Only allow login with single/main address/username
Do not allow that you can log into the account with every address.
If my account name is john.smith then only allow login with john.smith or john.smith@protonmail.com. Not with finance.john.smith@protonmail.com or any other address.
Perfect would be if you would have the choice what address can be used in order to log into your account.
With the current way you have to give away your login username in order to send emails. Hiding the username from the public would be an advantage, since they would have to guess your username and the password. Not only one of them.
-
ProtonJ commented
Please Proton Team, this should be an easy security feature to add. I hate that any of my email addresses can be used to log into my entire proton account, I should have the ability to use an email that hasnt been exposed externally as my login, thus preventing any brute force attacks on a compromised address.
-
Evil Spider commented
I m shocked that I can login with aliases, this is really bad.. We really need an option to select the login username, especially as more services are linked now.. We use same account for passwords, vpn and mail
-
Essie commented
I was surprised I could login with all my aliases.
They're aliases, not accounts, so I really wish other people couldn't (try) to login with those emails.
I don't want to use randomized email aliases for everything, so that's why I use protonmail aliases for more important things, but dont want the ability to login with those emails... hope they can add an option to turn it off and only be able to login with the account email -
We need to share this as much as possible with the entire Proton Commujnity. This is a very very very important and critical issue.
-
Paul commented
This is critical. Allowing login with any of the alias emails is a serious security risk. I *never* use the primary email in order to protect the account from hacking but Proton undermines this by allowing login using other emails. Please fix this serious risk ASAP.
-
AP commented
I'm back here reaffirming the importance of this feature to me. This feature which I use with Microsoft Account has saved me from attempted hacking / account take over attempts. I can put my "Main" email address out there without that same identifier being the login address for my account.
With data breaches happening all the time and our email information getting put out there, having a way to secure that email account by using an alternative identifier for log in is critical in maintaining account security. Please implement this feature.
-
Rob commented
I literally just signed up for uservoice for the sole purpose of voting for this suggestion. As an Unlimited paid Proton user, I'm reluctant to use any of my other email addresses anywhere because like others have said, it increases the possibility of someone being able to hack into my account. After learning these emails can all be used to log in, I'm going to deactivate the vast majority of them (nullifying one of the big benefits to being a paid customer). Proton, please fix this... pretty please with a cherry on top!
-
Basile commented
You could simply append your username to your password (e.g. SecurePass-john.smith). This way the attacker also needs to guess your username and password.
-
[Deleted User] commented
At the moment when you create an alias there is no way to turn off that alias or main username as a login vector.
You should add the ability to turn off all forms of sign in Usernames/Emails but one. Of a user's choosing.
So, let a user keep his main username/email activated as a login vector and let the user turn off others that they do not want as a login.
Also if a user wants an alias to be his main login let them add it as a login and then let them have an option to turn off their main username as a login vector.
Similar to how Microsoft Outlook lets you choose to turn off any emails and phone numbers as a way to log in.
-
D commented
This feature is of highest importance. It is the only thing I was disappointed about when switching to Proton. Please, Proton, allow us to select which usernames/email addresses can be used to log in.
-
This is a critical issue. Without that, having multiple address is just multiplying the risks...
Please Proton team, make a rule or a setting to only allow login from the "default" address selected. -
Guy8888 commented
If this feature is implemented, I'll be inclined to buy a paid Proton subscription.
It's essential for me that I can have multiple email addresses that can't be used to find my Proton account. Obscurity is the best form of security.
-
Thomas Anderson commented
The things is: using e-mail by definition exposes your username to others. That same username is used to login.
Why would we expose this username externally at all?
A custom username (e.g. 20 or more random characters) being the only credential that can be used prevents this.
-
Thomas Anderson commented
Dear Proton,
First of all thank you for all the great work and efforts, I think you are a fantastic company. For real!
The situation is, many of us may have used our protonmail e-mail addresses in the past to register at external websites (shops etc.) way before Simplelogin was introduced.
Having multiple e-mail addresses that are able to login to the master Proton account increases the attack surface, if a hacker breaches a webshop and obtains our Proton e-mail addresses.
Could we please gain the option to login with a custom username only and disable all login with protonmail.com, proton.me and pm.me e-mail addresses? So the option = only authenticate with 1 custom username.
This way we can create a long secret username that is never shared externally, e.g. in your password manager, and it increases the security because any e-mail addresses that might have been obtained in the various recent breaches are not able to login to the Protonmail account (e.g. if they try to bruteforce it.)
The ideal scenario would be:
Login with password, secret username and 2FA = never shared externally. Only credential with authorization rights to login.
Protonmail / proton.me / pm.me = rarely shared externally. Can only send mail, use Proton functions.
Simplelogin domains = freely shared externally for e-mail purposes, create new alias when compromised and disable old one.
This is not paranoid. Take a look at the news recently. The current cybersecurity climate demands us all to step up our game and remain ahead. Please implement this.
Thanks for reading this far.
-
mih commented
Please implement this feature
-
Professor Tor Coolguy commented
This seems like a terrible oversight on the part of Proton. I really want to get a paid account, but just like that other encrypted email service that begins with a T, I can't get behind my secure, DeGoogled email and productivity suite being LESS SECURE than the snoopy one I'm trying to leave behind.
-
CC commented
Was looking to get a Proton Mail subscription and ditch Office 365 Personal. This thing right here is a deal breaker for me. It's such an amazing feature that I used a lot in Outlook. I never give out my login address so a hacker would have to guess my login address on top of my password/2fa.
Will stick with Office 365 until this is implemented, if ever. -
David Garcia commented
Personally, I don't see any problem with allowing logins through any of the addresses. Especially if you have enabled 2FA and Sentinel. I prefer to keep the service as is rather than drop an existing feature that might be used by many other users, even if you are not aware of it.
-
Ontkibbeling commented
I was in the process of switching to Proton mail completely, but then, as many others, learned that I can log in using any of my aliases. This is absurd, and makes me immediately roll back my switch to Proton mail.
This would simply make my setup LESS SECURE instead of more secure, handing out more chances of attempting to compromise my proton account! -
A commented
Having several email addresses registered, I would like it if one could select just one of the addresses/usernames to serve as the only log-in address/name. Currently, all addresses can be used to log in, while it is not possible to set one address as the unique sign-in name. Using only one sign-in name would increase security, as one could choose a name different from the email address that one usually uses.