Expert mode for security/recovery
I love Proton and rely on it for email and password management. This makes my Proton account's security paramount, since this is the gateway to everything else now. That is why I have two security keys that protect access to this critically important account with unphishable 2FA. My password is kept offline, and is backed up in various ways.
Proton, however, seems to work against my efforts sometimes. I'm obligated to also use an authenticator app to use my security keys. Without asking, I'm suddenly opted-in to having recovery files downloaded to my trusted devices. Allow password reset from settings is enabled for me, and can't be disabled without having a recovery method. This last thing is something I want to have enabled, personally, but I don't want Proton to choose that for me.
More seriously, when I enable a recovery phrase to make Proton happy, I've effectively reduced my account's security from 2FA to 1FA. The recovery phrase recovers both account and data, and bypasses 2FA as far as I know (it is not clear from the interface if this is the case). I kinda like the idea of a secondary backup password, but not one that bypasses 2FA.
Because of this, I prefer to disable all recovery settings. I don't want or need recovery; I've never ever lost a password in my life, especially such an important one. Proton, however, has decided for me that this is Irresponsible Behavior, and I shall be visually punished with the UX-equivalent of a wagging finger, an annoying exclamation mark telling me that I'm being stupid and need to enable one of the recovery options that, in my opinion, needlessly reduce my account's security.
What I would like to propose then, is an expert mode for account security, maybe as an extension or extra option of Proton Sentinel. I would like to be just as stubbornly obnoxiously stupid with regards to my chances of account recovery as I **** well please, thank you very much :p I would like to be able to just use my security keys, with my very long and complex single password, flirting with the edge of the online abyss, without Proton getting in my idiot way. That my account may be unrecoverable is a risk that I'm completely comfortable running, and I pretty promise that I won't come crying to Proton support if I get burned.
Kind regards, and keep up the good work!
-
Some_User46 commented
I just chatted with Proton support and they told me the following: "You will need your recovery phrase if you forget your password or in a scenario where your account is locked due to suspicious activity." So you can't really use Proton without a recovery method, because you might get locked out even if you don't forget the password. It is very concerning that this is the case and that they are not clearly communicating it.
-
Danno commented
Having an Expert Mode that accomplishes these things, as well as other things, is absolutely a no-brainer IMO.
-
Em commented
Really annoying to have Proton pushing security 'features' that could be attack vectors.
Especially the constant notification about it. You've notified me, so get rid of the dot already.
If I've forgotten my password I'm dead! I want my account to stay inaccessible.
-
Jeremy Karst commented
While I do not use Proton for password management, I do use another trusted option which is protected from loss in several ways. I do not wish to use Proton's recovery features, and especially do not appreciate the potential security risk of having recovery files added to my device which can bypass 2FA. I would like to remove the nagging orange dot from Proton's web apps to "Activate Recovery", but this is not an option currently.