Last updated: March 15, 2026

To enable two-factor authentication on ProtonMail, go to Settings, then Security, click “Enable 2FA,” scan the QR code with an authenticator app like Aegis or Authy, and enter the 6-digit code to confirm. ProtonMail supports both TOTP (authenticator app codes) and WebAuthn/FIDO2 (hardware security keys like YubiKey)–TOTP is the fastest to set up, while WebAuthn provides stronger phishing resistance. This guide walks through both methods along with recovery strategies and developer integration patterns.

Table of Contents

Understanding ProtonMail’s 2FA Options

ProtonMail supports two primary authentication methods:

  1. TOTP (Time-based One-Time Password). Generated by authenticator apps like Aegis, Authy, or Google Authenticator
  2. WebAuthn/FIDO2. Hardware security keys like YubiKey or Titan

TOTP works offline and gives you control over where your secrets are stored. WebAuthn provides phishing resistance but requires physical hardware.

For developers building applications that integrate with ProtonMail, understanding these options helps when designing authentication flows for users who prioritize security.

Comparing TOTP vs. WebAuthn for ProtonMail

Feature TOTP WebAuthn/FIDO2
Setup complexity Low Medium
Phishing resistance Partial Full (origin-bound)
Works offline Yes Yes (key is local)
Cost Free (app) $25-$60 (hardware key)
Backup options Export secret; print codes Register multiple keys
Best for Most users; quick setup High-value accounts; journalists; activists

For most users, TOTP with a local authenticator app (Aegis on Android, Raivo on iOS) is the right starting point. If you handle sensitive communications or are a high-value target for phishing, invest in a FIDO2 hardware key.

Setting Up TOTP-Based 2FA

Step 1 - Access Security Settings

Log into your ProtonMail account and navigate to Settings → Security. You’ll find the two-factor authentication section near the bottom of the page.

Step 2 - Generate Your Secret

Click “Enable 2FA” to generate a TOTP secret. ProtonMail displays a QR code and the raw secret as a Base32 string:

JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP

Step 3 - Configure Your Authenticator

For developers who prefer command-line tools, you can generate TOTP codes manually using standard libraries:

Python example using pyotp:

import pyotp

The secret from ProtonMail settings
secret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"

Generate current TOTP code
totp = pyotp.TOTP(secret)
current_code = totp.now()

print(f"Your 2FA code: {current_code}")

Node.js example:

const TOTP = require('totp-generator');

const secret = 'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP';
const token = TOTP.generate(secret);

console.log(`Your 2FA code: ${token}`);

Step 4 - Verify and Activate

Enter the 6-digit code from your authenticator app to complete setup. ProtonMail displays a set of recovery codes, store these securely, preferably in a password manager.

Step 5 - Back Up Your TOTP Secret

Before closing the setup screen, save the raw Base32 secret string in your password manager alongside your ProtonMail credentials. This lets you regenerate the TOTP entry if you switch authenticator apps or lose your phone.

Export it from Aegis (Android) or Raivo (iOS) as an encrypted backup after setup:

Store the encrypted backup on a different device or offline media from your primary phone.

Setting Up WebAuthn Security Keys

Hardware security keys provide stronger protection against phishing. To set this up in ProtonMail:

  1. Go to Settings → Security
  2. Select “Add a security key” under WebAuthn
  3. Insert your YubiKey and touch the sensor
  4. Name your key (e.g., “YubiKey Work”)

ProtonMail supports multiple keys, which is useful for redundancy.

Registering a Backup Key

Always register at least two hardware keys. If your primary key is lost or damaged, you need a registered backup key to regain access. A YubiKey 5 NFC as the primary and a cheaper Security Key Series as the backup is a common and cost-effective setup.

Key 1 - YubiKey 5C NFC (daily carry, USB-C + NFC)
Key 2 - YubiKey Security Key NFC (stored in home safe, backup)

Store the backup key separately from your primary. different bag, different location. A lost wallet or stolen backpack should not take both keys simultaneously.

Automating 2FA with ProtonMail API

For developers building tools that interact with ProtonMail, understanding the authentication flow is essential. ProtonMail’s API uses OAuth 2.0, and 2FA adds an additional verification step.

