How can we improve ProtonMail?

Implement Hydro 2FA

I'd like to recommend integrating Hydro Raindrop, a blockchain-based 2FA which provides security against hacking.

This is a safe and quick-to-implement security feature for users of ProtonMail. Here’s a demo of how our product would look from a user perspective:

https://www.youtube.com/watch?v=Rop3Gn8CUew

Hydro Authenticator (Hydro: Security & Identity)

- 100% Free (integration and use)

- Available on iOS & Android

- Implementation only takes 1 hour

- Seamless portal for blockchain-based identity management and document signing for your users can be integrated in future versions; one-stop shop for your users’ financial lives, powered by blockchain technology.

Check out the Hydrogen site for more information https://www.hydrogenplatform.com/

818 votes
Milvus shared this idea

48 comments

  • Milvus commented

    Thanks for the intelligent and well thought out feedback 'blockchains are useless'.

    TOTP may be industry standard, however, industry standard is not always good enough. One of the UK's largest telecommunications companies (EE) claims to have industry standard, whilst using username and password with no MFA.

    TOTP is better than no 2FA and better than email/SMS 2FA, however it has significant problems. There is a reason why Google dropped it from their own systems and moved their employees over to the Titan key (U2F) system.

    When using TOTP, in order to generate a 2FA access code there needs to be a shared secret on both the device and the servers of the system you are trying to access. In order to generate this access code the shared secret cannot be hashed, instead it has to be in plain text.

    This means that if someone accesses the database for whatever website you are using they will have the shared secret for whatever account they want. Goodbye 2FA.

    Both the Hydro authentication protocol, and U2F keys like Titan and Yubikey, use public key cryptography to verify your identity. This means that the secret, or private key, is stored on the device and the public key is stored on the server. This means that even if a hacker gains access to the database then they only have access to a public key, and that is useless by itself.

    Of course it's never a case of one type of 2FA or another. Websites can offer more than one option.

    It should also be noted that the Hydro protocols are open source, so ProtonMail or any other provider, could build the MFA directly into their app for free, negating the need for any third party apps, including the above app from Hydrogen.
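
Added example, not part of the original thread or of any project named in it: a minimal RFC 6238 TOTP in Python illustrating the property the comment above describes, that a server can only verify a code if it holds the shared secret in recoverable form. The secret is the RFC 6238 Appendix B test value, and `server_verify` and `demo` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # RFC 6238 Appendix B test vectors use 8-digit codes


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the only inputs are the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(stored_key: bytes, submitted: str, unix_time: int) -> bool:
    """Hypothetical server check: recompute the code from what the database holds."""
    expected = totp(stored_key, unix_time, digits=DIGITS)
    return hmac.compare_digest(expected, submitted)


# Constructed sample input: the published RFC 6238 test secret and timestamp.
SECRET = b"12345678901234567890"
NOW = 59


def demo():
    device_code = totp(SECRET, NOW, digits=DIGITS)
    # Case 1: the server keeps the secret itself, so verification succeeds.
    ok_recoverable = server_verify(SECRET, device_code, NOW)
    # Case 2: the server keeps only a one-way digest of the secret. It can no
    # longer recompute the code, so the genuine device is rejected.
    ok_hashed = server_verify(hashlib.sha256(SECRET).digest(), device_code, NOW)
    # Case 3: any copy of the stored secret yields the same code as the device.
    copy_matches = totp(SECRET, NOW, digits=DIGITS) == device_code
    return device_code, ok_recoverable, ok_hashed, copy_matches


if __name__ == "__main__":
    print(demo())
```

Because the stored value alone is enough to compute valid codes, a TOTP secret store warrants the same protection as the credentials it supplements, for example encryption at rest with the key held outside the database.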

  • Milvus commented

    Hello Lucian,

    I think you misunderstand how Hydro works. The creation of a HydroID is the only time that anything relating to authentication is written to the blockchain. From that point it is only a read of the chain. This verifies that the correct user signed a message whenever the user is trying to authenticate themselves. Your authentication attempts do not get stored on chain - that would be slow and expensive.

    Also the project is already decentralized and is becoming more so by the day. I am not sure why you think it is centralised.

    We would love to hear from you about 'unaddressed security issues' or any other concerns you may have over at the Hydro Community GitHub - https://github.com/HydroCommunity/Community-Brainstorming/issues, or you can chat to the developers directly on Discord (discord.gg/gxAUagw) and Telegram (https://t.me/projecthydro)

  • Lucian Boca commented

    I work in the blockchain space and had to warn everyone here that Hydro's solution(s) have fundamental architectural flaws (e.g. storing all authentication attempts on a blockchain), unaddressed security and centralization issues and would likely introduce friction via a custom token. This is shameless, unsubstantiated marketing hype.

  • Milvus commented

    @4rsy3dw74e security does not have to be one thing or the other. There is nothing stopping ProtonMail from implementing both systems.

    Not everyone has $45 to spend on another device that can be easily lost or stolen.

    I also wonder if you have actually looked at the Hydro system?

  • Anonymous commented

    I believe Hydro will be a great feature on ProtonMail for safety and because it is 100% free to implement. Hydro seems to be a better alternative to Google Authenticator, Authy or SMS.

  • Anonymous commented

    Go with Hydro we already implemented on it. As well those big partners Example TD Bank??? Ohh come on...

    This is the future so we need Hydro! :)

  • Milvus commented

    Hello Anonymous,

    Thanks for the comments.

    To answer your points, the codes are not sent through the blockchain, this would be slow and expensive. Instead, the user creates a user ID (HydroID) which is recorded on the blockchain when setting up the app (a process that requires no email or other information). From then on site logons only check that they are the owner of that ID by reading off the blockchain, which is a fast and free process.

    This process is 100% free to implement, use, download & deploy. At no point would the user or ProtonMail be required to purchase Hydro.

    With regards to the Google system, there is a reason that the authenticator was dropped by Google themselves. This short video should show the differences.

    https://www.youtube.com/watch?v=d88jbPdxI88

    With regards to your final point I can understand your wariness. I would like to point out that Hydrogen have never sold any tokens, however there were a certain number given to developers for free to develop on the ecosystem. Please do read up on the project, you may be surprised what you find.

  • Stephen Ward commented

    Implementation of the Hydro 2FA app gives users much needed improved security! It's free so would be stupid not to.

  • Anonymous commented

    This is straight up retarded. It makes no sense. Why is it sending the codes through a blockchain? How does this benefit anyone? Why not just send it directly to the website like Google Authenticator does? It's faster and more anonymous.

    I believe you have purchased a shitcoin sir. Stop shilling your utter garbage all over the internet.

  • Anonymous commented

    Hydrogen platform is making really good progress with raindrop implementation👍
