually enabling two factor trusted devices would not remove secondary passphrase functionality but only remove the two-factor authorisation requirement from recognised and pre-approved hardware for the time period chosen.
