2020/02/17 10:22:03 PM UTC

protonmail’s 2FA is fucking useless lol

as long as someone knows your password (and has access to your recovery email), they can just reset your password and then use the key import to get all the emails back using your original password

still, this requires they have your recovery email under their control. so I guess it’s better than nothing. or something. idk

2020/02/17 10:31:31 PM UTC

@sylveon 2FA is usually a sly way to mine more information about you more than anything.

The way to do it correctly is to expose a secret over a secure channel (ex. the QR code via SSL) which is entombed in a completely separate physical device. Any method other than this is data mining.

2020/02/17 10:32:36 PM UTC

@icedquinn they did use TOTP rather well and obviously weren't trying to do it for data mining

they just accidentally left in a loophole

whatever. it requires someone to hack your other email before that anyways

2020/02/17 10:33:28 PM UTC

@sylveon mfw not using recovery emails :blobcatsweats: