Allow 2F Security Keys for Password Reset and Account Recovery
One of the more secure options for account recovery or password resets would be to utilize security keys. Security keys can inherently contain 2-3 factors of verification in one. You have to physically have the key (1F), you have to then touch the key to confirm human contact (2F), and you can require that a password for the key be entered (3F). Users can set up more than one key to use, so there is inherently a fail safe to the back up option. This option seems like a no brainer option that should be offered to users for the recovery of data or passwords and would vastly improve security options over current options that are regularly hacked (another e-mail or phone number). Please make security keys an option for these recovery methods.
MH
shared this idea
-
Eric K
commented
I would greatly prefer the ability to use a security key, as I cannot use either of the "primary" methods to recover my account - I do not have a non-Proton secondary E-mail address, and refuse to use a cell phone for SMS 2FA codes. Note that SMS is proving to be extremely hackable - as evidenced by recent scams impersonating various tolling authorities in the U.S. - and is no longer, in my opinion, a "secure" method of communication for ANYTHING.
Although I would prefer to get a voice call for an account recovery code - and I use this with many of the sites I login to that require MFA - I would accept recovery via a security key such as a YubiKey as a viable alternative - because I can also use a YubiKey with KeePass2. (I was using KeePass2 long before I signed up for a plan with Proton and will not move my login credentials online.)