Security concern regarding the shared session between Proton Pass and Proton Mail.
Hello,
I would like to report a behavior that I find inconsistent and potentially problematic from a security perspective.
I use the Proton Pass extension in Chrome. When I initially signed in, I entered the main password for my Proton account. I then configured a PIN to lock Proton Pass, with an automatic locking delay of two minutes.
Once Proton Pass is locked, the PIN is correctly required to access the vault. However, when I open Proton Mail in the same browser, my mailbox opens immediately, without asking for either my main password or the Proton Pass PIN.
It therefore appears that the session created by Proton Pass keeps the entire Proton account authenticated, even though Proton Pass itself is shown as locked.
In my view, this creates a false sense of security. The PIN protects access to the passwords stored in Proton Pass, but anyone with access to the browser can still open and read all the emails associated with the same Proton account.
I understand that a Proton session may be shared across your different services. However, users should at least be able to enable an additional layer of protection for sensitive services.
I would therefore ask you to consider one or more of the following solutions:
Require the Proton Pass PIN before allowing Proton Mail to open automatically.
Allow users to disable automatic sign-in to other Proton services from a Proton Pass session.
Provide an independent lock for Proton Mail using a PIN, password, or biometric authentication.
Allow users to choose which Proton services are permitted to reuse an existing session.
Ideally, this behavior should be configurable, so that security-conscious users can separate Proton Pass from Proton Mail without having to use multiple accounts or different browsers.
Could you please confirm whether this behavior is intentional and whether there is currently any setting that prevents Proton Mail from opening automatically when a Proton Pass session is active?
I would also appreciate it if you could forward this request to your product and security teams.
Kind regards,
Stéphane