Proton sign-in on SimpleLogin bypasses 2FA

So I recently connected my Proton account to my SimpleLogin account a couple of days ago and I just realized that I haven't been asked for my TOTP 2FA code. This kind of feels like a situation where a service gives you a 2FA option and then there's still a 1FA method of logging into the account.

I know I can just turn on 2FA on my Proton account and that makes it so it's still 2FA for SimpleLogin, so I don't know if I'm making a bigger deal of it than I should be.

Do you guys think this is a really small thing, or do you think SimpleLogin should make it so you still have to enter the TOTP 2FA code even if you log in with Proton?

1 Like

I think that's a common issue with the "log in with" system. I don't understand the details, but I think how it works is you log into X, which gives you an auth token, which, because you've set it up, is also accepted by Y. So Y detects the presence of the token, then just lets you in. While normally the token would only be issued after the 2FA has been passed, this bypasses that system unless X has a 2FA system.

So, basically, the "log in with" system is a potential weakness in any system, so if you're really worried about that potential hole then I'd advise against using it. Or use 2FA on the issuing system (in this case, Proton).

1 Like
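The decision the reply sketches, as an added example that is not code from SimpleLogin, Proton or anyone in the thread: a relying party Y that skips its own TOTP after a "log in with X" sign-in only when X's assertion reports a second factor, with an "always prompt" policy for what the original poster asks for. The OIDC `amr` claim, the provider URL and the user record shape are assumptions.

```python
from dataclasses import dataclass, field

# Constructed types standing in for the identity provider's assertion (X)
# and the relying party's user record (Y); not SimpleLogin's or Proton's code.
@dataclass
class FederatedLogin:
    issuer: str            # which "log in with" provider issued the token
    subject: str           # stable user id at that provider
    amr: list = field(default_factory=list)  # OIDC amr claim, e.g. ["pwd", "otp"]

@dataclass
class LocalAccount:
    totp_enabled: bool     # user turned on TOTP at Y
    linked_issuers: set    # providers the user explicitly linked to this account

# Assumption: these RFC 8176 amr values count as a second factor at the provider.
SECOND_FACTOR_METHODS = {"otp", "hwk", "swk", "sc", "mfa"}

def require_second_factor(account, login, policy="trust_idp_mfa"):
    """Decide whether Y must still prompt for its own TOTP after a federated login.

    policy="trust_idp_mfa": skip Y's TOTP only when X's assertion shows a second factor.
    policy="always":        what the original poster asks for; Y always prompts.
    """
    if login.issuer not in account.linked_issuers:
        # A token from a provider the user never linked is not a login at all.
        raise PermissionError(f"issuer {login.issuer} not linked to this account")
    if not account.totp_enabled:
        return False  # no local second factor to enforce
    if policy == "always":
        return True
    # Bypass only when the provider attests that a second factor was used.
    return not (set(login.amr) & SECOND_FACTOR_METHODS)

if __name__ == "__main__":
    acct = LocalAccount(totp_enabled=True, linked_issuers={"https://idp.example"})
    pw_only = FederatedLogin("https://idp.example", "user-1", ["pwd"])
    pw_totp = FederatedLogin("https://idp.example", "user-1", ["pwd", "otp"])
    print(require_second_factor(acct, pw_only))                    # True: X had no 2FA, so Y prompts
    print(require_second_factor(acct, pw_totp))                    # False: X's second factor is trusted
    print(require_second_factor(acct, pw_totp, policy="always"))   # True: Y prompts regardless
```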