Don't require two factor auth on trusted browser
Once I've entered a 2FA code in a browser, it would be good to have an option to trust the browser and not require the code next time.
The Android app already seems to do this - it only required a 2FA code the first time I signed in, but the browser requires it every time.
This has been resolved and Protonmail remembers my browser for some time now. Thanks a lot Protonmail team!
Leszek Karlik commented
Always requiring 2FA and at the same time not having support for U2F means that 2FA is pretty useless for me. A U2F security key is my main method of authentication, and for old sites which offer only TOTP-based security I have an old, not Internet-connected smartphone running an authenticator app, but since ProtonMail requires 2FA every single damn time I simply don't use it.
I agree with most comments below. The duration could be set by the user to keep things secure, or turned off. On Evernote and Squarespace, the duration is 30 days which would work for me. 7 and 14 days are common on other services. This would be MASSIVE for those on Chromebooks which have no way to use the Bridge application.
It would be best if both password and 2FA are bypassed, and a PIN has to be given instead. This can be implemented the same way as in the Android app (do a complete login after a number of failed PINs). Even my online banking believes this is a safe solution, so please give us something like this in the email app too. It's my biggest frustration with ProtonMail.
This is such an obvious necessity that I'm quite surprised it isn't implemented yet (July 2020). I keep using Gmail for many things because I don't have to enter the auth code all the time.
Ron Houk commented
I think users need to have a range to select from on the convenience <-> security continuum. Allowing the user the ability to flag certain browsers/computers as trusted should be an option. You cannot save us from ourselves. :)
I'd like this too. It's a bit annoying needing to enter the 2FA code every time I log in.
Perhaps this could be optional so that users who want/need the extra security of always needing the 2FA code can keep it.