Add FIDO2/U2F support to Mobile apps (and allow disabling app based 2FA)
Proton webmail finally supports FIDO2/U2F hardware security keys.
Please add this support to the mobile apps as well. Yubikey has inexpensive NFC-enabled hardware security keys. NFC or not, Proton's app should also support this as an option.
Currently you can only log into mobile with an app-based TOTP code or a recovery code, and you can only unlock a logged-in session with a PIN or biometrics.
It should be possible to make the only option a hardware security key for all Proton apps.
All Proton mobile apps now support FIDO2 for 2FA: https://proton.me/support/2fa-security-key
We'll be adding the option to disable the authenticator app very soon.
-
Daniel L. commented
Definitely need this on the desktop app at least! I would prefer to use my hardware security key as a passkey for all Proton apps and go passwordless, as they are inherently multi-factor!
-
Anon commented
Appreciated.
My first attempts with this feature in the first week resulted in many new pass entities, but no successful logins.
I'll try again and communicate ev. issues appropriately. Many thanks for this excellent feature, we have 3 sets of two keys waiting for this.
Well done!
-
Nathan Beach commented
Proton apps on Android currently don't support hardware security keys as a second factor of authentication despite the Proton web applications offering this support. Please add universal support across all Proton login surfaces for hardware security keys.
-
Anonymous commented
I've been waiting for this for a long time.
Tutanota not only has support for WebAuthn in the app (though it has its own problems), it also has a biometric lock for accessing the app. Even SimpleLogin has this. Currently, if someone were to access my device, they'd have full access. Logging out each time is not convenient; I have to stay logged in. Please add this!
-
Myomer commented
Protonvpn.com (even in a desktop browser) also does not support FIDO2/U2F and you have to use the TOTP app code. If they can add support for that site as well then we could ditch the TOTP app entirely.
-
Myomer commented
The reason you need to have an app as well is because they don't have FIDO2 support for protonvpn.com yet. They also don't have FIDO2 support for their mobile apps. Until these are supported by FIDO2 you'd be locked out of them without the app.
-
commented
They should also work on using the current-gen standards for FIDO2/WebAuthn, where it prompts for a PIN upon activation of the hardware key. As someone who has keys for both work and personal, the PIN feature has kept me from using the wrong key without failing the actual authentication challenge on more than one occasion.
BTW, a workaround I did to reinstitute this keyfob requirement on platforms that still only support TOTP is to just store the TOTP secrets on my Yubikeys using the Yubico Authenticator app. An extra few seconds to copy/paste the code, and an extra app to have to download, but storing the secret physically on the keyfob makes this method of TOTP almost as secure as U2F imho.
-
Playback2265 commented
I suppose it's for preventing users from locking themselves out, since most of them only have one key. But it's still a bad configuration; it must be mandatory to use two methods for the second factor.
If you have two keys, then you configure them both and have a way to connect if you lose one. This should be enough and allow you to remove OTP completely.
-
Psi Rho commented
2FA / MFA should be the accepted standard for improved security by now?! Even Amazon supports OTP by Yubikey with YubiAuthenticator. Any Phone based OTP or 2FA App is inherently unpleasant. So why not support hardware tokens or OTP without the App? I don't quite see the point of being forced to use the App to activate 2FA. Unless this has marketing reasons - but come on we're talking security here - that's why we love ProtonMail. Pretty please with sugar on top: Give us OTP and Yubikey support without the App. Thank You kindly.
-
Brian commented
Would like to see this also, it should not take an Authenticator to log in to iOS, TOTP is pretty weak security.
Not needed for the app lock feature IMO as that is only to prevent snooping by someone you pass an unlocked device to. But for authentication U2F everywhere is a must.
-
Florian M. commented
This is extremely important, as TOTP is significantly less secure than security keys. Since authn is only as strong as the weakest authn method, we need TOTP to go away as soon as possible.
-
Hone Lele commented
Just like the web app, it would be good to have FIDO Security key support for the iOS app, in addition to FaceID.
-
spencer commented
Need more hardware token support. I don't want to have to use the bad Yubikey authenticator "app".
-
Giancani commented
Yubikey has various NFC keys that can be integrated with mobile apps on iOS (and probably Android, too) for 2FA without the hassle of launching a separate app, copying and entering an OTP.
Open app, user/password, swipe Yubico key, done.
That would be a very useful addition.