Proton Authenticator logs full TOTP secrets in plaintext

anonymous383 · August 4, 2025, 7:41pm

mods on r/privacy removed the post

reply from Proton team:

Thanks for reporting this, this is an oversight in our iOS app, it should only log the entry ID and not the secret (this is the way it is done in our Android app). This will be changed in the next version of the app.
This is fixed in 1.1.1, which is live on the App Store

faxe · August 4, 2025, 7:46pm

Already discussed here

anonymous383 · August 4, 2025, 7:53pm

the links post is now removed in the thread u linked, mine contains archive, mods here can merge post if they want, but needs to raise awareness in separate thread so people can update.

KevPham · August 4, 2025, 9:07pm

A post was merged into an existing topic: Introducing Proton Authenticator: Secure 2FA, your way

Topic		Replies	Views
Ente Auth vs Proton Authenticator — unclear points about local backup encryption Questions software	17	1889	November 7, 2025
The Proton Authenticator security model General	0	396	October 29, 2025
Are you all using proton stuff? Can we trust to register your entire private life to them? Questions	49	5568	November 19, 2025
Proton Launches Beta Access for Proton Pass CLI News	0	139	November 25, 2025
Why not use a 2FA authenticator who sync to a third-party cloud sync/backup service? Questions	3	680	December 1, 2025

Proton Authenticator logs full TOTP secrets in plaintext

Related topics