Secure Links: Restrict access to specific email addresses with OTP verification
Currently, Proton Pass Secure Links offer two access controls: expiration date and view count limit. Both are useful, but they share a fundamental weakness — anyone who obtains the link can access the shared item within those constraints.
Proposed feature:
Allow senders to restrict a Secure Link to one or more specific email addresses. When a recipient opens the link, they are prompted to enter their email address. If it matches an address on the allowlist, Proton Pass sends a one-time code to that address. Only after successful verification is the item revealed.
Why this matters:
This ties access to a verified identity rather than mere possession of the link. In professional contexts — sharing credentials with a client, a contractor, or a specific colleague — it ensures that an accidentally forwarded or intercepted link cannot be used by an unintended party.
Prior art:
1Password's "Psst!" item sharing already implements this exact flow. The recipient enters their email, receives a one-time verification code, and only then sees the shared item. This is a proven UX pattern that works well.
What this is not:
This is not a request to require recipients to have a Proton account. The whole value of Secure Links is that they work for anyone. Email OTP verification preserves that while adding a meaningful identity check.
Summary of requested controls (combined):
- Expiration date (existing)
- View count limit (existing)
- Restrict to specific email addresses + OTP verification (requested)
This would make Proton Pass Secure Links genuinely suitable for professional credential sharing, not just casual personal use.