ProtonMail does not support Yubikeys. I would like to ask all of HN to think seriously about this and what this means. ProtonMail does many things exactly right. This 1 oversight suggests something very very scary going on at the organization.
HN does not allow you to delete comments. I would ask that if you think that not having Yubikeys does not require a significant and immediate answer from the ProtonMail team, to sign your name (I will) at the bottom of your response. If you can’t do that, perhaps provide a burner email address.
Dan Ehrlich
CISSP, CCSP, CISM
EDIT: spacing between my signature, change of comment to commentS
Can you elaborate why not supporting Yubikeys (yet) "suggests something very very scary going on at the organization"?
It has been known for some time that TOTP 6-digit codes are easy to intercept. SMS codes can also be intercepted, or gained via SS7 vulns/SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.
To intercept and exploit MFA in ProtonMail would be absolutely trivial for a skilled single person to do. DNS poisoning + this GitHub library would be all you needed: https://github.com/kgretzky/evilginx2
EDIT: replaced quotemark with asterisk