Here’s how you might handle 2FA in a Python script using the ProtonMail API:

import requests

def authenticate_with_2fa(username, password, two_factor_code):
    # Step 1: Obtain authentication challenge
    auth_url = "https://api.protonmail.ch/auth"
    initial_response = requests.post(auth_url, data={
        "Username": username,
        "Password": password
    })

    # Step 2: Submit 2FA code
    session_token = initial_response.json()["Token"]
    twofa_payload = {
        "two_factor_code": two_factor_code,
        "token": session_token
    }

    verify_response = requests.post(
        f"{auth_url}/2fa",
        json=twofa_payload
    )

    return verify_response.json()["access_token"]

Recovery Strategies

2FA introduces a single point of failure, losing access to your authentication device can lock you out permanently. ProtonMail provides several recovery mechanisms:

Recovery Codes

ProtonMail generates 10 single-use recovery codes during 2FA setup. Each code works once and cannot be regenerated. Best practices:

Secondary Email

Add a secondary email address in Settings → Security → Recovery. This provides a fallback verification method.

PGP Key Recovery

If you use PGP encryption with ProtonMail, your private key can serve as an additional recovery mechanism. Export your key and store it securely:

Export your PGP private key (from your local GPG keyring)
gpg --armor --export-secret-keys your@email.com > private_key.asc

Security Considerations for Developers

When building applications that handle ProtonMail credentials or 2FA tokens, follow these practices:

Never store plaintext passwords. use proper hashing with Argon2 or bcrypt. TOTP secrets are sensitive data and must be encrypted at rest. Implement rate limiting to protect against brute-force attacks on 2FA codes, and clear sensitive data from memory after use.

Example of secure secret storage in Python:

from cryptography.fernet import Fernet
import os

Generate encryption key (store this securely!)
key = Fernet.generate_key()
cipher = Fernet(key)

Encrypt TOTP secret before storage
secret = "JBSWY3DPEHPK3PXP..."
encrypted_secret = cipher.encrypt(secret.encode())

Store encrypted_secret in your database

Auditing Active Sessions

After enabling 2FA, audit which devices have active ProtonMail sessions. Any session you do not recognize should be revoked immediately:

  1. Go to Settings → Security → Active sessions
  2. Review each session. the list shows device type, approximate location, and last active time
  3. Click “Revoke” on any unrecognized session
  4. If you see a session from an unexpected location, change your password and rotate your recovery codes

Make session audits part of your regular security routine. monthly is a reasonable interval for most users, weekly if you handle sensitive communications.

Common Pitfalls

Always print and store your recovery codes. losing them can mean permanent lockout. Export your TOTP secrets before switching phones, since changing devices without transferring your authenticator will cut off access. ProtonMail does not support SMS 2FA, which is an advantage given how common SIM swapping attacks are.

Remember that 2FA is just one layer of defense. use strong, unique passwords, keep your recovery information updated, and regularly audit your active sessions.

Enterprise 2FA Configuration

Organizations managing ProtonMail accounts for teams can implement centralized 2FA policies:

Store encrypted TOTP secrets in centralized vault
Distribute via secure channels only

Team secret management with HashiCorp Vault
vault kv put secret/protonmail/team@company.com \
  totp_secret="JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" \
  webauthn_backup_key_id="key-123"

Team members can retrieve for emergency access without exposing the primary authenticator

Hardware Key Backup Strategy

For teams handling sensitive communications, maintain multiple registered keys in different physical locations:

Primary Key - YubiKey 5C (carry with daily credentials)
Backup Key 1 - YubiKey 5NFC (home safe)
Backup Key 2 - Titan Security Key (office safe)

Recovery Codes - Printed, stored in lawyer's office

This multi-layer redundancy ensures that losing one key (lost wallet, stolen bag) doesn’t result in complete account lockout.

Advanced - Custom 2FA Workflows

Power users can build custom 2FA integrations for specialized workflows:

Custom 2FA orchestration for automated processes
import pyotp
import requests
from datetime import datetime

class ProtonMailAutomationAuth:
    def __init__(self, username, password, totp_secret, backup_codes):
        self.username = username
        self.password = password
        self.totp_gen = pyotp.TOTP(totp_secret)
        self.backup_codes = backup_codes
        self.auth_token = None

    def authenticate(self):
        """Authenticate to ProtonMail with 2FA"""
        # Step 1: Initial login attempt
        auth_url = "https://api.protonmail.ch/auth"
        response = requests.post(auth_url, data={
            "Username": self.username,
            "Password": self.password
        })

        # Check if 2FA challenge received
        if response.status_code == 401:
            # Use TOTP code for 2FA
            totp_code = self.totp_gen.now()

            # Submit 2FA verification
            twofa_response = requests.post(f"{auth_url}/2fa", json={
                "two_factor_code": totp_code,
                "token": response.json()["Token"]
            })

            if twofa_response.status_code == 200:
                self.auth_token = twofa_response.json()["access_token"]
                return True

