Proton Authenticator: Don't you want diversification?

When Proton released its new authenticator in July 2025, I had mixed feelings about it. A new authenticator app, although there are plenty of viable, secure, privacy-respecting and well-maintained alternatives?
When did you, as an ordinary user, trust all your secrets, mail, VPN, passwords, 2FA and so on, to one company, and what happened next?

Just to be upfront: I do not have anything personally or technically against Proton Authenticator. It is way newer and better maintained than the old Twilio Authy some people are using. But there is something more to this.
There is an English saying: Don’t put all your eggs in one basket. That applies to investments, where it is called diversification, and it applies just as well to relying solely on one company for your communication and secrets.

The last time most of us trusted one company with our whole digital life, it was probably Google. We had our mail there, our calendars, we shared private stuff on Google+ - Google+, can you remember? - and then there is Google Authenticator and Search, YouTube, etc. Effectively, your digital life was on Google. You created a vendor lock-in yourself.

And now we want to do the vendor lock-in again and think it will be different?

There might be people saying that this time things are different. Proton is based in Europe. Argh, no they are not. Proton is based in Switzerland and that is not inside the European Union. Furthermore, everything is encrypted and Proton does not know shit about what is inside your communication, people say. Well, in 2019 it turned out Proton lied about logging [1]. You trust your digital guts to Proton - I mean using a VPN for privacy reasons, or using encrypted email, or a password manager - and then they hand over logs, metadata and more. Not the nicest move. Let us just leave it at that.

Wouldn’t you be better off diversifying your tools across different providers, different countries and jurisdictions, and maybe also self-hosting some of them?

You do not want to create a single point of failure (SPOF) for your communication and secure data, so do not create one by using just one provider for everything.
