Forgotten password options vulnerability
I clicked the "forgot password" option on the sign-in page to test. After entering my email, it immediately prompted for a 12-word phrase.
Immediately prompting for the phrase gives an attacker performing reconnaissance valuable information.
All 3 options should be selectable regardless of which have been configured. This allows security through obfuscation. As the screenshots in this link show: https://proton.me/support/reset-password
This is for a situation where someone knows my alternate email or phone number and tries to use them. If I haven't enabled them as options, it would also be good to then get a notification about the attempt. That way I know someone is trying to get in and can decide on next steps.
Thanks.