ProtonMail security checklist for new account owners

This article explains how new ProtonMail account owners can maximize the security of their new account. ProtonMail secures your account with features including end-to-end encryption; minimal tracking and logging of personally identifiable information; independently audited, open source cryptography; zero-access architecture; and SSL-secured connections.

However, no system is 100% secure, and ProtonMail is no exception. That’s why we compiled a list of 11 key steps that reinforce the security ProtonMail offers.

We recommend that all ProtonMail users go through this checklist regularly. However, these steps are particularly important at the creation of your ProtonMail account. Starting off on the right foot builds a strong defense against any attempts to expose your data and creates good security habits.

Enable two-factor authentication (2FA)

2FA protects your account even if someone steals your password. When you enable 2FA, ProtonMail asks you for a six-digit code at each login as an additional layer of security. A separate authenticator app generates the code. Find out more about how to enable 2FA in ProtonMail.

Choose strong passwords and keep them safe 

We recommend using a password manager that generates long, random passwords and stores them with end-to-end encryption. Never reuse passwords. Learn more about strong passwords.

Don’t forget your password! You will not be able to read your old emails if you forget it, as the password is linked to your encryption key. 

Encrypt emails to non-ProtonMail contacts

PGP encryption can dramatically improve the security of your communications. ProtonMail allows you to exchange end-to-end encrypted emails and attachments with ProtonMail and non-ProtonMail account owners in a simple, reliable way. 

Encrypt and verify your contacts

Proton Contacts is the world’s first encrypted contacts manager. Users with paid plans can store certain contact details, such as phone numbers and mailing addresses, with zero-access encryption and digital signature verification. These tools provide a cryptographic guarantee that no one has tampered with your contacts, not even us.

You can also use the Trust Public Keys option when you receive a message from a trusted ProtonMail contact. The feature saves the contact’s public key and protects against tampering.
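The security value of pinning a contact's key is that a later message carrying a different key is flagged rather than silently accepted. The following is an added illustration of that check, not ProtonMail's implementation: it pins a fingerprint of the key bytes per address and classifies each presented key; the key blocks are constructed placeholders, not real PGP keys.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "public keys": opaque bytes standing in for real PGP key material.
KEY_ALICE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nalice-v1\n-----END PGP PUBLIC KEY BLOCK-----"
KEY_ALICE_ROTATED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nalice-v2\n-----END PGP PUBLIC KEY BLOCK-----"


def fingerprint(key: bytes) -> str:
    """Hash the key bytes; the fingerprint is what gets pinned and compared."""
    return hashlib.sha256(key).hexdigest()


@dataclass
class TrustedKeyStore:
    """Per-address pins created when the user trusts a contact's key."""
    pins: dict = field(default_factory=dict)

    def trust(self, address: str, key: bytes) -> str:
        """Pin a contact's key (the 'Trust Public Keys' step) and return its fingerprint."""
        fp = fingerprint(key)
        self.pins[address] = fp
        return fp

    def check(self, address: str, presented_key: bytes) -> str:
        """Classify a key arriving with a message:
        'trusted'  - matches the pinned fingerprint
        'unpinned' - contact was never trusted, so nothing to compare against
        'mismatch' - a pin exists but the presented key differs (alert the user)"""
        pinned = self.pins.get(address)
        if pinned is None:
            return "unpinned"
        return "trusted" if pinned == fingerprint(presented_key) else "mismatch"


if __name__ == "__main__":
    store = TrustedKeyStore()
    store.trust("alice@example.com", KEY_ALICE)
    print(store.check("alice@example.com", KEY_ALICE))          # trusted
    print(store.check("alice@example.com", KEY_ALICE_ROTATED))  # mismatch
```

A "mismatch" is the event worth stopping on: it may be a legitimate key rotation, but it is also exactly what a substituted key looks like, so confirm the change with the contact out of band before sending anything sensitive.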

Note: ProtonMail has access to your contacts’ display names and email addresses in order to route your emails to the correct recipient and to provide advanced features such as auto-complete, spam filtering, and whitelists. 

Check authentication logs 

You can check your account for suspicious logins through the Authentication Logs feature available in your ProtonMail settings. Please note that ProtonMail will have access to your successful login attempts if you decide to keep this feature on.

Log out other sessions

If you are concerned that someone else has access to your account or you forgot to log off on a public device, you can log out remotely through your settings. Unless you explicitly log out or change your password, you will stay logged in to your account for up to six months. Learn more about logging out of other sessions.

Beware of phishing

ProtonMail will never ask for your login credentials. Enter your credentials only into our official apps and websites:

ProtonMail provides additional anti-phishing protection with PhishGuard, DMARC protection, and link confirmation. If you receive a suspicious email, never click on the links or download attachments. 

Report phishing to ProtonMail

If you receive a suspicious email, you can report it through our Report Phishing feature. 

Enable AppKey for ProtonMail iOS app 

If you have iOS, AppKey adds another layer of protection to your ProtonMail data. 

If your device is compromised and an attacker obtains the key that unlocks your ProtonMail data, AppKey stops the attacker from accessing the data by verifying their identity. The AppKey is tied directly to your biometric information or your PIN.

Learn more about how AppKey works with ProtonMail.

Keep your devices safe

The most effective hacks are often also the most low-tech. Device theft is one. Keylogging software and other types of spyware are also concerns. Be aware of your physical security when traveling and in public, and always set a password for your device. If you are using a public computer, don’t forget to log off!

DO NOT click links or open attachments in emails from unknown or unverified senders, particularly if the attachment is a .zip or .exe file. They might contain malware that compromises your device or your accounts.

Mark the message as spam to send future messages from that sender directly to your spam folder. 

Protect your Internet traffic with a secure VPN

ProtonVPN sends your Internet traffic through an encrypted VPN tunnel, so your passwords and confidential data stay safe, even over public or untrusted Internet connections. We designed ProtonVPN focusing on security, drawing upon the lessons we have learned from working with journalists and activists in the field. 

Following these 11 tips will strengthen the security of your account, but staying safe requires vigilance and work by both you and the person you are communicating with. To stay on top of privacy and security news, follow ProtonMail’s blog and social media for the latest announcements and releases. 

If you have any questions or concerns, you can contact our support team.