Isolated Password for Authenticator Sync
As a security-conscious Proton user who uses the Proton Authenticator App,
I want to establish a dedicated, separate password exclusively for the account sync feature on the Proton Authenticator App,
So that a compromise of my primary Proton account credentials does not automatically grant a bad actor the ability to sync my TOTP seeds to a Proton Authenticator App they control (this assumes the bad actor has also disabled 2FA for the Proton account).
Acceptance Criteria (AC)
AC 1: Separate Credentialing
The user can configure an independent "Authenticator App Sync Password" inside the Proton Account Settings.
The system must reject a sync password that is identical to the primary account password.
AC 2: Separate Credential Update
The user can update the independent "Authenticator App Sync Password" inside the Proton Account Settings without first having to enter the existing sync password (this caters for the forgotten-password scenario without blocking the user from changing it).
Any updated sync password must likewise be rejected if it is identical to the primary account password.
AC 3: TOTP Sync Isolation
The primary Proton account password alone must be insufficient to trigger a sync of the TOTP seeds to a new device once an independent "Authenticator App Sync Password" has been set.
AC 4: Emergency Sync Revocation (The "Kill Switch")
If the user changes this separate Authenticator password from the web account settings, the system must immediately terminate sync sessions across all connected Proton Authenticator apps.
Existing apps must stop syncing until the sync credentials stored in each of them have been updated to the new password. This prevents a bad actor who has compromised the account (and, as assumed above, disabled its 2FA) from using a sync-password change to obtain synced access to the TOTP seeds.
AC 5: Attacker Mitigation (expansion of AC 4 above)
If an attacker changes the sync password from a compromised account, this must not cause existing, legitimate Authenticator App instances to push or sync their current data; they resume only once the new sync password has been entered in each of those instances (this assumes the bad actor has also disabled 2FA for the Proton account).
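The acceptance criteria describe behaviour but not the mechanism that makes AC 4 and AC 5 hold for seeds that were already uploaded: if the server stores TOTP seeds it can read, an attacker who replaces the sync password from a compromised account can simply download them with the new password, so the server copy has to be encrypted client-side under a key derived from the sync password, and the server should only ever hold a verifier of that password. The Python model below is an added example written for this page, not Proton's code or design; the server class, the app class, the verifier layout, the session "generation" counter and the sample seed are all invented. It walks AC 1 to AC 5 with a legitimate phone, a second legitimate device, and an attacker who holds the account password (2FA assumed disabled, as in the story) but never the sync password.

```python
"""Model of an isolated sync password (AC 1 to AC 5). Added example, not Proton's code."""
import hashlib, hmac, json, os, secrets
SEEDS = {"example.com": "JBSWY3DPEHPK3PXP"}  # constructed sample seed, not a real account

def derive_keys(sync_password, salt):
    """Client-side KDF: enc_key stays on the device, auth_key is all the server ever sees."""
    root = hashlib.scrypt(sync_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return (hmac.new(root, b"seed-encryption", hashlib.sha256).digest(),
            hmac.new(root, b"server-auth", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD (a real client would use AES-GCM or similar)."""
    nonce, mac_key = os.urandom(16), hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong sync password or tampered ciphertext")  # nothing decrypted
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class SyncServer:
    """Proton-side state; account_password only authenticates changes in web account settings."""
    def __init__(self, account_password):
        self.account_password, self.salt = account_password, os.urandom(16)
        self.verifier, self.generation = None, 0  # sha256(auth_key); bumped by the kill switch
        self.blob, self.sessions = None, {}       # seed ciphertext; session token -> generation

    def rotate_sync_verifier(self, account_password, verifier):
        """AC 2 and AC 4: account login suffices (no old sync password); all sessions revoked."""
        if account_password != self.account_password:
            raise PermissionError("not signed in to the account")
        self.verifier, self.generation = verifier, self.generation + 1
        self.sessions.clear()  # old ciphertext may stay: the new password's key cannot read it

    def open_session(self, auth_key):
        """AC 3: only a device that holds the sync password gets a sync session."""
        if self.verifier is None or not hmac.compare_digest(
                hashlib.sha256(auth_key).digest(), self.verifier):
            raise PermissionError("sync password required")
        self.sessions[(token := secrets.token_hex(16))] = self.generation
        return token

    def exchange(self, token, blob=None):
        """Push (blob given) or pull (blob None); a stale session is refused (AC 4, AC 5)."""
        if self.sessions.get(token) != self.generation:
            raise PermissionError("sync session revoked; re-enter the sync password")
        self.blob = self.blob if blob is None else blob
        return self.blob

def web_set_sync_password(server, account_password, new_sync_password):
    """AC 1 and AC 2: refuse a sync password equal to the account password; send a verifier only."""
    if new_sync_password == account_password:
        raise ValueError("sync password must differ from the account password")
    _, auth_key = derive_keys(new_sync_password, server.salt)
    server.rotate_sync_verifier(account_password, hashlib.sha256(auth_key).digest())

class AuthenticatorApp:
    def __init__(self, seeds):
        self.seeds, self.enc_key, self.token = dict(seeds), None, None

    def enable_sync(self, server, sync_password):  # only when the user types it on this device
        self.enc_key, auth_key = derive_keys(sync_password, server.salt)
        self.token = server.open_session(auth_key)

    def push(self, server):
        server.exchange(self.token, seal(self.enc_key, json.dumps(self.seeds).encode()))

    def pull(self, server):
        self.seeds = json.loads(unseal(self.enc_key, server.exchange(self.token)))

def refused(action):
    try:
        action()
    except (PermissionError, ValueError):
        return True
    return False

def run_model():
    """Walks AC 1 to AC 5: a phone, a second device, an attacker with only the account password."""
    server, phone = SyncServer("account-pw"), AuthenticatorApp(SEEDS)
    ac1 = refused(lambda: web_set_sync_password(server, "account-pw", "account-pw"))
    web_set_sync_password(server, "account-pw", "sync-pw-1")
    ac3 = refused(lambda: phone.enable_sync(server, "account-pw"))
    phone.enable_sync(server, "sync-pw-1"); phone.push(server)
    web_set_sync_password(server, "account-pw", "sync-pw-2")     # user fires the kill switch
    ac4 = refused(lambda: phone.push(server))                    # old session is dead
    phone.enable_sync(server, "sync-pw-2"); phone.push(server)  # user re-enters it and resumes
    tablet = AuthenticatorApp({}); tablet.enable_sync(server, "sync-pw-2"); tablet.pull(server)
    web_set_sync_password(server, "account-pw", "attacker-pw")  # attacker: 2FA off, account only
    attacker = AuthenticatorApp({}); attacker.enable_sync(server, "attacker-pw")
    return {"ac1": ac1, "ac3": ac3, "ac4": ac4, "resync_ok": tablet.seeds == SEEDS,
            "ac5_phone_wont_push": refused(lambda: phone.push(server)),
            "ac5_attacker_gets_nothing": refused(lambda: attacker.pull(server))}
```

Calling run_model() returns a flag per criterion, all True in this model. Two design consequences are visible in it. First, because AC 2 allows the sync password to be replaced without the old one, a rotation is effectively a reset: the existing encrypted copy becomes unreadable to everyone, including the legitimate user, whose devices must re-upload after the new password is typed into them; the attacker's device opens a session but can neither decrypt the old ciphertext nor receive a fresh upload. Second, the server only ever stores a verifier of the sync password, so the account password is never a sync credential in any code path, which is what AC 3 requires. The encrypt-then-MAC helper is a stand-in for an AEAD and the scrypt parameters are illustrative.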