Log into Proton Pass directly with its own password (without having to log into a Proton account first)
-
Anonymous
commented
This is the key problem of having an online password manager. I need to authenticate to it in a human-compatible way but it also has to resist automated unauthorized access. I'm not going to remember an actually really strong password and I'm likely to lose or damage any physical tokens used for 2FA. How can this be resolved?
With an offline password manager, at least there is the barrier of having access to the offline password database in the first place, so the passphrase to open the password database can be human-compatible without excessive risk of unauthorized access.
Even with a hybrid model (core credentials kept offline, frequently used / less critical credentials kept in Proton Pass) I always worry when Proton Pass needs my **core Proton Account password** to access it, the same password that also opens my Proton Mail and Proton Drive etc. that are much more sensitive than what I keep in Proton Pass.
Another way of saying the above: Proton Pass requires a password that opens it, while I only store in Proton Pass much less sensitive information compared to every other Proton app that requires the same password.
At a minimum, Proton Pass needs to accept a different password than the Proton account password... but I don't think that's good enough to fully trust Proton Pass to secure all of my credentials.
Yeah I don't know haha.
Is having access to the offline password database exactly equivalent to demonstrating access to a physical token or OTP key? (where would you store the OTP key reliably while you can still generate OTPs?)
-
maxi
commented
still the most critical feature to separate the danger and prevent the deadlock !!!
-
Rémy
commented
I wanted to switch over to Proton Pass from Bitwarden but I didn't because of this issue.
-
liquidplum
commented
To second what John Doe said: The Deadlock Problem -- This feature becomes critical when you fully commit to the Proton ecosystem.
Here's the scenario: You follow best security practices and generate a long, complex password for your Proton account. Naturally, you store it in Proton Pass. But now you have a circular dependency. To access Proton Pass, you need your Proton password. To retrieve your Proton password, you need Proton Pass. This creates a genuine deadlock situation, especially in disaster recovery scenarios where you might be logging in from a new device without any cached sessions.
The workaround today is to either memorize your Proton master password (defeating the purpose of a password manager) or store it somewhere outside of Proton (defeating the purpose of a unified ecosystem).
Allowing Proton Pass to have its own independent unlock method (a separate PIN, passphrase, or biometric) would solve this elegantly. It would let users safely store their Proton credentials inside Proton Pass without risking a lockout.
For users who trust Proton with everything, this is not a convenience feature. It is essential.
-
bongbong
commented
YES. The password manager and main Proton account should be independent from one another.
-
Mark
commented
If you use a biometric like a fingerprint, this isn't a major issue.
-
F251202
commented
+1
-
David
commented
Seems to me like a critical feature, now you have to print out the recovery kit in case of emergency. And one pass for all the Proton apps seems not very safe in my opinion ;)
-
Matt
commented
This is really a critical feature; the whole point of having a password manager is to have a single password to give access to all your online accounts.
Proton may argue that the Proton account password is that one single password, but in what world is having your password manager credentials tied to your email's a good idea from a security perspective?
-
Swany
commented
Please add to Android 🙏
-
Darryl K
commented
Authenticator: I was loath to use Proton Authenticator, since I already use Proton Mail. I figured I could use it as a standalone app, without syncing across devices, by setting up all my devices at the same time. It was cumbersome, since I had to delete some OTP setups and start over, but it worked fine.
HOWEVER, I use the app on my iPhone. The only way to secure it at all is to use the same password or Face ID as my phone. I don't even need a password, just the ability to create/select my own PIN.
-
Darryl K
commented
Proton Pass and Authenticator should be in separate message boards. I fear my Authenticator comment will be obscured by all the Proton Pass comments.
-
John Doe
commented
The Deadlock Problem
This feature becomes critical when you fully commit to the Proton ecosystem.
Here's the scenario: You follow best security practices and generate a long, complex password for your Proton account. Naturally, you store it in Proton Pass. But now you have a circular dependency. To access Proton Pass, you need your Proton password. To retrieve your Proton password, you need Proton Pass. This creates a genuine deadlock situation, especially in disaster recovery scenarios where you might be logging in from a new device without any cached sessions.
The workaround today is to either memorize your Proton master password (defeating the purpose of a password manager) or store it somewhere outside of Proton (defeating the purpose of a unified ecosystem).
Allowing Proton Pass to have its own independent unlock method (a separate PIN, passphrase, or biometric) would solve this elegantly. It would let users safely store their Proton credentials inside Proton Pass without risking a lockout.
For users who trust Proton with everything, this is not a convenience feature. It is essential.
-
Linus A
commented
lmao - can't believe this is a request, such a basic feature to have. Come on Proton!
-
Yusuf Emrullah Parlak
commented
The feature you're requesting be removed provides two-stage security. Your Proton Pass account can't be compromised without hacking it, but making the change you requested would make it a more achievable target for attackers.
-
ProtonUser
commented
I support this idea
-
init_c4
commented
tru
-
ProtonUser
commented
I support this
-
SFBranden
commented
I agree that I want to secure Proton Mail along with Proton Pass (instead of the other way around).
-
Peter
commented
Excellent idea, especially if the proposed option to keep Proton Pass open until your system locks isn't done. Very annoying to have to open it every hour (or more frequently, depending on what option is selected).