Proton for Business - Enforce Security Key 2FA Policies for Organization Users
As more organizations adopt physical security keys (e.g. YubiKey) for authentication security, please consider introducing policy controls at the organization administrator level to:
(1) Enforce 2FA by security key for all users (specifically, require security key 2FA to log in, not just TOTP or other forms of 2FA in general).
It is noted that a related request of "Allow security key 2FA without setting up OTP 2FA" is already in place here (https://protonmail.uservoice.com/forums/935538-accounts-payments/suggestions/48368117-allow-security-key-2fa-without-setting-up-otp-2fa).
(2) Restrict user-account 2FA enrollment/deactivation/modification to organization admins only.
Please allow the organization to determine whether users can make such privileged changes themselves, or whether all of this should be handled through an admin.
As Proton does not seem to support FIDO2.1 enterprise attestation for security keys, and as we require security keys for login, we are handling all enrollment and modification of user-account security keys via an org admin. However, there is nothing stopping users from removing their admin-registered security key to fall back to TOTP 2FA, or from adding non-company-issued or otherwise non-compliant security keys (e.g. adding their own personal phone as a platform key). Limiting user-account 2FA setting changes to org admins would address this issue.
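To make the gap concrete, here is a small org-side compliance check written as an added example for this request; it is not Proton code and does not use any Proton API. It models the two controls asked for above (every account must hold an approved roaming security key, and only admins may enrol or remove factors) and flags exactly the drift described: an admin-issued key that has been removed, a TOTP-only fallback, or a self-enrolled platform authenticator. The `Factor`/`OrgPolicy` records, the credential ids and the AAGUID model strings are all constructed placeholders, not real product identifiers.

```python
"""Org-side 2FA policy audit for WebAuthn/FIDO2 factors (added example, not Proton code).

AAGUID is the authenticator model identifier carried in a WebAuthn attestation;
enterprise attestation is what would let an org pin it reliably. Values below
are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    kind: str                # "security_key" | "platform_key" | "totp"
    registered_by: str       # "admin" | "user"
    credential_id: str = ""  # WebAuthn credential id (constructed); "" for TOTP
    aaguid: str = ""         # authenticator model id from attestation; "" for TOTP
    attachment: str = ""     # "cross-platform" = roaming key, "platform" = built-in (e.g. phone)


@dataclass(frozen=True)
class OrgPolicy:
    require_security_key: bool = True          # request (1): a key, not just TOTP
    admin_only_changes: bool = True            # request (2): users may not self-enrol
    allowed_aaguids: frozenset = frozenset()   # approved key models; empty = any model


def evaluate_account(factors, policy):
    """Return policy findings for one account; an empty list means compliant."""
    findings = []
    security_keys = [f for f in factors if f.kind == "security_key"]
    if policy.require_security_key and not security_keys:
        findings.append("no security key enrolled: login would fall back to TOTP")
    for f in factors:
        label = f"{f.kind} {f.credential_id}".strip()
        if policy.admin_only_changes and f.registered_by != "admin":
            findings.append(f"{label} was self-enrolled by the user")
        if f.kind == "platform_key" or f.attachment == "platform":
            findings.append(f"{label} is a platform authenticator, not a company-issued key")
        if (f.kind == "security_key" and policy.allowed_aaguids
                and f.aaguid not in policy.allowed_aaguids):
            findings.append(f"{label} has unapproved model AAGUID {f.aaguid}")
    return findings


def removed_admin_keys(issued_credential_ids, factors):
    """Admin-issued credential ids that no longer appear on the account."""
    present = {f.credential_id for f in factors}
    return sorted(set(issued_credential_ids) - present)


# Constructed sample data: an approved-model list and three accounts.
APPROVED_MODELS = frozenset({"aaguid-company-key-model-A", "aaguid-company-key-model-B"})
POLICY = OrgPolicy(allowed_aaguids=APPROVED_MODELS)

ISSUED = {"alice": ["cred-alice-1"], "bob": ["cred-bob-1"], "carol": ["cred-carol-1"]}
ACCOUNTS = {
    # compliant: one admin-issued key of an approved model
    "alice": [Factor("security_key", "admin", "cred-alice-1",
                     "aaguid-company-key-model-A", "cross-platform")],
    # removed the admin-issued key and kept only TOTP
    "bob": [Factor("totp", "user")],
    # kept the issued key but added a personal phone as a platform key
    "carol": [
        Factor("security_key", "admin", "cred-carol-1",
               "aaguid-company-key-model-B", "cross-platform"),
        Factor("platform_key", "user", "cred-carol-phone", "aaguid-some-phone", "platform"),
    ],
}


def audit(accounts=ACCOUNTS, issued=ISSUED, policy=POLICY):
    """Map each user to its list of findings, including removed admin-issued keys."""
    report = {}
    for user, factors in accounts.items():
        findings = evaluate_account(factors, policy)
        for cid in removed_admin_keys(issued.get(user, []), factors):
            findings.append(f"admin-issued key {cid} has been removed from the account")
        report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit().items():
        print(user, "OK" if not findings else findings)
```

Run as-is it reports alice as compliant, bob with three findings (no key, self-enrolled TOTP, removed admin key) and carol with two (self-enrolled platform authenticator). An admin-only change control, or SSO that defers to the enterprise IdP, is what would turn these after-the-fact findings into something the platform prevents up front.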
(3) If neither of the above is feasible, please add support for open-standards SSO integration, so that the enterprise's own IAM policies can be enforced with Proton's services.