ProtonMail’s 2FA is fucking useless lol
as long as someone knows your password (and has access to your recovery email), they can just reset your password and then use the key import to get all the emails back using your original password
still, this requires that they have your recovery email under their control. so I guess it’s better than nothing. or something. idk
The way to do it correctly is to expose a secret over a secure channel (e.g. the QR code via SSL) which is entombed in a completely separate physical device. Any method other than this is data mining.
they just accidentally left in a loophole
whatever. it requires someone to hack your other email before that anyway