ProtonMail does not support Yubikeys. I would like to ask all of HN to think seriously about this and what this means. ProtonMail does many things exactly right. This 1 oversight suggests something very very scary going on at the organization.

HN does not allow you to delete comments. I would ask that if you think that not having Yubikeys does not require a significant and immediate answer from the ProtonMail team, to sign your name (I will) at the bottom of your response. If you can’t do that, perhaps provide a burner email address.

Dan Ehrlich

[email protected]

CISSP, CCSP, CISM

EDIT: spacing between my signature, change of comment to commentS

Can you elaborate why not supporting Yubikeys (yet) "suggests something very very scary going on at the organization"?

Yubikeys are one of the few forms of 2FA that are highly resilient to being phished. Google has not only an option to restrict SMS 2FA, but an additional one below to restrict “all 2FA options except security keys” in GSuite.

It has been known for some time that TOTP 6 digit codes are easy to intercept. SMS Codes can also be intercepted, or gained via SS7 vulns / SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.

To intercept and exploit MFA in ProtonMail would be absolutely trivial for a skilled single person to do. DNS poisoning + this GitHub library would be all you needed: https://github.com/kgretzky/evilginx2

EDIT: replaced quotemark with asterisk
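Added illustration (example code written for this page, not part of the thread and not ProtonMail's or Yubico's code) of the property the comment above relies on: a TOTP code is six digits with no notion of where it was typed, so a code relayed from a lookalike page within its time window verifies, while a WebAuthn/FIDO2 assertion carries the origin the browser actually loaded inside the signed data, so the relying party rejects it. The origins `mail.example` / `mail-example.test`, the RP ID and the credential key are constructed; HMAC-SHA256 under a per-credential key stands in for the security key's ECDSA/EdDSA signature so the block runs with the standard library alone. The TOTP part is real RFC 6238.

```python
import hashlib
import hmac
import json
import struct

# Constructed identifiers for the model; not ProtonMail's real origin or IDs.
RP_ID = "mail.example"
RP_ORIGIN = "https://mail.example"
LOOKALIKE_ORIGIN = "https://mail-example.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator / Authy use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30) -> bool:
    """Server-side TOTP check with the usual one-step tolerance either way.
    Note what is absent: nothing tells the server *where* the user typed the code."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), submitted)
        for d in (-1, 0, 1)
    )


def authenticator_sign(cred_key: bytes, rp_id: str, challenge: str, origin: str):
    """Model of browser + security key producing a WebAuthn assertion.
    The browser, not the page, writes clientDataJSON and fills in the origin it
    actually loaded; the key then signs authenticatorData || SHA-256(clientDataJSON).
    HMAC-SHA256 under a per-credential key stands in for the key's real signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify_assertion(cred_key: bytes, expected_challenge: str,
                        client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:   # freshness: no replay of an old assertion
        return False
    if cd.get("origin") != RP_ORIGIN:                # origin binding: the phishing-resistance property
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Constructed scenario: the user lands on a lookalike page that relays the real
    service's login flow in real time, as the comment above describes."""
    totp_secret = b"12345678901234567890"                  # constructed shared secret
    cred_key = hashlib.sha256(b"constructed-credential-key").digest()
    now = 1_700_000_000                                     # fixed for a deterministic run
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"             # would be fresh random bytes per login
    out = {}

    # TOTP: the six digits typed into the lookalike page are exactly what the real
    # server expects, and nothing in the protocol marks where they came from.
    out["totp_relayed_accepted"] = server_verify_totp(totp_secret, totp(totp_secret, now), now)

    # WebAuthn at the genuine origin: accepted.
    cd, ad, sig = authenticator_sign(cred_key, RP_ID, challenge, RP_ORIGIN)
    out["webauthn_direct_accepted"] = rp_verify_assertion(cred_key, challenge, cd, ad, sig)

    # WebAuthn on the lookalike page: the relay can forward the genuine challenge, but
    # the browser stamps the lookalike origin into clientDataJSON, which is under the
    # signature. (A real browser would already refuse because RP_ID is not a registrable
    # suffix of that host; the RP-side origin check is the backstop shown here.)
    cd2, ad2, sig2 = authenticator_sign(cred_key, RP_ID, challenge, LOOKALIKE_ORIGIN)
    out["webauthn_relayed_accepted"] = rp_verify_assertion(cred_key, challenge, cd2, ad2, sig2)

    # Replaying an earlier genuine assertion against a fresh challenge also fails.
    out["webauthn_replayed_accepted"] = rp_verify_assertion(cred_key, "ZnJlc2gtY2hhbGxlbmdl", cd, ad, sig)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The detection angle for defenders follows from the same structure: a TOTP login from a relay looks identical to a legitimate one on the server, whereas a failed WebAuthn assertion whose clientDataJSON carries an unexpected origin is a concrete, loggable signal that a user was on a page impersonating the service.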