Allow using ONLY security keys as 2FA
I was very excited to see that security key support was added! Please now allow me to disable the authenticator app -- I only want my hardware keys as my second factor.
-
Aurelink commented
I can't agree more!
-
Ashley commented
"JD commented · March 13, 2024 9:56 PM ·
The requirement to have TOTP enabled is pointless and annoying for another reason I discovered today - if you want to switch TOTP apps and you can't extract the secret keys directly (most TOTP apps don't allow this) then you have to delete all your security keys just to get a new TOTP code.
Why? So annoying. "
With regard to TOTP keys.... Aegis & Proton Pass both allow you to see & extract the secret keys, in order to add them to a different authenticator if you so wish. What you are saying is true with regard to the Yubico authenticator (once key is saved, you can no longer see/extract).
-
Michal commented
Currently I'm using Proton Mail as a personal email service, but in my previous workplace we've been using Proton as a corporate email, and since our organization was very security conscious, this was a huge deal for us (every employee had a pair of Yubikeys, but we didn't want them to use TOTP).
-
commented
Agreed, take how Apple implements Security keys as an example of how this should work.
You need at least two to even turn on U2F, and then OTP and other methods like SMS are shut off when you do with the exception of password/account recovery.
Having plain old TOTP as a plain old signin MFA and not at most a recovery method where I’m notified of login attempts alongside security keys should not be a thing it nullifies the added security.
Google also does similar if you opt in to their “advanced protection program”.
The largest players in the industry seem to be in agreement that this is how security keys should work: they should be your only MFA.
-
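The enrolment model described in the comments above (Apple's and Google's "key-only" mode: at least two registered security keys before the software OTP can be switched off, and TOTP no longer accepted once it is) can be stated as a small policy object. The following is an added illustration, not Proton's code; the two-key minimum, the credential-id strings and the method names are assumptions chosen to match the thread.

```python
"""Added example (not Proton's code): a minimal second-factor enrolment policy
that models the 'security keys only' mode requested in the thread.

Rules implemented (assumptions matching the comments above):
  * key-only mode may be enabled only with >= MIN_KEYS registered security keys;
  * enabling key-only mode disables TOTP as a login factor;
  * while key-only mode is on, the registered key count may not drop below MIN_KEYS,
    so a single lost key cannot lock the user out.
"""
from dataclasses import dataclass, field

MIN_KEYS = 2  # assumption: the "require two keys" threshold proposed in the thread


class PolicyError(Exception):
    """Raised when an enrolment change would violate the policy."""


@dataclass
class SecondFactorPolicy:
    totp_enabled: bool = False
    key_only_mode: bool = False
    # Registered WebAuthn credential ids (constructed strings in this example).
    security_keys: set = field(default_factory=set)

    def add_security_key(self, credential_id: str) -> None:
        self.security_keys.add(credential_id)

    def remove_security_key(self, credential_id: str) -> None:
        if credential_id not in self.security_keys:
            raise PolicyError("unknown security key")
        if self.key_only_mode and len(self.security_keys) - 1 < MIN_KEYS:
            raise PolicyError(
                f"at least {MIN_KEYS} keys must remain while TOTP is disabled"
            )
        self.security_keys.remove(credential_id)

    def can_enable_key_only_mode(self) -> bool:
        return len(self.security_keys) >= MIN_KEYS

    def enable_key_only_mode(self) -> None:
        if not self.can_enable_key_only_mode():
            raise PolicyError(
                f"register at least {MIN_KEYS} security keys before disabling TOTP"
            )
        self.key_only_mode = True
        self.totp_enabled = False  # TOTP is no longer a login factor

    def disable_key_only_mode(self) -> None:
        # Leaving key-only mode re-enables TOTP as a fallback factor.
        self.key_only_mode = False
        self.totp_enabled = True

    def accepted_factors(self) -> set:
        """Second-factor methods the login flow should accept right now."""
        factors = set()
        if self.security_keys:
            factors.add("security_key")
        if self.totp_enabled and not self.key_only_mode:
            factors.add("totp")
        return factors

    def second_factor_ok(self, method: str, credential_id: str = "") -> bool:
        """Gate a login attempt on the currently accepted methods.

        Only the method/credential bookkeeping is modelled here; a real
        deployment verifies the WebAuthn assertion or TOTP code itself.
        """
        if method not in self.accepted_factors():
            return False
        if method == "security_key":
            return credential_id in self.security_keys
        return True  # "totp": code verification is outside this example


if __name__ == "__main__":
    p = SecondFactorPolicy(totp_enabled=True)
    p.add_security_key("key-A")  # constructed credential id
    print("can disable TOTP with one key?", p.can_enable_key_only_mode())
    p.add_security_key("key-B")
    p.enable_key_only_mode()
    print("accepted factors:", p.accepted_factors())
```

Running the block with one key registered shows that TOTP cannot be switched off; with two keys the mode enables, TOTP drops out of `accepted_factors()`, and removing a key that would leave fewer than two is refused until a replacement has been registered.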
neo commented
I would rather use my YubiKey alone. Please implement this, just require two keys.
-
JD commented
The requirement to have TOTP enabled is pointless and annoying for another reason I discovered today - if you want to switch TOTP apps and you can't extract the secret keys directly (most TOTP apps don't allow this) then you have to delete all your security keys just to get a new TOTP code.
Why? So annoying.
-
ktham-proton commented
Security keys still don't work on the Android App...
-
Sion commented
Surprised that I couldn't disable TOTP now that I have the security keys. Please fix
-
Contracontrarian commented
I agree with this proposal. It would be great to be able to remove the TOTP code and just rely on my security keys for login.
-
Christoph commented
I noticed that you can only use a security key as an alternative or additional 2FA method. Could you make it possible to just use a security key?
-
JD commented
The current state of affairs is *very* questionable. Prioritize this.
-
Eros Comin commented
Having this option would make sense in case the user owns TWO security keys.
Furthermore, please implement FIDO2 password-less login.
-
spooky731 commented
100% agree. Using a security key without being able to disable the auth app makes the account less secure, as you now have one more attack surface. Quite questionable decision for such a “security focused” company.
-
Pete Pete commented
I would like to switch off authenticator app and leave only my Security key.
Having authenticator apps makes no sense if you have security keys.
Guessing that there are some users who would like to have both, but for me it's more secure to disable the app auth.
-
xsdux8efh commented
Just added my two security keys and was surprised that I couldn't disable TOTP. Please fix it.
-
Richard O'Neill commented
Requiring TOTP to use a YubiKey is a terrible security and privacy implementation. It needs fixing. If the issue is worry about account locking, why not just require 2x security keys to disable TOTP?
-
Rahul Rana commented
If you really care about security and privacy, you must allow choosing only a hardware key for 2FA.
-
Stevie commented
I wish it were possible to choose to have only a hardware key for 2FA.
-
[Deleted User] commented
I wish Proton would let me use physical keys to access all Proton iOS apps. If we are forced to use authentication codes, how can I stop using Bitwarden? I currently store all of my keys in Bitwarden and log in to Bitwarden using my physical key. I can't store my keys in Proton Pass and still log in to Pass!!!
-
commented
Would be great to see them go beyond this and allow the use of WebAuthn or passkeys as a passwordless authentication method.