Advanced Protection (phishing-resistant MFA)
Implement something similar to Google Advanced Protection or Apple iCloud (phishing-resistant MFA) - e.g. disable all non-phishing-resistant (weak) factors when at least two FIDO2/U2F keys or passkeys are added.
Russian and Belarusian APT groups have been conducting targeted phishing operations to compromise Proton accounts for years. Through sophisticated social engineering tactics, these threat actors trick victims into revealing SMS and TOTP codes, enabling unauthorized access to their accounts or account takeover. Example:
https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/
For high-risk individuals such as journalists, activists, and politicians, an account takeover can have extreme consequences, including imprisonment or torture. Training and awareness do reduce risk, but they cannot realistically eliminate it for most users. To meaningfully lower exposure, we recommend technical controls that make remote, phishing-based account compromise substantially harder or (ideally) impossible.
Phishing-resistant 2FA became the de-facto standard years ago for high-profile users of Microsoft, Google and Apple services:
- https://learn.microsoft.com/en-us/entra/identity/authentication/phishing-resistant-authentication-videos
- https://landing.google.com/intl/en_in/advancedprotection/
- https://support.apple.com/en-gb/102637
So, please, implement the ability to enable Advanced Protection for individual users and to force Advanced Protection for Proton Business admins. The idea is to allow the user to blindly follow all the instructions on the phishing website and still not be phished, as using FIDO2/U2F keys or passkeys is safe on phishing websites.
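To make the two halves of this request concrete, here is an added example (not Proton's code, not part of the original post) of the server-side logic: the enrolment policy from the first paragraph (AP can only be switched on with at least two security keys or passkeys enrolled, and switching it on drops SMS/TOTP), plus the origin-binding checks a WebAuthn relying party performs on an assertion, which are what make a key harmless on a look-alike site. The domains, challenge and factor records are constructed sample values; signature verification is left out to keep the focus on the binding checks.

```python
import base64
import hashlib
import json

PHISHING_RESISTANT = {"fido2", "passkey"}  # authenticator signs over the rpId/origin
WEAK = {"sms", "totp"}                     # codes a user can be talked into typing on a fake page

def advanced_protection_eligible(factors):
    # Policy from the request: at least two FIDO2/U2F keys or passkeys enrolled.
    return sum(f["type"] in PHISHING_RESISTANT for f in factors) >= 2

def enable_advanced_protection(account):
    """Turn AP on and drop every weak factor; returns the factors that were removed."""
    if not advanced_protection_eligible(account["factors"]):
        raise ValueError("enrol at least two FIDO2/U2F keys or passkeys first")
    removed = [f for f in account["factors"] if f["type"] in WEAK]
    account["factors"] = [f for f in account["factors"] if f["type"] in PHISHING_RESISTANT]
    account["advanced_protection"] = True
    return removed

def factor_allowed(account, factor_type):
    # Under AP the server refuses SMS/TOTP even if an attacker relays a freshly phished code.
    if account.get("advanced_protection"):
        return factor_type in PHISHING_RESISTANT
    return factor_type in PHISHING_RESISTANT | WEAK

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def assertion_bound_to_rp(rp_id, expected_origin, expected_challenge, client_data_b64, auth_data):
    """Relying-party checks done before signature verification: the clientDataJSON must carry
    our challenge and our origin, and the first 32 bytes of authenticatorData must be
    SHA-256(rpId). A browser on a look-alike domain produces a different origin and rpIdHash,
    so an assertion collected there fails here regardless of what the user did."""
    cd = json.loads(_b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for a browser's clientDataJSON and authenticatorData (no signature)."""
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    client_data = base64.urlsafe_b64encode(cd.encode()).decode().rstrip("=")
    flags, counter = b"\x05", b"\x00\x00\x00\x00"  # UP|UV set, signature counter 0
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return client_data, auth_data
```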
-
Sonja - commented
This is extremely needed for high-risk individuals! Thanks for the suggestion
-
Vasiliy Wood - commented
We are obsessed with the idea of phishing-resistant multi-factor authentication.
-
Davit - commented
I fully support this proposal. Speaking from my experience in Georgia, phishing is currently one of the most widespread — if not the most widespread — methods used to compromise the accounts of journalists, activists, and NGO workers.
In our local context, these high-risk groups often face sophisticated, targeted attacks where traditional 2FA (SMS/TOTP) proves insufficient because users can be socially engineered into revealing them. Implementing a phishing-resistant 'Advanced Protection' mode in Proton would be a game-changer for the safety of the civil sector in Georgia. This will greatly reduce the likelihood of human error.