Two-factor authentication (2FA) adds a second layer of security to your ProtonMail account by requiring an additional verification step at login. Currently, ProtonMail supports the OTP protocol, so accounts with 2FA enabled will be prompted for a 6-digit code when logging in. This 6-digit code is generated by an app installed on your mobile phone.
This means that even if your password is somehow stolen, an attacker still cannot get into your account without also having access to your mobile phone. Because of this security benefit, we recommend enabling 2FA on your account.
In order to use 2FA you must have access to a second device with an authenticator application installed, which generates the verification codes you use to confirm your login. Below you will find several authenticator application options. You must install one of these apps on your mobile phone before you can use 2FA.
Setting up Two Factor Authentication in ProtonMail
1. Visit the Security tab within the Settings of your account. This can only be done through the web version of ProtonMail found at mail.protonmail.com
2. Select Enable Two-Factor Authentication
3. Open the authenticator app you have chosen on your mobile device and select the option to scan a QR code, or manually enter the authentication key. To scan the code, point your device's camera at the QR code shown in the Security settings of your ProtonMail account. (Note: the image below is a demo, do not scan it. Scan the image shown in your account.)
4. You will see the following modal that requires you to enter the Login password of your account, along with the two-factor passcode which you will see in the authenticator application you are using.
5. ProtonMail will also provide you with several one-time use recovery codes. Please save these codes in a secure place and do NOT lose them. If you ever misplace or lose your authentication device (mobile phone, etc.), these codes are the only way to log into your account: enter one of them instead of the 6-digit authenticator code. Note that each code can only be used once, and they must be used in the listed order, so please save all the codes.
How to authenticate from multiple devices
If you wish to receive your six-digit authentication codes on multiple devices — say, your phone and your tablet — you must have an authenticator app installed on each device. Then follow the steps below:
- If you have already enabled two-factor authentication you will need to disable it.
- Then navigate to Settings -> Security and click on “Enable two-factor authentication”.
- Scan the QR code using the authenticator app on each device. You can also make a screenshot of the QR code and save it for later to scan with your other devices.
Alternatively, instead of scanning the QR code, click the “Enter key manually instead” button.
You will be provided with a key that you will need to enter manually in the 2FA app.
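The key shown here is the same shared secret that the QR code carries; every device you enter it into will produce identical codes, which is why the multi-device steps above work. The following is an added worked example, not ProtonMail's code, showing what an authenticator app computes from that key and how a server would check the result. It assumes the common authenticator defaults for the OTP protocol named above (RFC 6238 TOTP with HMAC-SHA1, 30-second steps, 6 digits) and a base32-encoded key; the recovery-code class is an illustrative model of "one-time use, in listed order", not a description of ProtonMail's implementation. The sample key is the RFC 6238 Appendix B test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Authenticator-app defaults (assumed; the page only states that codes are 6 digits).
DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_base32_key(key: str) -> bytes:
    """Accept the key as apps display it: base32, optional spaces, lower/upper case, no padding."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that display strings drop
    return base64.b32decode(cleaned)


def totp(key: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """The 6-digit code an authenticator app shows for the given Unix time."""
    return hotp(decode_base32_key(key), at_time // step)


def verify_totp(key: str, submitted: str, at_time: int, window: int = 1,
                step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step plus `window` neighbours on each side
    to tolerate clock skew, comparing in constant time. A real service would also
    remember the last accepted counter so the same code cannot be replayed."""
    secret = decode_base32_key(key)
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


class RecoveryCodes:
    """Illustrative model (an assumption, not ProtonMail's code): codes are stored hashed,
    each works exactly once, and only the next unused code in the list is accepted."""

    def __init__(self, codes):
        self._hashes = [hashlib.sha256(c.encode()).digest() for c in codes]
        self._next = 0

    def remaining(self) -> int:
        return len(self._hashes) - self._next

    def redeem(self, submitted: str) -> bool:
        if self._next >= len(self._hashes):
            return False  # all codes spent; the user must re-enable 2FA for new ones
        digest = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(digest, self._hashes[self._next]):
            self._next += 1
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in base32); constructed, not a real key.
    KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    code = totp(KEY, now)
    print("current code:", code, "valid:", verify_totp(KEY, code, now))
    print("code for T=59:", totp(KEY, 59))  # RFC vector 94287082 truncated to 6 digits
```

Entering the same key into a second app and comparing the codes it shows against `totp(KEY, int(time.time()))` is a quick way to confirm both devices hold the identical secret; a mismatch almost always means a typo in the manual entry or a device clock that is off by more than one 30-second step.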
For example, below are some screenshots showing how to enter the key manually using Google Authenticator:
If 2FA is not working, please see the following article on the most common 2FA login problems.
Optional: Switch to Single Password Mode (for Legacy users)
As of version 3.6.0, ProtonMail supports a single password mode, which is the default for newly created accounts. Single password mode combines the legacy Login and Mailbox passwords into one password without compromising security or privacy. Existing users can stay in two password mode or switch to single password mode. For users who find entering a Login password, a 2FA code and a Mailbox password to access email too cumbersome, we recommend switching to single password mode to reduce the number of password prompts by one.