Choose which alias can log in to Proton
Hello, Outlook.com now lets you choose which alias can be used to log in to the account, to improve security.
Why doesn't Proton Mail do the same thing? With this we are protected from botnets (credential stuffing or brute force), because we can create an alias and not share the username with anyone.
Thanks
-
Mick
commented
What K said. I regularly have drive-by attacks on my old website using usernames which haven't been in use for years, yet are still in a database somewhere. Knowing that they're bots, I like to send them to funny places, but the point stands. Hugely increased attack surface for no reason.
-
Mick
commented
How on earth has this not been fixed yet? My subscription is up in September.
Having been on the receiving end of three life-altering cyberattacks since 2002, I am extremely disappointed that a company which prides itself on security and privacy above all else, fails to mention when offering to set up aliases that they can ALL then be used to log in, using the same password (and this is also true if you connect your own domain to it), vastly increasing the available attack surface. I simply can't believe this hasn't been fixed yet.
As I say, I'm looking into options for other providers, in case this still hasn't been resolved by September, which I expect it won't be. I am reluctant to pay for another two years with such a glaring vulnerability like that in situ.
Which is a pity, because I really like the system and their ethos in general.
-
Mick
commented
I have a website which I shut down two years ago due to a massive cyberattack which went on for three days.
Every now and again, while I figure out what to do with it (it was a creative thing), I log on, and there are STILL people regularly trying drive-by attacks on all the previous usernames which the version of WordPress I was using back then allowed them to enumerate easily.
I automatically divert them to people like the NSA and GCHQ on the off-chance that it catches out some eejits, but the fact remains that even 3-4 years after I effectively closed that account, people are still attempting on a very regular basis to log into my site based on accounts which have been released into the wild.
It's fully protected, but my point is that they still try, and there is absolutely no reason to increase your attack surface tenfold for no benefit.
I noticed earlier that my subscription for Mail Plus is up in September. With a heavy heart, I will be reluctant to continue if this still hasn't been sorted by then. I still can't believe we're still complaining about this.
Does anybody actually read these pages at all?
-
Jay See
commented
I have been using Proton Mail for about 6 months now. I do not share the email address for the account with anyone. I don't send or receive email to that address. I don't want anyone to know that email address because someone can try to access my account with it.
Now I have learned that the 5 aliases that I created to compartmentalize and protect myself from login attempts have been null and void. Any alias can login to the same account. I am mystified as to why an alias could be used to login to the account. Using the Plus feature does nothing except to perhaps track the original leak for later spam. The main account address is still exposed.
So, I now have 6 sets of keys to a door which I thought there was only one and it was hidden in my pocket. I can create true aliases at iCloud, Outlook, Gmail and Mailbox which cannot be used to login to the account.
Why are Proton aliases just extra sets of keys? What is the point? Why don't we have true alias email addresses? I was liking Proton a lot until I discovered that all I've done is place flashing red signs across the internet for gaining access to my account.
-
MS
commented
I'd received an email to say that this vital request (and other similar requests) was Under Review but I can't tell whether this is the case or not. Could Proton report on this issue in one of its upcoming road maps? It's honestly such a critical matter and one of the few areas where I think Proton has really fallen short.
-
Liesbeth
commented
I only realised that any alias can be used to login to any part of the Proton suite when I started using it more. I've kept my initial proton address completely safe, but to what end, I'm not sure now.
Even with 2 step authentication this seems odd.
-
Professor Tor Coolguy
commented
It's kind of silly this still hasn't been addressed by a potential Google/Outlook alternative. Serious users don't want to have to use a silly SimpleLogin alias for their business emails. I want to be jsmith @ proton.me or johnsmith @ proton.me in my correspondence with clients, not jsmith.420bananastand @ aleeas.com
-
DZFr
commented
For those who support this, you can also support a similar request here: https://protonmail.uservoice.com/forums/935538-accounts-payments/suggestions/31027744-only-allow-login-with-single-main-address-username
-
meowmeow
commented
This missing feature should be at the top of their to-do list. I've structured my aliases to be used long term for specific accounts and it's very worrying that I'm actually exposing myself to significantly more potential threats to the same account because all of my aliases can be used to sign in. For example, the aliases used for my social media logins vs. the logins for my bank have very different potential threat audiences and back when I was using Gmail there was the relief that if one account was in a breach, I wouldn't have to worry about my other accounts being compromised.
I know simple login and proton pass aliases exist but they aren't as reliable and I can't send emails on behalf of those accounts. I just want my aliases for my main proton account to be toggleable as far as sign in capabilities. Otherwise it feels just as vulnerable as giving out my account's main address for every website I use. We need this ASAP.
-
Arsene Olazy commented
+1
-
Xavier B
commented
I can't believe this feature is still not available...this is like the most simple and basic way to protect an account, even Microsoft have it, for free on top of that.
I finally bought a plan recently because I need some other features, but this one was the main reason why I delayed for so long to take one.
