Anonymous
My feedback
101 results found
Anonymous
commented
This is indeed a real and very dangerous problem.
Example Scenario:
1. A Proton user stores passwords in Proton Pass.
2. The user stores TOTPs in Proton Authenticator.
3. The user activates the account sync feature in Proton Authenticator.
4. A bad actor compromises / steals the Proton user's recovery passphrase, thereby enabling the bad actor to disable 2FA and reset the user's account password. Now the bad actor has access to all passwords stored in Proton Pass.
5. Next, the bad actor installs their own copy of Proton Authenticator, turns on the account sync feature and enters the new account password. Instantly, the last synced copy of all TOTPs from the user's Proton Authenticator is synced to the bad actor's Proton Authenticator.
6. The bad actor now has all the passwords and 2FA TOTPs they need to break into your banking and other critical sites.
Although the account sync feature is a great idea, how it passed security and pen testing makes me wonder. And yes, when you change the account password the existing instances of Proton Authenticator stop syncing and are logged out; but whatever was last synced is still in the synced account, and that is what will be downloaded to the bad actor's Proton Authenticator.
Anonymous
commented
Simple solution. When Pass creates an alias it should put it in a dedicated alias vault, or at the least allow the user to set, in the alias config section, a default vault where newly created aliases should be stored.
Even if you use Proton Authenticator and don't store any TOTPs in Proton Pass, you will run into the same problem the minute you enable the account sync feature on Proton Authenticator. I'd say, remove TOTP out of Proton Pass entirely, and fix the account sync feature on Proton Authenticator to close all TOTP theft loopholes.
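The takeover scenario described in the earlier comment and restated in the one above (recovery phrase lets the attacker reset the password, and a fresh Authenticator install then pulls the last synced TOTP blob) can be made concrete with a small model. The following is an added example written for this page; it is not Proton's code and assumes nothing about Proton's real key hierarchy. It models a sync store whose account data key is wrapped under both the password and the recovery phrase, so anyone holding the phrase can rewrap the key and decrypt whatever was last uploaded. The `purge_sync` flag models one possible mitigation, wiping the Authenticator sync blob whenever the password is reset through recovery; that mitigation is an assumption for illustration, not a documented Proton behaviour. All function and field names (`create_account`, `upload_totps`, `reset_password_with_recovery`, `fresh_device_sync`, `run_scenario`) are hypothetical, and the cipher is a toy HMAC-based construction so the file runs offline with the standard library only.

```python
# Added example, not Proton's code: toy model of a cloud-synced TOTP store whose
# data key is recoverable from the recovery phrase. The crypto (HMAC-SHA256
# keystream + HMAC tag) is a stand-in so this runs offline; names are hypothetical.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def kdf(secret: str, salt: bytes) -> bytes:
    """32-byte key from a password or recovery phrase (PBKDF2, toy cost)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        i += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (toy authenticated encryption)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Account:
    """Server-side record. The account data key is wrapped twice, under the
    password and under the recovery phrase; that second wrap is what makes the
    recovery phrase alone sufficient for a takeover in this model."""
    salt: bytes
    pw_wrapped_key: bytes
    rec_wrapped_key: bytes
    authenticator_sync: Optional[bytes] = None  # last blob uploaded by Authenticator


def create_account(password: str, recovery_phrase: str) -> Account:
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)
    return Account(salt,
                   seal(kdf(password, salt), data_key),
                   seal(kdf(recovery_phrase, salt), data_key))


def upload_totps(acct: Account, password: str, totps: Dict[str, str]) -> None:
    """Victim's Authenticator with account sync on: encrypt under the data key, upload."""
    data_key = unseal(kdf(password, acct.salt), acct.pw_wrapped_key)
    acct.authenticator_sync = seal(data_key, json.dumps(totps).encode())


def reset_password_with_recovery(acct: Account, recovery_phrase: str,
                                 new_password: str, purge_sync: bool) -> None:
    """Recovery flow: unwrap the data key with the phrase, rewrap it under the
    new password. purge_sync models the (assumed) mitigation of wiping the
    Authenticator blob on every recovery-driven reset."""
    data_key = unseal(kdf(recovery_phrase, acct.salt), acct.rec_wrapped_key)
    acct.pw_wrapped_key = seal(kdf(new_password, acct.salt), data_key)
    if purge_sync:
        acct.authenticator_sync = None


def fresh_device_sync(acct: Account, password: str) -> Optional[Dict[str, str]]:
    """A newly installed Authenticator turning on account sync with the password."""
    if acct.authenticator_sync is None:
        return None
    data_key = unseal(kdf(password, acct.salt), acct.pw_wrapped_key)
    return json.loads(unseal(data_key, acct.authenticator_sync))


def run_scenario(purge_sync: bool) -> Optional[Dict[str, str]]:
    """The scenario from the comments; returns what the attacker ends up with."""
    victim_totps = {"bank.example": "JBSWY3DPEHPK3PXP"}  # constructed sample seed
    acct = create_account("victim-pw", "recovery phrase words")
    upload_totps(acct, "victim-pw", victim_totps)
    # The attacker holds only the recovery phrase, never the old password.
    reset_password_with_recovery(acct, "recovery phrase words", "attacker-pw", purge_sync)
    return fresh_device_sync(acct, "attacker-pw")


if __name__ == "__main__":
    print("without purge:", run_scenario(False))  # attacker obtains the TOTP seeds
    print("with purge:   ", run_scenario(True))   # attacker obtains nothing
```

The point the model makes is that logging out existing Authenticator instances does not help when the stored blob itself remains decryptable under the new credentials; the sync data has to be either purged on a recovery-driven reset or encrypted under something the recovery phrase cannot reach, such as a key held only on the user's enrolled devices.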