To be clear there are MFA solutions that are less susceptible to easy phishing, such as FIDO (Fast Identity Online), but they are not as widely deployed as the solutions that are more susceptible. There are no published figures on this, but I bet that over 90% of all MFA is susceptible to easy phishing. government is telling its agencies, and really, the whole world, “Stop using any MFA solution that is overly susceptible to phishing, including SMS-based, voice calls, one-time passwords (OTP) and push notifications!” This describes the vast majority of MFA used today. In a related clarifying follow-up memo ( ) it states, “For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.” President Biden’s recent executive order (EO 14028), among many things, asked all agencies to develop zero trust architectures, which most security experts welcomed. Roger Grimes, with videos from Kevin Mitnick, answers the question: Why Is the Majority of Our MFA So Phishable?

This post is currently awaiting approval by the moderators of r/ProtonMail before it can appear in the subreddit. You judge whether they are engaging in heavy-handed moderation. And I'd already opened a case with my InfoSec team, anyway.

Following on from this discussion, which seems to have inspired the creation of this new community, here's a copy of a post on r/ProtonMail from 7 months ago that is still awaiting approval.
#PROTON EMAIL TECH SUPPORT MOD#
I do thank /u/Nelizea, the r/ProtonMail mod who attempted to help me while not approving my post, but shoving a world-wide problem with a major malware protection service back onto the shoulders of an individual user so we can play whack-a-mole with our individual InfoSec departments is not a good solution. I will add, if this post fails to meet the standards for content on r/ProtonMail, what good is that sub? I would have reached out to Proton's customer support team directly, but I couldn't because the domain is blocked. I can live without their VPN service, but I need access to email. Proton should allow their customers who utilize email to continue to still access it with. This impacts any organization that blocks users from the Personal VPN category.

Because now forwards to, all the other products get caught up in that category. The linkage of all Proton products under one domain,, means that Umbrella/OpenDNS now categorizes as Personal VPN instead of email. It would be ideal if Proton would stop forwarding (which is not blocked) to (which is) until the dust settles and big InfoSec figures out the new, weird domain isn't bullshit.

Further information I've found since then: This is one of the major enterprise malware prevention providers and I imagine the block will impact a lot of people who need to access their personal email on networks and/or devices managed by others. Submit all bug reports as per the procedure/button here:

EDIT: STATUS 6/9/22: Protonmail has confirmed that it has reproduced the "inaccurate sent version" issue and has opened an internal ticket on this. Please know this bug exists and is not being addressed. Present Status: Protonmail REFUSES to open a bug on this because it does not happen every time. I sent screenshots of both to Proton with affected sections clearly noted. However, an INACCURATE version of that email remains in the Sent folder.
Below that response is shown the ACCURATE version of my email (including the last 2 mins of changes). Issue: The last couple minutes of edits (last 2 minutes approx) are NOT reflected on the email retained in Sent.

Bug evidence: Later, an email response came back. My original post in r/protonmail was not published timely (and also was a bit disorganized) so I'm posting this here for clarity and also to try to get traction so that Proton will at least open this as a known bug.

Draft email underwent about 30 minutes of edits in web client before sending.