Yubikeys are one of the few forms of 2FA that are highly resilient to being phished. Google has not only an option to restrict SMS 2FA, but an additional one below to restrict “all 2FA options except security keys” in GSuite.
It has been known for some time that TOTP 6 digit codes are easy to intercept. SMS Codes can also be intercepted, or gained via SSB7 vulns/ SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.
To intercept and exploit MFA in ProtonMail would absolutely trivial for a skilled single person to do. DNS poisoning + this github library would be all you needed: https://github.com/kgretzky/evilginx2
That does not really answer my question. Why does missing support for Yubikeys "suggest [that] something very very scary going on at the organization"? Supporting Yubikeys is probably already in their list of planned features. But ProtonMail is a relatively small company and the user base requesting that feature might be relatively small. Yes, security is one of their top-most priorities but so is earning money. The latter requires a large paying audience where other features might be more important.
It’s such an oversight that to quote someone from early 20th century ... “is this stupidity or is this treason”.
Not doing this was a deliberate choice. The benefits of implementing it outweigh at maybe a dozen orders of magnitude not implementing it.
The very scary thing btw is simple. They were bribed the same way the WordPress Core Contributors have been for years.
Let me discuss this quickly, and I’m happy to name names in a separate posting (Gary Pendergast out of Australia is going to jail though along with another America dev). That being said please review this discussion where several core contributors admit to not even reading an extremely important path from arguably one of the best PHP developers in the world (certainly in terms of security): https://core.trac.wordpress.org/ticket/39309
It has been known for some time that TOTP 6 digit codes are easy to intercept. SMS Codes can also be intercepted, or gained via SSB7 vulns/ SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.
To intercept and exploit MFA in ProtonMail would absolutely trivial for a skilled single person to do. DNS poisoning + this github library would be all you needed: https://github.com/kgretzky/evilginx2
EDIT: replaced quotemark with asterisk