Two-Factor Authentication Is Not a Silver Bullet
Two-factor authentication (2FA) reduces account takeover risk substantially. Microsoft's own telemetry has indicated that enabling MFA blocks over 99% of automated credential-stuffing attacks. That figure gets cited constantly — and for good reason. But the headline statistic obscures a messier reality: not all 2FA implementations are equally secure, and the authenticator app sitting on an employee's phone can itself become an attack surface. Proton recently launched Proton Authenticator, a free, open-source time-based one-time password (TOTP) app available on Windows, macOS, Linux, iOS, and Android. It generates the six-digit codes used to verify identity at login — the same mechanism underpinning Google Authenticator, Microsoft Authenticator, and Authy. What distinguishes Proton's offering is its architecture: end-to-end encrypted sync, no advertising, no tracking, and a publicly auditable codebase. A Proton account is optional and only required if you want codes to sync across devices. For individual users, this is welcome news. For businesses evaluating their identity security posture, it raises a broader question worth examining properly: what actually separates a secure authenticator from a liability?
What Is TOTP and How Does Proton Authenticator Work?
TOTP stands for Time-Based One-Time Password. It is a standardised algorithm (RFC 6238) that combines a shared secret key with the current Unix timestamp to generate a short numeric code that expires every 30 seconds. When you scan a QR code during 2FA setup, you are transferring that shared secret into your authenticator app. From that point forward, both your app and the service's server independently generate the same code at the same moment — if they match, authentication succeeds.

Proton Authenticator works on this same principle. Setup involves installing the app and scanning the QR code presented by whichever service you are securing; the app then begins generating time-synced codes immediately. No account is required for local-only use. If a user wants codes accessible across multiple devices, they can create a free Proton account to enable encrypted sync — Proton's architecture means even Proton itself cannot read the synced data.

The open-source aspect matters here. Because the code is publicly available for inspection, independent security researchers can verify that the app does what it claims. Closed-source authenticators ask users to trust the developer's word alone.
Why the Authenticator App Itself Can Be a Threat Vector
The security community spent years convincing organisations to adopt 2FA. The next conversation — one that is arriving faster than many IT teams are ready for — is about the integrity of the 2FA layer itself.

Consider the threat model. An attacker who compromises your authenticator app does not need your password. They already have everything they need.

This is not theoretical. In 2022, LastPass suffered a breach in which the threat actor targeted a senior engineer's home computer and compromised their corporate vault credentials. The attack vector was the endpoint, not the perimeter. Authenticator apps stored on compromised devices face the same exposure.

Beyond device compromise, there are structural risks in how authenticator apps handle data:

Cloud sync without end-to-end encryption means your TOTP secrets may be readable by the app vendor, or exposed in a vendor breach. Several popular authenticators historically stored backup data in plaintext or with server-side encryption only — meaning the vendor held the decryption key.

Closed-source code prevents independent verification of security claims. An app can assert it does not track users or log secrets without any mechanism for external validation.

Permission overreach is common in mobile authenticator apps. An authenticator needs no access to your contacts, location, or microphone — yet some request these permissions.

For businesses, the practical risk is this: an employee using a poorly architected authenticator is one compromised phone away from full account exposure, regardless of whether that account has 2FA enabled.
What Businesses Should Actually Evaluate in a 2FA Solution
Individual authenticator apps like Proton Authenticator serve personal use cases well. For organisations, the evaluation criteria expand significantly.

First, TOTP is not the ceiling of MFA security. It is a baseline. SMS-based 2FA is weaker still — SIM-swapping attacks have been used to bypass SMS codes in targeted attacks against high-value accounts, including executives and finance personnel. TOTP apps represent a meaningful step up. Hardware security keys (FIDO2/WebAuthn) represent the current gold standard for phishing-resistant authentication — they cannot be intercepted by a man-in-the-middle attack in the way TOTP codes can.

Second, centralised identity management matters at scale. Individual authenticator apps work for individuals managing their own accounts. In an enterprise environment, you need visibility into which accounts have MFA enabled, which do not, and who is accessing what from where. That requires integration with your identity provider, not a standalone app.

Third, MFA fatigue attacks are a documented threat. Attackers bombard users with repeated authentication push requests, betting that the user will eventually approve one to stop the interruptions. Microsoft's identity team documented this technique being used by Lapsus$ in 2022. The defence is number-matching or context-aware authentication — features that basic TOTP apps do not provide.

Fourth, 2FA alone does not protect against all credential theft vectors. An attacker who steals a session cookie after successful authentication bypasses MFA entirely. This is how many modern phishing toolkits operate — frameworks like Evilginx act as a reverse proxy, forwarding credentials and MFA codes in real time while simultaneously harvesting the authenticated session token. Your 2FA was technically successful. The attacker still got in.
The Bigger Picture: Identity Is Now the Primary Attack Surface
Verizon's 2024 Data Breach Investigations Report found that credentials remain the most common entry point in confirmed breaches. Over 80% of hacking-related breaches involved stolen or brute-forced credentials. These figures have been consistent for several years running.

