ProtonMail v3.6 Release Notes


ProtonMail 3.6 introduces the most requested feature from the ProtonMail community with almost 1900 votes – Two Factor Authentication.

Note: Due to the way we roll out new versions, ProtonMail 3.6 has not been released to everybody yet; if you don’t see it yet, you will see it soon.

At ProtonMail, security is always our highest priority, and we are constantly improving our technology to ensure that the email encryption we provide stays at the cutting edge. Adding Two Factor Authentication is an important milestone in our security roadmap. For those of you unfamiliar with Two Factor Authentication, we will be publishing a longer blog post next week discussing its advantages and practical usage.

With ProtonMail 3.6, we are not only introducing Two Factor Authentication, we are also rolling out an entirely redesigned authentication system leveraging the research our team has been conducting over the past year. This includes the introduction of a Single Password Mode, which allows ProtonMail to be used with a single password instead of two passwords, without compromising security or privacy. Technical details of how we accomplished this can be found here. Note: we will continue to support the legacy Two Password Mode.

Both of these features are also already supported in the current version of the ProtonMail secure email mobile apps for Android and iOS. Together, these features make our 3.6 release a giant step forward in our mission to make ProtonMail the world’s most secure email service.

ProtonMail does not show advertisements or abuse your privacy to make money. Paid accounts are our only source of funding. Please consider upgrading to a ProtonMail Plus account so that we can continue to operate the service and fund further development.


Two Factor Authentication


Two Factor Authentication (2FA) adds an additional layer of security to your ProtonMail account by adding a second step (or second factor) to the login process to authenticate your identity. This helps protect your account from unauthorized access. A comprehensive guide on how to set up 2FA with ProtonMail can be found here.

One Password Mode


One Password Mode removes the need to remember two passwords (Login and Mailbox), making it even easier to use ProtonMail. It also makes 2FA easier to use by reducing the number of authentication prompts by one. Due to security enhancements that we have made to ProtonMail’s authentication system, we are able to achieve One Password Mode without compromising security or privacy. You can learn how to switch to One Password Mode by following the guide here. Note: we will continue to support the legacy Two Password Mode.

Version 3.6 Full Release Notes

New Features

  • Two Factor Authentication (see above)
  • One Password Mode (see above)

Bug Fixes

  • Show Images no longer collapses the blockquote below
  • Edit Identity now visible on inactive addresses
  • Fixed storage space indicator bar showing incorrect amount on Windows
  • CSS not showing properly within message body
  • Fixed an issue where sometimes the number of unread messages is -1

Improvement

  • Show a warning message when a non-ProtonMail user has replied to an Outside Encrypted message the maximum of 5 times.


As always, your feedback is appreciated. Please report bugs using the ProtonMail Report Bug feature, or send us a support request here: https://protonmail.com/support

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.



69 comments on “ProtonMail v3.6 Release Notes”

  • Thank you for this release, although I personally don’t see much improvement for my particular usage. Single Password may be fine (waiting for tomorrows blog post because I have no idea how you accomplished making the login single-password without compromising security… but that’s certainly me not being too much into security-tech). I hope this frees resources to finally make multi-user-accounts (family-accounts) a reality for paid accounts. Keep up the good work!

  • Hurrah! And well done. Have been with you guys from the start and every penny spent has been worth it so far. Thank you for making PM one of the safest places to do email.

  • But I still want to use the old two password solution, this will still be available, right? As long as you don’t remove the old method…

  • Thank you! This is a big feature for sure, especially for a high security email service.

    Any word on if IMAP/POP3 support is still planned to roll out by the end of the year?

  • Thanks for your hard work since the beginning!
    A little question on one-password mode: the benefit of 2-password mode is that only the user knows the mailbox password that protects the PGP key, so you can legitimately decline end-to-end decryption when you receive a request. In one-password mode, this key is derived from the user password (stored on the server) with a salt and an algorithm (like SHA or whatever) that you know, so you can derive it on the server if you want?
    I don’t think you want to break user privacy, but with this change, can an authority force you to do this derivation to decrypt the mailbox?

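The key-separation idea behind the question above, as an added illustration that is not ProtonMail's code and not a description of its actual protocol: the single password is stretched once, then split by one-way derivation into an authentication branch the server can verify and a mailbox branch that never leaves the client. Function names, the salt size, the iteration count and the plain hash standing in for an SRP verifier are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters for this illustration; not ProtonMail's real values.
KDF_ITERATIONS = 200_000  # PBKDF2 work factor; raise it in a real deployment


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the single password once, then split it into two branches:
    an auth key (used to prove identity to the server) and a mailbox key
    (stays on the client and wraps the private key). HMAC-SHA256 is one-way,
    so knowing one branch reveals neither the master nor the other branch."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    auth_key = hmac.new(master, b"auth", hashlib.sha256).digest()
    mailbox_key = hmac.new(master, b"mailbox", hashlib.sha256).digest()
    return auth_key, mailbox_key


def make_verifier(auth_key: bytes) -> bytes:
    """The only password-derived value the server keeps: a one-way image of
    the auth branch (a plain hash stands in for an SRP verifier here)."""
    return hashlib.sha256(b"verifier|" + auth_key).digest()


def register(password: str) -> Tuple[Dict[str, bytes], bytes]:
    """Client side of enrolment: returns the server record and the mailbox key.
    The record never contains the mailbox key or anything that yields it."""
    salt = os.urandom(16)
    auth_key, mailbox_key = derive_keys(password, salt)
    return {"salt": salt, "verifier": make_verifier(auth_key)}, mailbox_key


def login(record: Dict[str, bytes], password: str) -> Optional[bytes]:
    """Client re-derives both branches; the server checks only the auth branch.
    Returns the mailbox key on success (client side only), None otherwise."""
    auth_key, mailbox_key = derive_keys(password, record["salt"])
    if not hmac.compare_digest(record["verifier"], make_verifier(auth_key)):
        return None
    return mailbox_key
```

Because the server still holds a salt and a verifier, offline guessing of a weak password remains possible, so the mailbox key is protected only as well as the password and the KDF cost allow.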
  • More great work from the geniuses at ProtonMail! Two-factor auth was a major missing piece. Now we just need full PGP support for communicating with non-protonmail users and I will be in an encrypted heaven.

    • Totally agree – it’d be great to integrate calendar – I’d lose all my current calendar functionality on my custom domain without it.

  • I greatly support this feature; unfortunately, I don’t have a smartphone, I’m still using my old flip-phone. Is it possible to use SMS for 2FA like Gmail does? And is it possible to use 2FA alongside the Mailbox password, making it into 3FA?
    Thanks!

      • Thanks for the reply, Admin,
        2FA with 2 password mode is a great idea, it adds an extra-level of protection to another extra-level of protection! Great job!
        What about getting the 2FA codes through your recovery email?

    • You can always use KeePass with OTP plugin giving you the same functionality as Google Authenticator and it works on mobile (at least Android) too: Keepass2Android

      • If you are using KeePass to store your password AND generate the second factor, then it’s completely useless. An attacker only has to copy your database, like when you only use 1FA.

        The key is to use another independent factor.

  • Is your mobile app ready for the change? I have enabled 2FA for my email account and switched to 1 password authentication. Whenever I try to log in on my Android device I get prompted to enter my mailbox password, which I provide, and then it says that the password is invalid. I’m confused.

  • Sounds good, but why did I have to reset my password after logging in with the correct login and password… I lost all my inbox emails…

    • Yeah, I don’t get it. Lots of people wanted Yubikey. It should at least be an option. Also far more private. I don’t want anything on my phone to do with Protonmail (I don’t use the app), and I don’t want Google Authenticator/Authy, etc. So no 2FA for me.

      Why, oh why no Yubikey?

  • Hi,

    does it still work in such a way that after restarting the browser you need to log in again, even if you haven’t explicitly logged out? Because that’s really annoying :\ I restart my browsers all the time because I’m constantly running out of memory…

  • Would be nice to have 2FA with table of codes as an option too. Not only the app on smartphone. What if my phone is lost, how do I log in?

  • I’m also surprised about not going the Yubikey way. I find it a more secure way than 2FA apps. The major thing may be that people would have to buy the key while the app is free. But the cost of security would not be that hard to pay.

    • https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy
      You should read this post above! (blackbox)
      Afaik Yubikeys are made in the USA/Sweden; some organizations or companies need them for managing & surveying their staff (they have guards & the help of the police force when something goes wrong, and you?).
      A single user should be prudent when he reads that it is good for Yahoo, Google, and other borderline account/identification.
      The Yubikeys are not yet signed (by you?) & verified (by an independent audit?), but that is the problem with almost every USB key: I like the smart card option.
      This product is a gadget; I would be more positive if someone serious created the same product everywhere (open source), but it seems that only Yubico does it, so … nice tool but nothing more.
      By the way, if someone bought 500 keys he could distribute a lot of units at the cost of 1 $, that is a very good option for Christmas day (keyparty?).
      Learning encryption and being trained for that is a nice thing and Yubikey allows it easily, but I have no confidence at all in this “unknown device”, so I think it is a good decision that ProtonMail does not support Yubikey (but will do it maybe in the near future, who knows?).

      • Ok santa_y_maria, you may be right about turning the Yubikey now into the “black box”. I don’t trust anyone either if it’s not open source. But still the basic principle of hardware keys like Yubikey is the anti-phishing and simplicity with which you access and provide the 2FA. The 2FA by apps like Google Aut. or Authy is just the same as it was with the two password access to the ProtonMail account. You only fill another (third) box of numbers by keyboard.

      • Yubico supports open source extensively. Their product is not fully open source primarily for reasons of hardware security. They have detailed this at length: https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

        When it comes to open source hardware, I doubt that you – or anyone who is likely to read this – uses open source hardware. Are your motherboard, processor, hard drives, graphics card, and all the rest open source? No.

        • Hi,
          let’s say that the new policy of Yubikey gives small firms & large enterprises better control, improving their security.
          This choice for a single user, even if it should provide the 2FA, is at your own risk.
          Supporting a usb_thing that you do not trust is a potential risk that ProtonMail must not take: it would be irresponsible.
          Thx.

  • Took since 2013 to have usable contacts and for PM to use a single password system. Yubikey should be on track for the second half of 2037.

  • So the 2FA is only via smartphone? I was hoping for a usb or yubikey option. I don’t own a smartphone and don’t want one. That’s disappointing.

    • The TOTP protocol (the one implemented by Google Authenticator) is implemented for various systems. You can use WinAuth for Windows or jAuth (other systems) to generate 2FA codes.

  • Note: Due to the way we roll out new versions, ProtonMail 3.6 has not been released to everybody yet, if you don’t see it yet, you will see it soon.

    Could you maybe write a piece about how exactly you roll out new releases?

  • I’m excited to see you guys were able to implement SRP so quickly. It’ll definitely be a big improvement in terms of usability and security (thanks to 2FA). Keep up the great work!
    P.S. ECC keys might take some load off the server (and clients), so that might be worth looking into.

  • There are legitimate reasons why Google Authenticator and similar apps aren’t sufficient. They are good to have as an option, but there should be more options, and Yubikey or Nitrokey would solve these.

    It is possible to be in a situation where one or more of these apply:
    1. Security & privacy are very important to you
    2. You have wired internet
    3. You do not have mobile access
    4. You don’t want to carry your phone with you/only a burner phone
    5. You access PM only via a computer, and don’t want to have any sign of PM on your phone
    6. You don’t want to need to have a Google account to get an app to get into your private email/let Google know you use protonmail.

    For this reason, the 2FA PM have unveiled is probably good for some people, but not good for many others.
    Yubikey/Nitrokey would be a good additional option. Many people asked for this, as someone noted above.
    The argument that Yubikey costs money can’t be a good one, since many people buy them and having a phone is much more expensive.
    For those worried about open source: none of your hardware is likely to be open source, so this argument doesn’t work against Yubikey.
    Secondly, Protonmail have not given us PGP import/export and so we can’t change our encryption keys and we have no way of knowing that PM aren’t encrypting all our emails with their own keys.

    So please, Protonmail, give us Yubikey support. Just like Mailbox.org already have.

    • I understand your concerns, but some of them are solved by generating TOTP 2FA codes on your PC. Check tools like WinAuth or jAuth. If you dislike Google Authenticator there are other similar apps available.
      You can also give up on apps and just print a new list of one-time codes from time to time.

  • I have a request, STOP FUCKING INFECTING MACHINES
    Hello!

    All Your files are encrypted!

    For more specific instructions, please contact us as soon as possible:

    chipme@protonmail.com

    Attention: DO NOT USE ANY PUBLIC DECRYPTERS! YOU CAN DAMAGE YOUR FILES!

    Kind regards,

    Support Team.

    • Thanks for informing us about this account, it is clearly being used for criminal purposes and we will be shutting it down immediately.

      • You are most likely right, and I have seen this kind of scam played on other email providers, it is normally a bot posting the messages, but perhaps take into consideration too that anybody who wants an email account closed could do this to damage reputation.

        Anyway, thank you for 2FA, it is a must have for any email provider. Protonmail is going in the right direction.

  • This is a great improvement! Would it be possible to expand 2FA login by giving the option to remember a computer if you so choose?

  • I appreciate the addition of two-factor authentication. Hard work. Thanks.
    My query is not related to “ProtonMail v3.6 Release Notes” but I do not know where else to direct it.

    Where on your “to do” list is the feature of multiple accounts for a custom domain? I know several businesses that are waiting and I would like to get my family to have their own accounts and share my custom domain. The last I read in some blog posting, it was going to be available fall 2016. Obviously that has been pushed. Is there an approximate time period? It would seem to me that such a feature could require separate paid accounts. Increase in revenue stream??
    Thanks, and I appreciate ProtonMail and support it through a paid subscription.

  • I wish the Android apk was available for people without the Google Play Store. I am running CopperheadOS, which does not feature the Play Store, and there is no way to get the Android app.

  • Not really a bug per se, but I need to be able to select an email and then select a folder to save it in. Currently an email is saved only in the folder according to the email sender, or else I don’t know how to select a folder to save it to.
    Also, how do I set up a website for a company?
