Separate 2FA into it's own application.
Currently, ProtonPass stores the 2FA secrets in the same place it stores login information.
Functionally, this means that there is no second factor. All necessary account access information is stored in one place, and is a single point of failure. If ProtonPass is ever compromised, the attacker would get full and total access.
To fix this, 2FA should be split into it's own separate application with it's own separate password.
CatatonicMan
shared this idea
-
Oliviero Talamo
commented
I agree.
It is a contradiction, nonsense, to store distinct site access data (or of other thing) in a single place with a single access mehtod, for instance the PIN of the browser extension or else the fingerprint for the desktop application.
Obviously it is important that the vaults data are crypted with a strong method, and I see no problem if ProtonPass stores also all 2FA (or possibly MFA) data of a user, but, what I see from CatatonicMan message, the important is how a user accesses the distinct categories of stored security information.
The problem here is in the user safety. If his/her password/PIN is stolen (or even fingeprint), all the advantages of 2FA or MFA approach are lost.
So, at least, there should be distinct passwords/ PINs to access the distinct stored categories of 2FA data (for instance password and OTP code).
For instance, there is a KeePass OTP plugin that allows to set a different pasword for the OTP data access.
In fact, I currently use ProtonPass, but I save OTP data in a different place
I am a faithful user of all Proton products and agree with and believe in all the security/ safety aims of Proton.
Tehefore I'd like to use ProtonPass in a full way