Two-factor authentication (2FA) adds a second layer of protection to your ProtonMail account. With 2FA enabled, you are prompted for a six-digit code when you log in. That code is a time-based one-time password (TOTP) generated by an authenticator app installed on your mobile phone; it is derived from a secret key shared with ProtonMail during setup and is only valid for a short time.
This means that even if your password is stolen, an attacker still cannot get into your account without also controlling your second factor, that is, the phone (or the secret key it holds). Because of this, we recommend enabling 2FA on your account.
To use 2FA, you first need an authenticator app on your mobile phone, and you must have that phone with you whenever you log in. Any app that implements the standard TOTP algorithm will work, and there are many to choose from. Below are a few options.
Setting up two-factor authentication in ProtonMail
1. Visit the Security tab within the Settings of your account. This can only be done through the web version of ProtonMail found at mail.protonmail.com.
2. Select Enable Two-Factor Authentication
3. Open the authenticator app you have chosen on your mobile device and select the option to scan a QR code (or to enter the key manually). To scan the code, point your device's camera at the QR code shown in the Security settings of your ProtonMail account. (Note: the image below is a demo. Do not scan it; scan the code shown in your own account.)
4. You will then see a modal asking for the login password of your account together with the six-digit code currently shown in your authenticator app. Entering a valid code here confirms that the app was set up correctly before 2FA is switched on.
5. ProtonMail will also give you a set of one-time recovery codes. Save them somewhere safe (for example, in a password manager, or printed and stored offline) and do NOT lose them: if your authentication device (mobile phone, etc.) is ever lost, stolen or broken, these codes are the only way to log in to your account. Each recovery code can be entered in place of the six-digit authenticator code, and each can be used only once, so keep all of them. Treat them like passwords: anyone who obtains them can bypass your second factor.
How to authenticate from multiple devices
If you wish to generate your six-digit authentication codes on multiple devices (say, your phone and your tablet), you must have an authenticator app installed on each device. Then follow the steps below:
- If you have already enabled two-factor authentication, you will need to disable it first. The secret key behind the QR code is only shown during setup, so adding a device means enrolling again from the start.
- Then navigate to Settings -> Security and click on “Enable two-factor authentication”.
- Scan the same QR code with the authenticator app on each device. Because every device now holds the same secret key, they all produce the same codes. You can also take a screenshot of the QR code and save it to scan later with your other devices, but be aware that the screenshot contains your 2FA secret: anyone who obtains it can generate your codes. Store it as carefully as a password and delete it once all devices are enrolled.
Or, instead of scanning the QR code, click on the “Enter key manually instead” button.
You will be shown a key that you then type into the 2FA app on each device.
For example, below are some screenshots showing how to enter the key manually using Google Authenticator:
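The following is an added example, not code from the original article or from ProtonMail; it shows what the QR code and the manual key actually carry and how the six-digit code is produced from them, covering both the setup steps above and the multi-device procedure. The otpauth:// URI, the account name and the Base32 secret in it are constructed for this example (the URI format is the one used by Google Authenticator and compatible apps; the TOTP algorithm is RFC 6238). The recovery-code functions are a simplified model of one-time codes and are not ProtonMail's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the otpauth:// URI that a 2FA QR code encodes (the
# format used by Google Authenticator and compatible apps). The account name
# and the Base32 secret are made up for this example; nothing here is a real
# ProtonMail key. Note that the whole secret is right there in the URI: a
# screenshot of the QR code is a copy of the secret.
EXAMPLE_URI = (
    "otpauth://totp/ProtonMail:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ProtonMail&algorithm=SHA1&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Extract the TOTP parameters from an otpauth:// URI.

    Scanning the QR code does exactly this; choosing "Enter key manually"
    gives you the same 'secret' value to type in by hand.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [""])[0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the current time-step counter, truncated to digits."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, window=1, **params):
    """Server-side check that tolerates one period of clock drift either way
    and compares in constant time so a wrong code takes as long as a right one."""
    period = params.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step * period, **params)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def issue_recovery_codes(count=8):
    """Generate one-time recovery codes: (plain codes shown once, hashes kept server-side)."""
    plain = [secrets.token_hex(4) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_recovery_code(stored_hashes, code):
    """Consume a recovery code: valid only if still unused, and removed once used."""
    digest = hashlib.sha256(code.strip().encode()).hexdigest()
    for h in list(stored_hashes):
        if hmac.compare_digest(h, digest):
            stored_hashes.remove(h)
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth_uri(EXAMPLE_URI)
    now = time.time()
    params = {k: p[k] for k in ("digits", "period", "algorithm")}
    phone = totp(p["secret"], now, **params)
    tablet = totp(p["secret"], now, **params)   # same secret, same clock, same code
    print("label:", p["label"], "| code on phone:", phone, "| on tablet:", tablet)
    print("server accepts:", verify_totp(p["secret"], phone, now, **params))
    codes, store = issue_recovery_codes()
    print("recovery code accepted:", redeem_recovery_code(store, codes[0]))
    print("same code again:", redeem_recovery_code(store, codes[0]))
```

Two things worth noticing: the phone and the tablet agree only because they share the secret and a reasonably accurate clock, which is why the article has you scan the same QR code on every device (and why a wrong clock is a common cause of rejected codes); and the server never stores recovery codes in the clear, only their hashes, removing each one the first time it is redeemed.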
If 2FA is not working, see the following article on the most common 2FA login problems.
Optional: Switch to Single Password Mode (for Legacy users)
As of version 3.6.0, ProtonMail supports a single-password mode, which is the default for newly created accounts. Single-password mode combines the legacy login password and mailbox password into one password without weakening security or privacy. Existing users can stay in two-password mode or switch to single-password mode. If having to enter a login password, a 2FA code and a mailbox password to reach your email is too cumbersome, we recommend switching to single-password mode, which removes one of those prompts.