Forgotten password options vulnerability
I clicked the "forgot password" option on the sign-in page to test. After entering my email, it immediately prompted for a 12-word phrase.
Immediately prompting for the phrase gives an attacker performing reconnaissance valuable information.
All 3 options should be selectable regardless of which have been configured. This allows security through obfuscation, as the screenshots in this link show: https://proton.me/support/reset-password
This is for a situation where someone knows my alternate email or phone number and tries to use them. If I haven't enabled them as options, it would also be good to then get a notification about the attempt. That way I know someone is trying to get in and can decide on next steps.
Thanks.
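The behaviour requested in the post above, sketched as an added example (not part of the original post and not Proton's code): every recovery method is offered for every username, every attempt gets the same reply, and an attempt through a method the owner never set up queues an alert to the owner. The account store, function names, messages and the `outbox` list standing in for a mail queue are all assumptions made for illustration.

```python
import hashlib
import hmac

ALL_METHODS = ("email", "phone", "phrase")
GENERIC_REPLY = "If the details match our records, recovery will continue."


def _digest(value):
    # Sample only: a real store would use a salted, slow KDF for the phrase.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed sample accounts: None means the method was never set up.
ACCOUNTS = {
    "alice@example.com": {"email": None, "phone": None,
                          "phrase": _digest("constructed sample phrase")},
    "bob@example.com": {"email": _digest("bob.alt@example.net"),
                        "phone": None, "phrase": None},
}


def recovery_options(username):
    """Offer every method, whether or not the account exists or has it set up."""
    return list(ALL_METHODS)


def attempt_recovery(username, method, value, outbox):
    """Process one attempt. The reply is identical on every path; the owner
    alert or the next recovery step is queued on `outbox` instead."""
    if method not in ALL_METHODS:
        raise ValueError("unknown recovery method")
    account = ACCOUNTS.get(username)
    stored = account[method] if account else None
    # Compare against a dummy digest when nothing is stored, so each path
    # does roughly the same work.
    matched = hmac.compare_digest(stored or _digest(""), _digest(value))
    if account is None:
        return GENERIC_REPLY
    if stored is None:
        outbox.append((username, "alert", f"recovery tried via unconfigured {method}"))
    elif matched:
        outbox.append((username, "proceed", method))
    else:
        outbox.append((username, "alert", f"failed recovery attempt via {method}"))
    return GENERIC_REPLY
```
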