Proton Authenticator shares attack surface with Proton Pass account login — defeating its purpose
I want to raise something that I think deserves more attention in the security design of Proton Authenticator.
The current setup creates a single point of failure: if an attacker compromises your Proton account credentials, they gain simultaneous access to both your passwords and your TOTP codes stored within the ecosystem. This effectively collapses a two-factor authentication scheme into a single-factor one from the attacker's perspective — the eggs-in-one-basket problem.
The core value proposition of 2FA is that credentials and the second factor exist in separate threat domains. When both live behind the same login, that separation is largely illusory.
A meaningful mitigation would be to introduce a distinct, independent authentication layer specifically for accessing the 2FA/TOTP vault — for example:
- A separate PIN or passphrase not tied to the main Proton account password
- Hardware key (FIDO2/WebAuthn) required specifically to unlock the TOTP functionality
- Biometric re-authentication at the app level before revealing or auto-filling OTP codes
This would ensure that even a fully compromised Proton account doesn't automatically hand over the second factors protecting users' external services.
This seems like a logical next step for a platform positioning itself as a security-first alternative. Curious whether others feel this gap is as significant as I do, and whether the team has plans to address it.
EDIT: If there is indeed a way to accomplish this already, it's not clear from the presentation of the feature and app that this is achievable, and it should then be made a stronger focus point: a current lack of separation breaks the entire security model by putting all the eggs in one basket.
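To make the "separate PIN or passphrase" mitigation concrete, here is an added illustration (not Proton's code, and not a description of how Proton Pass or Proton Authenticator actually store secrets) of a TOTP vault whose entries are sealed under a key derived from a vault-only PIN. The account layer only ever sees the sealed blobs, so possession of the account alone does not yield codes; the PIN has to be presented at the app level to decrypt and compute a code. The names (`create_vault`, `add_secret`, `code_for`, `can_unlock`) and the HMAC-based demo cipher are assumptions made for this example; a real implementation would use a standard AEAD such as AES-GCM or XChaCha20-Poly1305 for the sealing step. The TOTP secret is the public RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# --- Key derivation: the vault key comes from a vault-only PIN/passphrase,
#     never from the account password, so account compromise does not expose it.
def derive_vault_key(vault_pin: str, salt: bytes) -> bytes:
    """Stretch the vault PIN into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", vault_pin.encode(), salt, 200_000, dklen=64)

# --- Demo authenticated encryption built only from HMAC (CTR-style keystream,
#     encrypt-then-MAC). Stand-in for a real AEAD; chosen so the example runs on stdlib alone.
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong PIN or tampered entry: fail closed
        raise ValueError("vault PIN rejected")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

# --- RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits)
def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at_time is None else at_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

# --- Vault: what syncs with the account is only {"salt", "entries": {name: sealed_blob}}.
#     Producing a code requires the vault PIN at the app layer.
def create_vault() -> dict:
    return {"salt": os.urandom(16), "entries": {}}

def add_secret(vault: dict, vault_pin: str, name: str, secret_b32: str) -> None:
    key = derive_vault_key(vault_pin, vault["salt"])
    vault["entries"][name] = seal(key, secret_b32.encode())

def code_for(vault: dict, vault_pin: str, name: str, at_time=None) -> str:
    key = derive_vault_key(vault_pin, vault["salt"])
    secret = open_sealed(key, vault["entries"][name]).decode()
    return totp(secret, at_time)

def can_unlock(vault: dict, vault_pin: str, name: str) -> bool:
    """True only if the PIN decrypts the entry; models the extra factor an account takeover lacks."""
    try:
        code_for(vault, vault_pin, name, at_time=0)
        return True
    except ValueError:
        return False

# Constructed sample: the RFC 6238 Appendix B test secret ("12345678901234567890" in base32).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    vault = create_vault()
    add_secret(vault, "4921", "example-service", SAMPLE_SECRET)
    # Account-level access sees only vault["entries"] (sealed); the PIN is still required:
    print(code_for(vault, "4921", "example-service", at_time=59))   # 287082 per RFC 6238
    print(can_unlock(vault, "0000", "example-service"))              # False
```

The point of the split is the threat domains the post describes: `vault["entries"]` can be stored and synced under the account, and an attacker holding the account credentials gets exactly that and nothing more, while the PIN-derived key lives only in the unlocked app session. The same structure applies if the unlock step is a FIDO2 assertion or a biometric-gated keystore entry instead of a PIN.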