Security Enhancement Proposal: Periodic Hardware Key Checks
Dear ProtonMail,
I am writing to you with a suggestion for a future improvement to ProtonMail's services.
As a cybersecurity researcher, I frequently encounter various daily security issues.
Moreover, regular reports in the news and discussions with colleagues highlight the prevalence of these breaches, with session cookie theft being a common cause.
Therefore, I would like to humbly propose the following enhancement:
It would be highly beneficial if, in addition to the existing security options, ProtonMail could implement a feature that requires users to periodically confirm their identity using a hardware key, such as a YubiKey, at user-defined intervals.
This measure would ensure that even if a session cookie is stolen, it would be rendered useless to the attacker, as the hardware key confirmation would be necessary to maintain the logged-in session.
This periodic verification would significantly enhance security, as only the legitimate user would possess the hardware key, preventing any impersonation attempts. I understand that not all users have hardware keys and that not everyone is experienced in the field of information technology. However, for those seeking an extra layer of security, this feature would be a valuable addition.
I look forward to seeing such an implementation in the near future, which would alleviate concerns over session cookie vulnerabilities and potential replay attacks.
Thank you for your time!
Best regards,
George A.
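
The periodic check proposed in this post, sketched server-side as an added example (it is not part of the original post and not ProtonMail's code). `SessionGate`, its method names and the 900-second interval are hypothetical, and an HMAC over a server challenge stands in for verifying a WebAuthn assertion from the hardware key.

```python
import hashlib, hmac, secrets

# Constructed stand-in for a hardware key; a real service verifies a WebAuthn assertion.
KEYS = {"alice": secrets.token_bytes(32)}

def sign(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify(user, challenge, assertion):
    return hmac.compare_digest(sign(KEYS[user], challenge), assertion)

class SessionGate:
    """Hypothetical session table: a cookie is honoured only while the key proof is fresh."""
    def __init__(self, verify_assertion):
        self._verify, self._sessions = verify_assertion, {}

    def login(self, user, interval, now):
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "interval": interval,
                                  "verified_at": now, "challenge": None}
        return cookie

    def authorize(self, cookie, now):
        s = self._sessions.get(cookie)
        if s is None:
            return "denied", None
        if now - s["verified_at"] < s["interval"]:
            return "ok", None  # key proof still within the user-defined interval
        s["challenge"] = secrets.token_bytes(32)  # stale: demand a new proof
        return "reverify", s["challenge"]

    def reverify(self, cookie, assertion, now):
        s = self._sessions.get(cookie)
        if s is None or s["challenge"] is None:
            return False
        challenge, s["challenge"] = s["challenge"], None  # single use, blocks replay
        if not self._verify(s["user"], challenge, assertion):
            return False
        s["verified_at"] = now
        return True

def demo():
    gate = SessionGate(verify)
    cookie = gate.login("alice", interval=900, now=0)
    fresh = gate.authorize(cookie, now=600)[0]
    stale = gate.authorize(cookie, now=1000)[0]
    thief = gate.reverify(cookie, b"\x00" * 32, now=1001)  # has the cookie, not the key
    _, challenge = gate.authorize(cookie, now=1002)
    owner = gate.reverify(cookie, sign(KEYS["alice"], challenge), now=1003)
    return fresh, stale, thief, owner, gate.authorize(cookie, now=1004)[0]
```

In this sketch a copied cookie is still accepted until the current interval lapses, so the chosen interval bounds the exposure window.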
