My use case is that I initially set up TOTP-based multi-factor authentication, and I did not save the QR code because I did not realize that I would not be able to access it again or that a single, shared QR code had to be used for all authenticator apps.
Years passed, and I've now gotten a new phone. In the interim, I registered multiple security keys, including one off-site backup, and I cannot change the TOTP authenticator without first deleting all security keys, which I would then have to re-add.
Another use case is wanting to individually revoke authenticator apps that have been compromised. If I lose a hardware security key, Proton allows me to individually revoke that security key; but if I lose a phone, or a software vulnerability exposes the TOTP secrets held on that device, I can only revoke that TOTP secret by turning MFA entirely off and back on, deleting all existing security keys in the process.
Being able to individually add and revoke TOTP authenticator apps would resolve both of the above use cases. Being able to re-initialize TOTP authentication without deleting existing hardware security keys would satisfy the first use case but not the second one.
It seems as though the inability to disable TOTP MFA without turning off (and deleting key registrations for) security key MFA is intentional, forcing users to have a backup authentication method, but the current implementation has in fact achieved the opposite effect, limiting my access to backup authentication methods until I make time to collect my backup security keys to re-register them, because I do not routinely carry my old phone with me.