            # Fallback to recovery code if TOTP fails
            recovery_code = self.backup_codes.pop()
            recovery_response = requests.post(f"{auth_url}/2fa", json={
                "recovery_code": recovery_code,
                "token": response.json()["Token"]
            })

            if recovery_response.status_code == 200:
                self.auth_token = recovery_response.json()["access_token"]
                return True

        return False

Usage (not recommended for storing credentials in code)
auth = ProtonMailAutomationAuth(username, password, totp_secret, backup_codes)
if auth.authenticate():
    # Proceed with ProtonMail operations

Session Management and Geographic Anomalies

ProtonMail’s session audit logs can reveal unauthorized access attempts. Regular monitoring is critical:

#!/bin/bash
Script to check for suspicious session activity

Get active sessions via API
sessions=$(curl -s -H "Authorization: Bearer $AUTH_TOKEN" \
  https://api.protonmail.ch/auth/sessions)

Flag sessions from unexpected locations
echo "$sessions" | jq '.Sessions[] |
  select(.CreateTime > now - 604800) |
  {IP: .IP, City: .City, Browser: .Name, Created: .CreateTime}'

Alert if:
- Session from unexpected geographic location
- Multiple simultaneous sessions
- Session from unusual browser/device

Biometric Authentication as Phishing Defense

For highest security, combine ProtonMail’s 2FA with biometric unlocking of your authenticator app:

Set up biometric-protected TOTP on iOS (Raivo)
Set up biometric-protected TOTP on Android (Aegis)

Workflow:
1. User attempts to log in to ProtonMail
2. Prompted for 2FA code
3. Open authenticator app
4. Authenticate with Face ID / Touch ID
5. Retrieve TOTP code
6. Enter into ProtonMail

This prevents:
- Phishing sites capturing TOTP codes (even if opened)
- Malware extracting secrets from authenticator app
- Unauthorized use even if device is stolen and unlocked

Regular Security Audits

Perform monthly 2FA audits:

#!/bin/bash
Monthly 2FA audit checklist

echo "ProtonMail 2FA Security Audit - $(date +%Y-%m-%d)"
echo "================================================"

1. Check active sessions
echo "Active Sessions:"
Would check via API or web interface
echo "- Review each session's location and device"
echo "- Revoke any sessions you don't recognize"

2. Verify backup key registration
echo "Registered Security Keys:"
echo "- Ensure at least 2 keys are registered"
echo "- Verify backup key is stored securely"

3. Check recovery codes
echo "Recovery Codes Status:"
echo "- Verify codes are stored securely"
echo "- Count remaining unused codes"
echo "- Request new codes if fewer than 5 remain"

4. Test recovery mechanisms
echo "Recovery Testing:"
echo "- Test secondary email recovery"
echo "- Verify PGP key recovery works"

echo "Audit complete. Consider rotating secrets if any anomalies detected."

Frequently Asked Questions

Can I use the same authenticator app for ProtonMail and other services? Yes. TOTP is a standard protocol (RFC 6238), and any compliant authenticator app works with any service that supports TOTP. Aegis (Android) and Raivo (iOS) support multiple accounts and offer encrypted backups, making them suitable for managing all your 2FA entries in one place.

What happens if I lose my phone and my recovery codes? Without a recovery code, registered backup key, or secondary email, ProtonMail cannot restore access. This is intentional. ProtonMail’s zero-knowledge architecture means they cannot bypass 2FA on your behalf. This makes the backup setup steps in this guide non-optional. Register a backup hardware key or store recovery codes offline before you need them.

Does ProtonMail 2FA protect against phishing? TOTP provides partial protection. a phishing site that captures your code in real time can relay it within the 30-second window. WebAuthn/FIDO2 provides complete protection because the key’s response is bound to the exact origin domain; a phishing domain gets a response that the real site cannot use.

Can I disable 2FA temporarily if I lose my key? No. Once 2FA is enabled, it cannot be disabled without completing a 2FA challenge or using a recovery code. This is the expected behavior. an attacker who has your password cannot disable 2FA either.

Should I use Authy or Aegis? Aegis is preferred for privacy-conscious users because it is open source, stores secrets locally, and does not require an account. Authy stores encrypted secrets in the cloud, which is convenient for multi-device sync but requires trusting Authy’s infrastructure. Use Aegis with a manual encrypted backup for the most secure configuration. —

Related Articles