YubiKey? Ever? No? Hello?
The dedicated Protonmail community deserves a real response from the crack team of Protonmail scientists and engineers. When are you implementing Yubikey, or is your tag line just bs?
"We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. This is why we created ProtonMail, an easy to use secure email service with built-in end-to-end encryption and state of the art security features. Our goal is to build an internet that respects privacy and is secure against cyberattacks.
We are committed to developing and widely distributing the tools necessary to protect your data online. Our team combines deep mathematical and technical knowledge from the world's top research institutions with expertise in building easy to use user interfaces. Together, we are building the encrypted communication technologies of the future."
Please implement this feature; it's a must nowadays for enhanced security, which is basically the same goal as the Protonmail service.
Like others, I feel the rude and aggressive tone is unnecessary and unhelpful, however much I agree with the need for U2F support to be taken seriously by ProtonMail.
It's a shame that new features such as ProtonDrive and ProtonCalendar are prioritized higher than account security.
TOTP is better than nothing, however, and at least they're not using SMS 2FA.
To eliminate the risk of losing one's phone, and with that all TOTP codes, a good compromise can be reached by utilizing the OATH-TOTP module offered by the more expensive YubiKeys (the NEO, 4 and 5 models; the blue U2F-only ones, sold as Security Keys, do _not_ offer this functionality).
They can be programmed with up to 28 TOTP credentials for the NEO, and up to 32 for the 4 and 5 series.
Once programmed, the credentials can be read by the Yubico Authenticator app (available for both desktop and mobiles), which will display the codes within the app just like any other TOTP app.
Should you lose your phone, your TOTP credentials are not at risk since they are stored on the YubiKey itself instead of in the app.
This does not obviate the need for U2F/WebAuthn support in ProtonMail, but it offers a great solution for the TOTP problem when one's phone is lost or stolen, by leveraging one of the YubiKey's lesser known features.
TIP: programme a second key with the same credentials so that you have a backup in case you misplace or lose the main YubiKey.
I hope this is of help to some people.
I have read most of these comments and all the ones stating they are going to stop paying for the Protonmail service. I would like to ask what mail service you are going to utilize that supports U2F and that is not Google? From a quick search, the only email services I found that support U2F are Google, Fastmail, and AOL. Seems to me Protonmail with OTP MFA is a better option.
FIDO U2F is the way to go. It is just too much overhead to sign in using the additional OTP app for an account that is used that much. I was really surprised to see protonmail does not offer this. Makes my ProtonMail account feel less secure than some other accounts which do not advertise security and privacy as much as ProtonMail but offer U2F!
An official response would be greatly appreciated.
I am also surprised by this. I am still waiting on this feature before I start paying for their services. The superiority of secure logins with U2F keys is clear. Say your phone with the OTP app gets stolen... a nightmare. With U2F keys, you can just have backups at home.
ProtonMail team... what are you doing? Please focus on the important things.
Protonmail supports setting up 2fa. Just set it up with your yubikey like I have.
https://protonmail.uservoice.com/forums/284483-protonmail/suggestions/43399935-proton-video-calling If you like this, you will probably like this too!
I would upgrade if you had this option - you are losing money and support.
disappointed user commented
The dismal response from ProtonMail in relation to the highly demanded U2F/FIDO2 support means I won't be financially supporting them with a renewed membership at my next renewal.
I suggest all other users vote with their wallets also, as ProtonMail won't change their stance on this as long as you're all still paying for this lacklustre service.
Lack of U2F support is a JOKE. How can a service advertising as "secure" still say that it will be implemented for such a long time? I understand that domain unification is necessary for that, but for me it is the last paid subscription in protonmail. For me it seems like money making features like drive or calendar are way more important for pm management, but making "donkeys" out of the users & community is unacceptable.
I have a response from ProtonMail and they said they are not working on it. I don't think we should expect it in the coming years.
When I asked them directly "are you currently working on implementing it?", that's what I got:
"Unfortunately, we are not actively working on developing this feature, as our current main focus is toward the ProtonDrive and ProtonCalendar apps."
It would be great to have.
Though, there is no need to be sarcastic, polemic, and rude. If I consider a feature as needed for my requirements, before buying the service I can check whether it is reported in the product details.
Therefore I vote for the idea, not for the useless polemic message.
U2F/FIDO support is the one thing that keeps me from using proton as my primary email.
There's no need to be rude.
Edmund Laugasson commented
Would propose to change the subject title to "U2F/FIDO2 support". Would be more appropriate, especially crucial when we would like to stick with free and open-source software, standards, etc. There is certainly FIDO Alliance at https://fidoalliance.org/ where these new standards are available. Nowadays FIDO2 https://fidoalliance.org/fido2/ , https://en.wikipedia.org/wiki/FIDO2_Project is used. In general, we are speaking about HSM (https://en.wikipedia.org/wiki/Hardware_security_module , https://www.cryptomathic.com/news-events/blog/understanding-hardware-security-modules-hsms) support with nowadays standards, currently FIDO2 and from former times also U2F (https://en.wikipedia.org/wiki/Universal_2nd_Factor). Today we have also CloudHSM (e.g. Amazon https://aws.amazon.com/cloudhsm/ , Google https://cloud.google.com/security-key-management , IBM https://cloud.ibm.com/catalog/infrastructure/hardware-security-module), but also software defined HSM, e.g. Krypton (U2F, https://krypt.co/ , https://alternativeto.net/software/krypton/).
Love ProtonMail. Even have the paid version. Hate not being able to use my YubiKey for 2FA with ProtonMail. C'mon guys! Get with it!
YubiKey is not as safe as open source alternatives like Solo, but yes, I want U2F/FIDO2 support.
This is essential. It's the only 2FA method that
1) doesn't require a mobile phone with a charged battery and a working mobile signal and/or internet connection
2) doesn't require drivers
3) doesn't require a special app
4) protects against man-in-the-middle attacks
5) is incredibly easy to take with you
6) you are likely to always have with you since you leave the house with your keys (right?)
7) is insanely quick and easy to use
8) doesn't pose any risks if you were to lose it since it's not tied to your person, identities, or accounts
9) is durable
10) works anywhere: USB-A, USB-C, Lightning, and NFC
11) you can have a backup of (most services, except Twitter, support registration of multiple U2F keys).
Why this is still not supported is beyond me.
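Item 4 in the list above (protection against man-in-the-middle attacks) comes from the protocol's origin binding rather than from the key itself: the browser, not the user, writes the origin and the server's challenge into the signed client data, and the authenticator signs over a hash of the relying-party ID. The following is an added Python example, not code from the original thread or from ProtonMail; it shows the relying-party checks a server performs on a FIDO2/WebAuthn assertion before checking the signature, using constructed relying-party settings (`mail.example`, `https://mail.example`), a constructed challenge, and hand-built clientDataJSON and authenticatorData in place of a real browser and key. Verifying the signature with the stored credential public key is a further step and is not shown.

```python
import base64
import hashlib
import json
import struct

# Constructed relying-party settings for this example (not ProtonMail's real values).
RP_ID = "mail.example"
ALLOWED_ORIGINS = {"https://mail.example"}
FLAG_USER_PRESENT = 0x01  # authenticatorData flags bit: the user touched the key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, last_sign_count: int) -> tuple:
    """The origin, RP ID and counter checks from WebAuthn section 7.2 (authentication).
    An assertion collected on a look-alike site carries that site's origin, so it fails
    here even if the attacker relays it to the real server within the challenge window.
    Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed (possible phishing relay)" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence (touch) flag not set"
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces; field names follow the spec."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_USER_PRESENT) -> bytes:
    """Constructed stand-in for the authenticator's 37-byte header: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed challenge; a real server draws a fresh one from os.urandom per login attempt.
CHALLENGE = b"constructed-32-byte-server-nonce"

if __name__ == "__main__":
    genuine = verify_assertion_binding(make_client_data("https://mail.example", CHALLENGE),
                                       make_authenticator_data(RP_ID, 5), CHALLENGE, 4)
    relayed = verify_assertion_binding(make_client_data("https://rnail.example", CHALLENGE),
                                       make_authenticator_data(RP_ID, 5), CHALLENGE, 4)
    print("genuine login:", genuine)
    print("relayed from look-alike site:", relayed)
```

The per-credential signature counter is the check behind item 8: a key that was lost and somehow duplicated would eventually present a counter the server has already seen, which is why the server must persist the last counter value alongside the public key.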
disappointed user commented
FIDO2 U2F is a running joke with ProtonMail, I doubt they will ever support it.