Allow security key 2FA without setting up OTP 2FA
I would greatly appreciate if you could allow users to set up 2-factor authentication using a U2F/FIDO2 security key, without also having to set up OTP-based 2FA.
-
sixfold705
commented
What does it mean that "this idea is started" for 11 months? Is it being considered? If so, by whom? And what is being considered? What even is there to be considered?
Either the devs don't realize that the current state doesn't make any sense and poses a huge security risk for all its users, or they simply don't care or want it that way. And I don't know which is worse, but either way it makes it very clear not to trust Proton with anything important.
What's also weird to me is that this could be fixed within minutes; it's not even a "feature request", just stop actively enforcing this huge, idiotic, and 100% unnecessary security risk, like wtf is wrong with you?
-
protonvoter
commented
Please implement FIDO functionality without Play services.
-
Johnn Doe
commented
Proton VPN login doesn't even support FIDO2, so there's a lot to work on.
-
Lumi
commented
At this point I can lock my utilities account behind forced U2F, and yet Proton, an email service (highly targeted for attacks for subsequent password reset / email 2-step login attacks), privacy and security focused, forces me to use TOTP and doesn't even support FIDO2.
-
Anonymous
commented
I need to change my TOTP key, and was shocked to find that the only way to do this for a Proton account is to completely disable 2FA. I'm not going to do that in any case, but if that also involves having to re-register every security key, that's terrible design.
-
Hervé
commented
I am currently migrating my TOTP codes from Authy to the newly released Proton Authenticator. Guess what? ProtonMail is by far the most painful to migrate, as it requires removing my hardware keys before I can deactivate TOTP and recreate it with Proton Auth. There is something to fix here!
-
Markus L
commented
Would be happy to see this change. I think the biggest reason people buy hardware authenticator tokens in the first place is to AVOID having to use TOTP on their networked smartphones.
-
qasim butt
commented
If you have a physical security key, then OK, allow it.
-
Facebook Arif
commented
Checklist&action>failed.now
-
QAZ1
commented
I would like the same. The security key option is not available in the Brave browser config on iOS, why???
-
nichwichdich
commented
Yep, I'm wondering why they decided like this.
-
Holistic Returns
commented
Really happy that they're starting this! Awesome!
-
Anonymous
commented
Should also support passkeys with YubiKey/password manager.
-
Proton User
commented
Yeah, I found this super weird... Almost to the same level as some sites forcing you to have text messaging 2FA as a default with no option to remove it.
-
lazar
commented
I've been trying to move to security keys and away from OTP-based 2FA, so I'd really appreciate if I didn't need OTP-based 2FA for arguably my most important platform.
-
Aaron
commented
I think most of us purchased a physical security key such as the YubiKey to use FIDO2. To only support U2F and require mobile OTP back up defeats the purpose of having the key.
-
protonvoter
commented
I appeal to Proton to implement FIDO functionality without Play services.
-
Purple Dragon
commented
Agreed, I would love to have a security key only option. Perhaps the end user can be forced to set up a minimum of 2 physical security keys to ensure they have a backup plan. Not a fan of TOTP being forced as it defeats the security purposes of allowing security keys by forcing a virtual option.
-
Anonymous
commented
No point in having a security key if OTP is going to be the weakest link. In order to mitigate users locking themselves out, you can set a minimum number of YubiKeys and many warnings.
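The policy the last two comments sketch (security-key-only 2FA, gated on a minimum number of enrolled keys), together with the TOTP-rotation problem raised earlier in the thread, as an added Python example. This is not Proton's code; the assurance ranking, the two-key minimum and the factor labels are assumptions constructed for the example.

```python
"""Minimal MFA policy model for the two points made in the thread:
  * effective account strength is the weakest enabled factor, so a mandatory
    TOTP fallback caps a security-key account at TOTP level;
  * TOTP can be dropped safely once enough hardware keys are enrolled, and a
    TOTP secret can be rotated without touching the keys.
Assurance values and MIN_HARDWARE_KEYS are assumptions, not a published scale."""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    # Ordered by phishing resistance; only the ordering matters here.
    PASSWORD_ONLY = 0
    SMS = 1
    TOTP = 2
    FIDO2 = 3


@dataclass
class Factor:
    kind: str          # "sms", "totp" or "fido2"
    label: str = ""    # key nickname or secret id, constructed for the example


@dataclass
class Account:
    factors: list[Factor] = field(default_factory=list)


ASSURANCE_OF = {"sms": Assurance.SMS, "totp": Assurance.TOTP, "fido2": Assurance.FIDO2}
MIN_HARDWARE_KEYS = 2  # assumed threshold, as the commenters suggest


def effective_assurance(account: Account) -> Assurance:
    """Weakest-link rule: every enabled factor is a valid login path, so the
    account is only as strong as the easiest one to attack."""
    if not account.factors:
        return Assurance.PASSWORD_ONLY
    return min(ASSURANCE_OF[f.kind] for f in account.factors)


def can_remove(account: Account, factor: Factor) -> tuple[bool, str]:
    """Allow a removal only if the user keeps a backup path afterwards."""
    remaining = [f for f in account.factors if f is not factor]
    if not remaining:
        return False, "would disable 2FA entirely"
    keys_left = sum(1 for f in remaining if f.kind == "fido2")
    software_left = any(f.kind != "fido2" for f in remaining)
    if keys_left >= MIN_HARDWARE_KEYS or software_left:
        return True, "ok"
    return False, f"keep {MIN_HARDWARE_KEYS}+ hardware keys or a software factor"


def remove_factor(account: Account, factor: Factor) -> Account:
    ok, why = can_remove(account, factor)
    if not ok:
        raise PermissionError(why)
    return Account([f for f in account.factors if f is not factor])


def rotate_totp(account: Account, new_label: str) -> Account:
    """Replace the TOTP secret in place. Hardware keys are untouched, so the
    user never has to re-register them to switch authenticator apps."""
    if not any(f.kind == "totp" for f in account.factors):
        raise ValueError("no TOTP factor enrolled")
    return Account([Factor("totp", new_label) if f.kind == "totp" else f
                    for f in account.factors])


def demo() -> dict:
    """Walk through the scenario from the thread and return the outcomes."""
    acct = Account([Factor("totp", "authy"), Factor("fido2", "key-A")])
    out = {"forced_totp": effective_assurance(acct).name}  # TOTP: the key adds nothing
    # Dropping TOTP with a single key is refused: there would be no backup path.
    out["drop_with_one_key"] = can_remove(acct, acct.factors[0])[0]
    acct = Account(acct.factors + [Factor("fido2", "key-B")])
    acct = remove_factor(acct, acct.factors[0])  # now permitted: two keys remain
    out["keys_only"] = effective_assurance(acct).name  # FIDO2
    return out


if __name__ == "__main__":
    print(demo())
```

The weakest-link rule is the reason a forced TOTP fallback matters: an attacker choosing which enabled factor to go after never has to face the hardware key. The removal check encodes the backup-path concern from the thread as a precondition rather than a warning, and `rotate_totp` shows that changing an authenticator app need not involve the keys at all.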