Two-factor authentication, also known as 2FA, is an authentication technique that greatly increases the security of an account. Traditionally when you sign in, you provide a username, to indicate which account you want to access, and a password to prove you have permission to sign into it. Two-factor authentication adds a second step in which you must prove, a second time and by a different means, that you have permission to access the account.
Theoretically, a second factor could be any form of authentication, such as another password; however, all platforms require the second authentication factor to be a physical device, typically a phone. A physical device is used as the second factor because it protects against the main weakness of passwords, namely that someone else can learn your password. It is much harder for someone to both know your password and hold your phone than it is to know your password alone. This approach is known as “Something you know and something you have”.
Tip: 2FA tokens don’t necessarily need to be phones; there are other purpose-built authentication tokens available. However, not all platforms support them.
To enable two-factor authentication in ProtonMail, you need to click on “Settings” then switch to the “Security” tab, and click “Enable Two-Factor Authentication” in the top-left corner.
ProtonMail supports three mobile 2FA applications, available on both iOS and Android: Authy, Google Authenticator, and FreeOTP. Download whichever app you want to use, then scan the QR code that is presented on the webpage. Once you’ve scanned the QR code, enter your account password and the 2FA passcode shown on your phone to synchronise.
Finally, you’ll be presented with a list of recovery codes. These codes can be used to regain access to your account if you lose access to your 2FA device. They are single-use only and can only be used in the specified order, so make sure to note all of them down, in order, in a safe location, and then back them up.
Tip: You could store a copy of the codes on your phone, just in case you accidentally delete the authenticator app entry. You need to make sure that the codes are saved on another device though; if your phone gets stolen or lost, you won’t have access to the recovery codes on it either. Back up your recovery codes to a computer that stays in your home, or ask a trusted friend or family member to keep a copy for you.