Add security questions
You can add security questions when resetting a password: after clicking the link sent to the recovery email, and before you can enter a new password, you should answer two (or three) security questions.
This will be additional security for password resets.

At this point, security questions have been shown to not be an effective way to validate a user's identity. At this time the recovery email address is our sole means of identifying a user's ownership of an account.
-
Pasha Salnikov commented
As someone who’s dealt with everything from basic account security to enterprise-level threats, I’ve seen how even small steps—like adding security questions to password recovery—can make a difference in preventing unauthorized access. But for businesses, especially in today’s landscape, those small steps aren’t enough on their own. That’s where SOCaaS https://www.clearnetwork.com/soc-as-a-service/ (Security Operations Center as a Service) comes in. It’s a cloud-based, fully managed solution where a third-party team handles real-time monitoring and response, built on a scalable SaaS model. It gives businesses access to expert-level security operations without the massive investment in infrastructure. From security questions to advanced SOC services, it all adds up to layered, smart protection.
-
Eric K commented
Hey Proton Admin -
Consider that I don't have a second E-mail and will not set one up merely for the purpose of recovering my Proton E-mail.
In addition, the phone number I use for account recoveries is not capable of accepting text messages - IT IS A LAND-LINE PHONE - and I have no intention of getting a cell phone just for the purpose of recovering a Proton account.
Security questions would be MUCH BETTER than having no - or only one - way of recovering an account. This is a case where I think a "bad" option is better than having NO option. And while you consider this a bad option, I personally think I can come up with three security questions where only I know the answer - because I don't post my life on (anti)social media for everyone to see, only a handful of people might actually remember something silly like the not-nice nickname I had in grammar school.
If my computer is compromised and the Proton-generated security phrase gets corrupted - even though it's stored in KeePassXC, nothing is guaranteed - it's all about me remembering my password.
Seriously reconsider your account recovery options! That is one of my biggest beefs with Proton as a paying customer!
Eric K
-
Dis Teay commented
It's a bad idea.
-
bE commented
I despise and don't trust security Qs.
If they must be added, let the user create both the Q and A.
-
Scott Scoville commented
I generate my own highly-secure passwords. Anyone who is too lazy to do this should accept the consequences and have the low security they bought. Security Questions - bah! Make sure you don't make them mandatory. In coming to Proton, I wanted to get away from the encumbering motherhood and nonsense prevalent at Google and Microsoft. If it creeps in here, I am gone.
-
Anonymous commented
But NOT email OR question, but EMAIL AND QUESTION (you have to pass two verifications to gain access).
-
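The flow in the original request (email link first, then the questions, then the new password), combined with the "EMAIL AND QUESTION" point just above, as an added example that is not part of this thread or of Proton's code: the question step is reachable only after the email token has been verified, so it can narrow access but never replace the email check; answers are stored salted and scrypt-hashed like passwords, the token is single-use, and attempts are capped. The class, the method names and the three-attempt limit are assumptions for illustration.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass

MAX_ANSWER_ATTEMPTS = 3  # hypothetical policy: lock the question step after 3 misses

def normalize(answer: str) -> str:
    # Fold case and whitespace so "Rex " and "rex" match; answers are compared, never displayed
    return " ".join(answer.casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store them like passwords: salted, slow hash
    return hashlib.scrypt(normalize(answer).encode(), salt=salt, n=2**14, r=8, p=1)

@dataclass
class RecoveryAccount:
    questions: list            # (question, salt, scrypt(answer)); plaintext answers are never stored
    token_hash: "bytes | None" = None
    token_verified: bool = False
    answer_attempts: int = 0

    @classmethod
    def enroll(cls, qa_pairs):
        salts = [os.urandom(16) for _ in qa_pairs]  # fresh salt per answer
        return cls([(q, s, hash_answer(a, s)) for (q, a), s in zip(qa_pairs, salts)])

    def issue_email_token(self) -> str:
        """Gate 1: single-use token mailed to the recovery address; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self.token_hash = hashlib.sha256(token.encode()).digest()
        self.token_verified = False
        return token

    def verify_email_token(self, presented: str) -> bool:
        ok = self.token_hash is not None and hmac.compare_digest(
            self.token_hash, hashlib.sha256(presented.encode()).digest())
        self.token_hash = None  # consumed whether right or wrong
        self.token_verified = ok
        return ok

    def verify_answers(self, answers) -> bool:
        """Gate 2 is reachable only after gate 1: questions can narrow access, never widen it."""
        if not self.token_verified or self.answer_attempts >= MAX_ANSWER_ATTEMPTS:
            return False
        self.answer_attempts += 1
        checks = [hmac.compare_digest(hash_answer(a, salt), h)
                  for (_, salt, h), a in zip(self.questions, answers)]
        if len(answers) != len(self.questions) or not all(checks):
            return False
        self.token_verified, self.answer_attempts = False, 0  # both gates passed: allow the reset
        return True
```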
Seth commented
I think the current setup is safer (without an email recovery option). Users need to remember their passwords and/or encrypt backups in safe locations.
-
David Burry commented
Depending on how it's implemented, this can, in fact, seriously lower security... see:
https://www.troyhunt.com/adobe-credentials-and-serious/
-
Tester commented
Greg, yes, but currently access to the recovery email = access to the Protonmail account, and I suggest adding security questions AFTER entering the code sent to the security email.
-
Greg commented
"Security questions" weaken the overall security of the account as any research into successful attacks will reveal. Protonmail, please do not mandate the use of these. They really are bad practice.
Frankly, people should be using a password manager and backing up said password manager. If you cannot take responsibility for this, you're probably better off using a more generic email address like gmail or hotmail, which use poor security practices (i.e., being able to "reset" forgotten passwords).