Proton Authenticator shares attack surface with Proton Pass account login — defeating its purpose
I want to raise something that I think deserves more attention in the security design of Proton Authenticator.
The current setup creates a single point of failure: if an attacker compromises your Proton account credentials, they gain simultaneous access to both your passwords and your TOTP codes stored within the ecosystem. This effectively collapses a two-factor authentication scheme into a single-factor one from the attacker's perspective — the eggs-in-one-basket problem.
The core value proposition of 2FA is that credentials and the second factor exist in separate threat domains. When both live behind the same login, that separation is largely illusory.
A meaningful mitigation would be to introduce a distinct, independent authentication layer specifically for accessing the 2FA/TOTP vault — for example:
- A separate PIN or passphrase not tied to the main Proton account password
- Hardware key (FIDO2/WebAuthn) required specifically to unlock the TOTP functionality
- Biometric re-authentication at the app level before revealing or auto-filling OTP codes
This would ensure that even a fully compromised Proton account doesn't automatically hand over the second factors protecting users' external services.
This seems like a logical next step for a platform positioning itself as a security-first alternative. Curious whether others feel this gap is as significant as I do, and whether the team has plans to address it.
EDIT: If there is indeed a way to accomplish this already, it's not clear from the presentation of the feature and app that this is achievable, and it should then be made a stronger focus point
- a current lack of separation breaks the entire security model by putting all the eggs in one basket.
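An added example (not Proton's code, and not a description of how Proton Authenticator actually stores anything) that models the separate-PIN design proposed above: the TOTP vault key is derived only from a PIN the account password never touches, so a synced vault blob obtained through an account compromise yields nothing without that PIN. The HMAC-counter stream cipher plus MAC is a stand-in for a real AEAD; the PIN, seed and function names are constructed.

```python
import hashlib, hmac, os, struct, time

# Constructed sample TOTP seed (the RFC 6238 test-vector key).
TOTP_SEED = b"12345678901234567890"

def derive_vault_keys(pin: str, salt: bytes):
    # Independent KDF for the vault PIN; the Proton account password never enters here.
    root = hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    k_enc = hmac.new(root, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(root, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy PRF stream; use a real AEAD in practice.
    blocks = [hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_vault(pin: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_vault_keys(pin, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(pin: str, blob: dict):
    k_enc, k_mac = derive_vault_keys(pin, blob["salt"])
    expected = hmac.new(k_mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong PIN: the synced blob alone reveals no TOTP seeds
    ks = _keystream(k_enc, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def totp(seed: bytes, t=None, step=30, digits=6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1, as the apps would compute it after unlocking.
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def demo(pin="7391", leaked_account_password="hunter2"):
    # Returns (owner can unlock, what an attacker holding only account creds gets).
    blob = seal_vault(pin, TOTP_SEED)
    return open_vault(pin, blob) == TOTP_SEED, open_vault(leaked_account_password, blob)
```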
-
Anonymous commented
This is indeed a real and very dangerous problem.
Example Scenario:
Proton User stores passwords in Proton Pass. User stores TOTPs in Proton Authenticator. User activates the account sync feature in Proton Authenticator. Bad actor compromises / steals Proton User's recovery passphrase, thereby enabling the bad actor to disable 2FA and reset the user's account password. Now the bad actor has access to all passwords stored in Proton Pass. Next, the bad actor installs their own copy of Proton Authenticator, turns on the account sync feature and enters the new account password. Instantly, the last synced copy of all TOTPs from the user's Proton Authenticator is synced to the bad actor's Proton Authenticator. The bad actor now has all the passwords and 2FA TOTPs they need to break into your banking and other critical sites.
Although the account sync feature is a great idea, how it passed security and pen testing makes me wonder. And yes, when you change the account password the existing instances of Proton Authenticator stop syncing and are logged out; but whatever was last synced is still in the synced account, and that is what will be downloaded to the bad actor's Proton Authenticator.
-
boult commented
That’s a valid concern; separating authentication layers would definitely strengthen security and reduce risk. Just like protecting digital access, choosing trusted and secure sources for daily essentials also matters; explore quality products at https://newdaynaturals.com/.