Updated 10/6/2025
I purchased a Yubico "Security Key NFC (USB-A)" to use with Proton Mail. According to reference [2], this device is compatible with Proton Mail. However, to install it on Proton Mail, you first have to enable Two-Factor Authentication (2FA), which requires a device with OATH-TOTP (Time-based One-Time Password) [1], and this device is not compatible with OATH-TOTP [3] (catch-22).
This is probably the reason that 2FA has already been enabled in Yubico's instructional video on setting up with Proton Mail. What Yubico does not inform you of is that instead of purchasing their 5 series key, which is OATH-TOTP compatible, at twice the price, you can use third-party software to get the six-digit OATH-TOTP code that enables 2FA on Proton Mail.
I used oathtool [4,5,6], but many others are available [7].
To install oathtool on Debian and its derivatives [4]:
sudo apt install oathtool
After it is installed, follow the instructions in reference [8] and below:
Go to your Proton account, click on the "Setting Icon", then "All settings", then "Account and password", then "Authenticator app".
After entering your Proton password, you will see a QR code. Choose the option "Enter key manually instead". Copy the code to your clipboard and enter it when you run oathtool as shown below [4]:
Open a terminal window and enter the following:
oathtool -b --totp 'Code_from_Proton'
Where 'Code_from_Proton' should be what you copied to your clipboard.
This will produce a six-digit code that you will enter into Proton to enable 2FA.
Go back to Proton Mail. Hit "next" and enter the six-digit code and hit "Submit".
This will produce 16 backup codes for getting into your Proton Account without your hardware security key. Be sure to hit the "download" button. This will save the codes as plain text in your download directory. You will use one of them in setting up your Yubico key. Each code can only be used once.
You have now successfully set up Proton's 2FA.
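What `oathtool -b --totp` computes, written out as an added Python example (not from the original post or from oathtool's source): RFC 6238 TOTP with HMAC-SHA1, a 30-second step and six digits. The function names and the key clean-up (spaces, lowercase, missing padding) are assumptions of this example, and the key is read from a hidden prompt so it stays out of shell history.

```python
import base64
import getpass
import hashlib
import hmac
import struct
import time

# RFC 6238 published test key ("12345678901234567890" in base32), not a real secret.
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_key(key):
    """Decode a hand-copied base32 key; tolerate spaces, lowercase, missing '='."""
    cleaned = "".join(key.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty key")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)      # raises ValueError on non-base32 input


def totp(key, now=None, step=30, digits=6):
    """Return the TOTP code for `key` at Unix time `now` (default: current time)."""
    secret = decode_base32_key(key)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(now=None, step=30):
    """Seconds until the current code rolls over to the next one."""
    return step - int(time.time() if now is None else now) % step


if __name__ == "__main__":
    # Self-check against the RFC 6238 vector for T = 59 before trusting the output.
    assert totp(RFC_TEST_KEY, now=59) == "287082"
    key = getpass.getpass("Key from Proton (input hidden): ")
    print(totp(key), "valid for", seconds_remaining(), "more seconds")
```

If the code is rejected, check the computer's clock first: the code depends only on the key and the current 30-second window.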
Now, to set up Yubico's Security Key, follow the instructions in reference [9] and below:
Click on "Secure Key"; it will again prompt you for your password. Hitting "continue" will again prompt you for a TOTP code. Choose the option to use one of your backup codes, and enter one of your 10 backup codes.
The rest of the instructions are straightforward.
My hope is that this saves you the frustrations that I went through as a first-time user of a Yubico security key.
You would think that identity authentication would be of supreme importance in transactions that involve the transfer of money. However, as of August 2025, the retail giant Amazon does not support identity authentication via FIDO2/WebAuthn [1]. Currently, I am unable to determine if Amazon supports OATH-TOTP. However, there is hope. Amazon Web Services (AWS) does support it. eBay is rolling out support, but not every user has it. Financial institutions such as banks, stockbrokers (Charles Schwab) and others do not support FIDO2/WebAuthn [1].
Fast ID Online (FIDO) [2]
The main backers in the FIDO Alliance are Google, Microsoft and Apple [3,4].
On the positive side, the UK Government has joined the FIDO Alliance. By the end of 2025, all UK Government services are expected to switch from passwords to passkeys [5,6].