The shift in attacker behaviour reflects where defences have concentrated. Perimeter security has improved. Endpoint detection has matured. So attackers have moved up the stack, targeting identity because it is the path of least resistance. A valid set of credentials — particularly those belonging to a privileged account — grants an attacker legitimate-looking access that many security tools will not flag as anomalous.

This is why identity security cannot be reduced to 'has the user got 2FA turned on.' It requires understanding the full authentication chain: how credentials are stored, how sessions are managed, whether phishing-resistant authentication is in place for high-risk roles, and whether suspicious authentication events are being monitored in near-real time.

For UK businesses in particular, the ICO has made clear that inadequate access controls constitute a failure of appropriate technical measures under UK GDPR. A breach resulting from weak or absent MFA is not just a security failure — it carries regulatory exposure. The same principle applies in New Zealand under the Privacy Act 2020, where organisations are expected to implement reasonable security safeguards proportionate to the sensitivity of the data they hold.
How Proton Authenticator Fits Into a Broader Security Strategy
For individuals, IT staff managing personal accounts, or small teams without a centralised identity provider, Proton Authenticator represents a well-architected choice. The end-to-end encrypted sync addresses one of the most legitimate criticisms of cloud-backed authenticators. The open-source codebase allows for external scrutiny. The absence of advertising and tracking removes incentives that have historically led app developers to monetise user data in ways that conflict with security.

That said, it is a point solution. It secures TOTP generation for the accounts it is configured to protect. It does not provide visibility across an organisation, enforce MFA policies, detect anomalous authentication behaviour, or protect against session hijacking.

For organisations, Proton Authenticator is a sensible component within a defence-in-depth strategy — particularly relevant for employees who want a trustworthy personal authenticator for non-corporate accounts. It should not be mistaken for an enterprise identity solution.

The key takeaway is that 2FA app choice matters, but it is one decision within a much larger identity security architecture. Choosing an app with strong privacy properties is a good decision. Building an organisation-wide identity security programme requires considerably more.
Strengthen Your Identity Security Posture
If your organisation is evaluating its authentication and identity security, the authenticator app is the least of your concerns. The more pressing questions are: which accounts lack MFA entirely, whether your email and cloud platforms are protected against credential-based attacks, and whether your security operations team has the visibility to detect suspicious login behaviour before it becomes a breach. Coro's unified security platform, which Kyanite Blue deploys for UK businesses, provides exactly this kind of visibility across email, endpoints, and cloud applications. Coro can identify accounts without MFA, flag suspicious sign-in events, and protect against the email-based phishing attacks that are most commonly used to harvest credentials in the first place. For UK organisations concerned about credential theft and account takeover, Coro closes the gap between having 2FA turned on in principle and knowing it is actually working as intended. Find out more about Coro at /products/coro. For businesses in New Zealand and Australasia, ESET's enterprise endpoint protection provides strong credential and identity threat detection at the endpoint level, catching the malware and keyloggers that compromise the devices where authenticator apps live. See the ESET offering at /products/eset. If you want to understand your organisation's current exposure to credential theft and account takeover, start with a free security assessment. Our team at Kyanite Blue Labs can identify the gaps in your authentication architecture and recommend targeted improvements — without a sales agenda attached. Get in touch at /contact or run a quick self-assessment at /igaming-checker.
Protect Your Business
The threats described in this article are real and ongoing. Kyanite Blue provides the security solutions that prevent these attacks — from endpoint protection to data exfiltration prevention.
Frequently Asked Questions
Is Proton Authenticator safe to use for business accounts?
Proton Authenticator is a well-architected TOTP app with end-to-end encrypted sync and an open-source codebase, making it a trustworthy choice for individuals and IT staff managing personal or low-risk accounts. For corporate accounts requiring centralised MFA policy enforcement, visibility, and anomaly detection, a dedicated enterprise identity solution integrated with your identity provider is more appropriate.
Can 2FA be bypassed by attackers?
Yes. TOTP-based 2FA can be bypassed through real-time phishing proxies (such as Evilginx) that intercept codes as they are entered, through MFA fatigue attacks that trick users into approving fraudulent push requests, or through session cookie theft after a successful authentication. Phishing-resistant hardware keys using FIDO2/WebAuthn are the most reliable defence against these techniques.
What is the difference between TOTP and push-based MFA?
TOTP (Time-Based One-Time Password) generates a short numeric code in an authenticator app that expires every 30 seconds. Push-based MFA sends a notification to a mobile device asking the user to approve or deny a login attempt. TOTP is generally considered more secure against MFA fatigue attacks, though neither method is as phishing-resistant as hardware security keys using the FIDO2 standard.