And like some people said, 2FA and Proton Pass aliases are not the solution, just complementary ways to secure our account. For instance, my account on Outlook was spammed DAILY with connection attempts from all over the world until I created a brand new email on my account defined as the only login and that I never share anywhere... No more connection attempts on my account, which brings me more peace, and no more failed attempt notifications at all.
Because of that I must select carefully when I use my Proton email (which is a nonsense for a provider that is supposed to be my main). And guess what? Even like that, one of my Proton emails has been detected in a breach and I have no way to cover it.
-
Strut
commented
I didn't even dare to think this would be an issue in Proton when I did the switch from Outlook. Now I'm missing my Outlook, because of a security / privacy feature. Extremely ironic.
-
Mick
commented
I have a website which I shut down two years ago due to a massive cyberattack which went on for three days. Every now and again, while I figure out what to do with it (it was a creative thing), I log on, and there are STILL people regularly trying drive-by attacks on all the previous usernames which the version of WordPress I was using back then allowed them to enumerate easily. I automatically divert them to people like the NSA and GCHQ on the off-chance that it catches out some eejits, but the fact remains that even 3-4 years after I effectively closed that account, people are still attempting on a very regular basis to log into my site based on accounts which have been released into the wild. It's fully protected, but my point is that they still try, and there is absolutely no reason to increase your attack surface tenfold for no benefit.
-
Mick
commented
I've just been for a walk and had a think about this, and I actually had to take a day off work today due to the stress of a possible system intrusion over the weekend.
The way I see it, there needs to be, at an absolute minimum, a CLEAR WARNING before creating them that these will be effectively used as additional log-ins, using the same password. That way, if that's what the user wants, then fair enough. I think it's clear from the fact that there are 4 separate threads about this precise matter with over a thousand upvotes on them then it's clearly a significant community issue, and if it hasn't been fixed by the time my subscription ends, then I'll have to find somewhere else, especially with the inability to delete said emails. I think that's such a glaring omission for a company which markets itself on world-leading security and privacy, that I simply can't believe it's been left standing for a decade. I can't subject myself to the likes of LastPass or anything similar yet again. It will break me. That's what I have to say about that. Which is a pity because you saved me from the **** of what Gmail put me through.
-
Mick
commented
I also notice that you can only delete one email address a year.
I've just gone in and ticked the "disable" button next to all but two of them and received this message. If, despite rendering it unusable, it can STILL be used to log in, then that's even more preposterous than I thought.
"By disabling this address you will no longer be able to send or receive emails using this address and all the linked Proton products will be disabled.
Are you sure you want to disable this address?"
-
C
commented
100% agreement with Abhiman. I also use Posteo, which is a German mail company with a focus on privacy and security, and they also have this feature. It's actually the main reason why I didn't switch to Proton completely.
-
d
commented
I believe the best is to be able to choose which method/methods you prefer: username, or choose which email addresses. Also, to be able to 1) change the username 2) remove added email addresses from the ProtonMail web page (not only disable them. Now you must send an email to Proton in order to delete unneeded disabled email addresses).
-
Abhiman commented
I just posted about this issue on the Proton subreddit and got hundreds of comments. Here's what I found:
The majority of responses fell into two camps:
1. "Just use strong password + 2FA" - Many people said this isn't a real security issue because proper authentication layers are what matter. While I understand this technically, it still doesn't address the fundamental problem of expanding the attack surface unnecessarily.
2. "Use SimpleLogin/Pass aliases instead" - This was the most upvoted workaround (70+ upvotes), but it doesn't solve the problem for those of us who need actual email addresses for business communication. I need to send and receive emails professionally from my custom domain, not work around with aliases that require extra steps for every outreach.
The concerning part: Someone claiming to work at Proton messaged me directly saying "people like you made our work difficult because you will always find a way to complain about something" and criticized my post history. When I asked Proton directly if this person is actually on their team, I haven't gotten a response yet.
The validating part: Multiple users confirmed they face the exact same concern. Several mentioned that Outlook, Google Workspace, and Hostinger all offer this feature. One user who works in software development suggested Proton might be avoiding this because it's a foundational codebase issue that would require significant effort to fix.
My use case: I use one email address publicly for business - it's on my website, social media, business cards, everywhere. That same email can login to my Proton account. If my credentials ever leak (phishing, my mistake, whatever), attackers already have half of what they need because my login email is plastered all over the internet.
This isn't about replacing 2FA or strong passwords. It's about having basic security controls that are standard everywhere else. Proton, please at least acknowledge this request after years of community feedback.
-
Oryzias
commented
It would indeed completely make sense from a security standpoint to be able to restrict e-mail addresses that can be used to log in with in Proton to just one (which you then don't share with anyone and you just use other e-mail addresses for all e-mail communication instead).
Considering the account security nature of this feature request, I've marked this feature request as critical for me.
-
Rob
commented
Yes please! There's a similar thread under the account section too that has gone unanswered by Proton since 2017. If any Proton employee reads this post, can you please ask a supervisor to look into it and at least respond whether or not there's some technical limitation preventing Proton from implementing this despite Outlook being able to?