Part IV of our Proton series: VPN, password manager, and authenticator that actually protect you

This is the fourth article in a series based on our book, The Complete Guide to Proton Services: A Technical Overview. In Part I, we covered Proton's foundation. In Part II, we looked at Mail, Calendar, and Meet. In Part III, we covered Drive, Docs, and Sheets. Now we're tackling the security layer: VPN, Pass, and Authenticator.

Your ISP sees every website you visit. Your password manager might be storing credentials in a way its own employees can access. Your 2FA app lives on a phone you could lose tomorrow — and with it, access to everything.

Part IV of the Proton stack — Proton VPN, Proton Pass, and Proton Authenticator — addresses all three. Same zero-access architecture. Same Swiss jurisdiction. Same open source verification. But applied to your connection, your credentials, and your second factors.

Here's how it works.

Proton VPN: Your ISP Shouldn't Know Where You Go

Your internet service provider sees your traffic. Every domain, every request, every byte. They can — and many do — sell that data, use it for targeted advertising, or hand it over when asked. A VPN encrypts the pipe. Your ISP sees encrypted traffic to a VPN server. That's it.

Proton VPN does that, and then some.

How it works

All traffic between your device and Proton's VPN servers is encrypted. WireGuard (fast, modern), OpenVPN (battle-tested), or IKEv2 (mobile-friendly) — your choice. Perfect forward secrecy means a compromised session key doesn't expose past traffic.

What your ISP sees: Encrypted tunnel to a Proton VPN server. They can't tell whether you're checking email, streaming, or browsing. They can't see domains, can't build a profile, can't sell your data.

What Proton sees: Connection metadata for troubleshooting — but they maintain a strict no-logs policy, verified by independent audits. No browsing history. No IP logging. No data retention. Swiss jurisdiction means they're outside Five Eyes and similar intelligence-sharing arrangements.

The features that matter

  • Kill switch — VPN drops? Your internet drops. No leak of your real IP. Essential on public Wi-Fi.
  • DNS leak protection — DNS queries go through Proton's servers, encrypted. Your ISP doesn't see what you're looking up.
  • Secure Core — Multi-hop routing through Switzerland, Iceland, or Sweden first, then to your destination. Extra layer for high-risk scenarios. Slower, but harder to trace.
  • Tor over VPN — Route through the Tor network for maximum anonymity. Access .onion sites. One click.
  • Split tunneling — Route only specific apps through the VPN. Keep local network access for printers, NAS, smart home. Or exclude bandwidth-heavy apps from the VPN.
  • 70+ countries — Servers optimized for streaming, P2P, or just raw speed.

Who this is for

  • Remote workers on coffee shop Wi-Fi — encrypt everything, kill switch as insurance
  • Journalists and activists in surveilled environments — Secure Core, Tor over VPN
  • Privacy-conscious users tired of ISP data harvesting
  • Travelers bypassing geo-restrictions or censorship

Expert tip: When to use Secure Core (and when not to)

Secure Core routes your traffic through a privacy-friendly country (Switzerland, Iceland, Sweden) before it reaches your destination server. Two hops instead of one. Proton's first server never sees your real IP; the destination server never sees your real IP. It's the strongest option for anonymity.

Use Secure Core when:

  • You're in a high-surveillance environment (repressive regime, corporate espionage risk)
  • You're accessing sensitive sources or uploading sensitive content
  • You're on an untrusted network and the stakes are high
  • You're doing anything where connection metadata could identify you

Skip Secure Core when:

  • You're just protecting your browsing from your ISP — standard VPN is enough
  • You need maximum speed — Secure Core adds latency
  • You're streaming or gaming — the extra hop can hurt performance
  • You're on a trusted home network and just want basic encryption

The rule of thumb: Secure Core for threat model, standard VPN for convenience. Most daily use doesn't need Secure Core. But when you do — journalism, activism, legal work, whistleblowing — it's there. One of us uses standard VPN for routine browsing and flips to Secure Core when accessing work systems from travel or when the network is sketchy. Know your threat model. Match the tool.

Proton Pass: Your Passwords, Sealed Shut

If your password manager can see your passwords, so can anyone who compromises that company. Most password managers hold the keys. Proton Pass doesn't. Zero-access architecture: your master password never leaves your device. Passwords are encrypted before sync. Proton's servers store ciphertext. They cannot decrypt it. Ever.

How it works

  1. You create a master password (or use your Proton account password)
  2. Keys are derived on your device
  3. Every password, note, and credential is encrypted locally before upload
  4. Sync happens with encrypted blobs only
  5. Decryption happens only on your device, when you need it

AES-256. Same standards as the rest of the Proton stack. Open source. Auditable.

