Only allow login with single/main address/username
Do not allow that you can log into the account with every address.
If my account name is john.smith then only allow login with john.smith or john.smith@protonmail.com. Not with finance.john.smith@protonmail.com or any other address.
Perfect would be if you would have the choice what address can be used in order to log into your account.
With the current way you have to give away your login username in order to send emails. Hiding the username from the public would be an advantage, since they would have to guess your username and the password. Not only one of them.
-
Mavorte
commented
From a security view - this kind of removes the benefits of alias email addresses. Should have been implemented long ago - but the team have been busy so hopefully they can address this ASAP. It shouldn't be a difficult change to make. Thanks Proton - sticking with you as you're ironing out issues as best possible
-
Miko (mīkō) commented
This is a critical must-have feature. My User Story: I have a Microsoft account and my original email was exposed in multiple data breaches. First thing I did with my Outlook email when I started getting all the spam and phishing emails was to create a new alias that I would only use to login to my account; I disabled login ability on all other email aliases. After that I was also able to make the new email alias my primary alias for the account while at the same time having a different default email alias for actually sending/receiving emails. This way my login email would never be used for email or as a login email for any other account. On top of that the Microsoft account system allowed me to delete my original email alias completely which then eliminated all the spam. Same thing happened to my parents and I helped with the same fix. In the past my story may have been an outlier case but today it is common for people to receive notifications from a service provider stating that their information has been leaked and that the email was part of that leak. If you match the Microsoft Account capabilities that would be ideal: disable/enable login on any email alias, make any email alias the primary alias, make any alias the default to send/receive email independent of primary alias, ability to delete any alias (even the original alias when account was created without impacting account overall status.)
Kind Regards,
Proton Duo Paying Customer
-
Mick
commented
I've just come here to point out how absolutely ludicrous a security hole this is, especially as I've spent over 5 hours this weekend contacting nearly 200 people about yet another data breach, one of which has recent credentials in it.
If I had the slightest idea when I signed up that all the additional emails could also be used to log in using the same password, then there was no way I would have done it in the first place. And no I didn't know about aliases or SimpleLogin or whatever because I had just signed up and it was 4 years ago.
Yes, obviously you need a strong password and 2FA, but as many other people have pointed out, how is it possibly not LESS safe having 15x as many attack vectors.
As everyone else has said, you should be able to use your default to log in and not give it out to anybody, thus considerably increasing the effort required to break in. As someone who signed up here off the back of three genuinely life-altering cybersecurity incidents, I am astonished that this hole is still there. It really is as bad as WordPress being able to be brute forced out of the box. Though I am heartened that they seem to have finally fixed that.
-
Jack L.
commented
Just started a subscription and created a few aliases - then discovered that I can log in with them, defeating the purpose.
I guess I will go back to paid Outlook subscription.
-
C
commented
I really need this feature. Otherwise, I can’t use my Proton account the way I had planned.
-
protonuser
commented
Completely agree with recent comments. Long overdue. This was why I did not renew my Proton subscription. Hopefully Proton will see sense and go back to fixing the basics before launching new features.
-
pmuv17c
commented
Indeed, and this should reflect the username too. If the alias email for login is pmuv17c@protonmail.com then the username login should also switch to pmuv17c. That way, users can have a specific unused email solely for login.
-
Addy
commented
It is important to use a login that is not associated with a (main) email address. This is an additional step in preventing password guessing.
-
Jesse
commented
Glad this is finally under review. Took long enough!
-
Rob
commented
I'm so excited this is under review! This is the only missing Proton feature keeping me from fully switching over to Proton for everything and ditching Microsoft and Outlook! Proton, please make it happen!
-
pmuv17c
commented
From a security perspective, it would be ideal to choose which alias can be used for log on and be able to exclude the primary address/username altogether.
-
boundless227
commented
I didn't realize ALL of my active addresses can be used for login until now. That's terrifying.
-
Anonymous
commented
Login needs to be a ***unique ID***, not tied directly to an email/alias. Certainly not allowing any email/alias. Ideally, a separate login ID.
-
Clarky
commented
C'mon - even Microsoft allows this - I find it bizarre that 8 years after the request went in you still haven't implemented this. There's no reason to explain why it's important - just be better Proton - I just paid for a year of unlimited and can't believe I'm stuck with a system that allows any alias to log in. It's nuts.
-
[Deleted User]
commented
Freakin' MICROSOFT allows this. You can disable any or all of the aliases from allowing login (well, except for one of course). C'mon Proton, you can do better here.
-
Woof9906
commented
Wow guys, just took a paid plan. This is a basic feature; I'm surprised it's not implemented yet. I want to keep my login secret.
-
Rob
commented
This is possible on Outlook, why can't we get this option on ProtonMail?
-
thirteen
commented
Please allow users to choose which email address can be used to log in, so only the primary address and/or selected aliases work. Currently, the fact that every alias can sign in is a major security risk because leaked or exposed aliases widen the attack surface. Most of us use aliases only for communication; we don't need them to be used for login.
-
uservoice22
commented
It would be really important to be able to choose which addresses can be used to log in.
Aliases should only be used to send and receive emails, not to become additional access points to my account. This way, I can use different aliases without the risk of someone exploiting them to try to gain access.
With the current system, I am forced to “reveal” my login username every time I send an email, because anyone can try to use it to authenticate themselves. If, on the other hand, I could keep my main address hidden, security would be increased: an attacker would have to guess both the correct username and password, not just one of the two.
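The per-address sign-in control requested throughout this thread can be modelled as follows. This is an added sketch, not Proton's code or any commenter's; the `Account` and `Directory` classes, the PBKDF2 parameters and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _kdf("placeholder", _DUMMY_SALT)  # verified against when sign-in is refused
class Account:
    """Hypothetical model: every address receives mail, only flagged ones sign in."""
    def __init__(self, password: str, addresses: dict):
        self.salt = os.urandom(16)
        self.pw_hash = _kdf(password, self.salt)
        self.login_enabled = {a.lower(): bool(ok) for a, ok in addresses.items()}
        if not any(self.login_enabled.values()):
            raise ValueError("at least one address must allow sign-in")

    def set_login(self, address: str, enabled: bool) -> None:
        address = address.lower()
        if address not in self.login_enabled:
            raise KeyError(address)
        others = any(ok for a, ok in self.login_enabled.items() if a != address)
        if not enabled and not others:
            raise ValueError("cannot disable the last sign-in address")
        self.login_enabled[address] = enabled

class Directory:
    def __init__(self):
        self._by_address = {}

    def add(self, account: Account) -> None:
        for address in account.login_enabled:
            self._by_address[address] = account

    def authenticate(self, identifier: str, password: str) -> bool:
        ident = identifier.strip().lower()
        account = self._by_address.get(ident)
        allowed = account is not None and account.login_enabled[ident]
        # Unknown address, disabled alias and wrong password all cost one KDF and return False.
        salt, expected = (account.salt, account.pw_hash) if allowed else (_DUMMY_SALT, _DUMMY_HASH)
        return hmac.compare_digest(_kdf(password, salt), expected) and allowed

def sample_directory():
    # Constructed data; the two addresses are the ones used in the original post.
    account = Account("correct horse battery", {
        "john.smith@protonmail.com": True, "finance.john.smith@protonmail.com": False})
    directory = Directory()
    directory.add(account)
    return directory, account
```

A sign-in-disabled alias fails exactly like an unknown address, so a login attempt cannot be used to confirm that a published alias belongs to an account.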