Temporarily store 2-step verification
As it’s already (welcome) extra work to enter two passwords, could 2-step verification be implemented so that known devices would only need to be verified again every 30 days or so?
At the moment, with 2-step verification enabled, even a page reload triggers triple authentication, which makes the added security a poor experience.
Julian Benner commented
Having to enter the 2FA code every time is especially annoying on Linux, where there is no ProtonMail bridge yet. Please add this ASAP!
Last improvement for me before fully switching to ProtonMail :)
I'm afraid this excessive security makes ProtonMail too difficult to use, and therefore 2FA is not widely used. Login remembering, or at least 2FA remembering, is needed for a good user experience.
Hi, to me 2FA as OTP is useless if it has to be used at every webmail connection. I mean, I won't search for my one-time password on the phone every time I want to check my emails; it is a PAIN. Therefore I prefer having it disabled and waiting for a "remember my device" option, which is... sad.
Gmail and other services have it implemented and let you choose whether to remember the device or not.
Plus I don't think this is tricky to implement so please... :'-(
+1 even as a "security conscious" user it feels very burdensome to enter the code from Google Authenticator every time. I'm perfectly willing to trust my (reasonably-secured) devices.
Definitely agree with this. Please implement a permanent "remember device", or an option to pick permanent or 30-day. (Yubikey would also be awesome!)
I think 2-step is a great idea, but are mobile phones secure enough in general for us to consider this? Most of them are made by known security violators like Google, Microsoft and Apple. The world is in desperate need of a solid Linux phone.
Love that 2FA is enabled, but as it's been mentioned, I'd like to have a trusted device.
Mobile phones are trusted. Would be nice to have the same for a computer.
I do think every device should have to re-enter the key every 30 days.
I am definitely a fan of this. It is doable for Gmail, Facebook, AOL, LastPass, etc. There is no reason to use 2FA EVERY time you log in. Getting my phone out is very unwelcome when really I want 2FA specifically for adding an additional layer of security on unrecognised devices rather than the device I use all the time.
Anonymous Visionary User commented
Please consider enabling a time-limited (e.g. 7, 14, 30 day) setting for two-factor authentication for recognised hardware. I like the current two-factor authentication feature, but it becomes cumbersome across multiple devices in a high-use account. Conceptually, enabling two-factor trusted devices would not remove secondary passphrase functionality but only remove the two-factor authorisation requirement from recognised and pre-approved hardware for the time period chosen.