The features that make it livable

  • Password generator — Cryptographically secure, customizable length and character sets. Pronounceable or random. Integrated into the extension and apps.
  • Auto-fill — Browser extension and mobile apps. Detects login forms, one-click fill. No typing passwords into phishing sites.
  • Breach alerts — Monitors Have I Been Pwned and similar. Alerts when an account is in a known breach. Change the password before attackers use it.
  • Secure notes — API keys, recovery codes, anything sensitive. Encrypted like passwords.
  • Credit cards and identities — Store and auto-fill. Same encryption.
  • 2FA storage — TOTP codes in Pass or in Proton Authenticator. Your choice.
  • Cross-device sync — Web, desktop, mobile, browser extension. All encrypted. All in sync.

Who this is for

  • Anyone with more than five accounts — Unique passwords per site, no reuse
  • Teams — Proton Pass for Business with shared vaults, permissions, audit logs
  • Privacy advocates — Passwords that even the password manager can't read

Expert tip: The breach alert blind spot

Proton Pass's breach alerts are powerful — they check your saved logins against known breach databases and notify you when something's compromised. But here's the catch: they only monitor accounts you've already added to Pass.

If you're migrating from another password manager, or if you have accounts you haven't imported yet, those accounts are invisible to breach monitoring. A compromised account you never added won't trigger an alert.

What to do:

  • Import everything first. When you migrate to Proton Pass, import your full vault. Don't leave accounts in the old manager "for later." Every account you delay is a gap in breach coverage.
  • Audit your existing accounts. Before relying on breach alerts, run a manual check: export from your old manager, compare against Have I Been Pwned (haveibeenpwned.com) if you're comfortable, then import the ones that need new passwords.
  • Add accounts as you create them. New service? Add it to Pass immediately. Don't let "I'll add it later" become a habit. Later never comes, and that's when breaches happen.
  • Use the password health dashboard. Proton Pass shows weak, reused, and compromised passwords. Run it after import. Fix everything it flags. Then breach alerts become your ongoing early warning system.

One of us migrated from another manager and discovered three breached accounts that had never been added to the new vault — they were still in the old app, unmonitored. The breach had happened months earlier. The fix: full import, health check, password changes. Don't assume "I'll add the important ones" is enough. Add everything.

Proton Authenticator: 2FA That Survives a Lost Phone

Traditional authenticator apps store 2FA codes on your phone. Lose the phone, lose the codes. Lose access to every account that required 2FA. Game over.

Proton Authenticator backs up your 2FA secrets — encrypted. Syncs across devices. You can restore on a new phone. But the backup is encrypted with your Proton password. Proton can't read it. You're the only one who can restore.

How it works

  • TOTP standard — RFC 6238. Works with Google, Microsoft, GitHub, banks, everything that supports authenticator apps.
  • QR code or manual entry — Add accounts the usual way.
  • Encrypted backup — Secrets encrypted on device, synced to Proton's servers. Ciphertext only. Keys derived from your password.
  • Cross-device — Add on phone, use on tablet. Lose phone, restore on new device. Same codes, same accounts.
  • Proton Pass integration — 2FA codes can live in Pass or Authenticator. Unified credential management if you want it.

Who this is for

  • Anyone using 2FA — Which should be everyone for email, banking, and critical accounts
  • People who've lost a phone and learned the hard way — Backup is the feature
  • Proton Pass users — Keep passwords and 2FA in one ecosystem, both encrypted

Expert tip: Test your backup before you need it

Proton Authenticator's backup is encrypted with your Proton account password. If you lose your phone, you restore on a new device by logging into Proton and re-adding Authenticator — your codes come back from the encrypted backup. Beautiful. If you know your password and if the backup actually works.

Here's the problem: Most people never test restore until they're in crisis. Phone gone. Panic. "Does this actually work?" Maybe. Maybe not. Maybe you typo'd something during setup. Maybe the backup failed silently. You don't want to find out when you're locked out of your bank.

What to do:

  • Restore to a second device now. Install Proton Authenticator on a tablet or old phone. Log in with your Proton account. Your 2FA codes should sync. Verify you can generate codes for a few critical accounts (email, bank). If it works, you know the backup is good. If it doesn't, fix it before you lose your primary device.
  • Know your Proton recovery options. If you forget your Proton password, you lose access to Authenticator backup. Make sure you have Proton's recovery methods set up — recovery phrase, recovery email, whatever they offer. Test that too. Your 2FA backup is only as recoverable as your Proton account.
  • Don't put all 2FA in one basket for critical accounts. For your most important account (usually email), consider a backup 2FA method — recovery codes printed and stored securely, or a second authenticator app on a different device. Proton Authenticator's backup is excellent, but defense in depth means not relying on a single recovery path.

A colleague once lost his phone with no backup. He had 2FA on his email. No backup codes. No second device. Account recovery took weeks of support tickets. He now uses Proton Authenticator, has tested restore twice, and keeps printed recovery codes for his email in a safe. Paranoia? Or the right amount of caution. You decide — after you've tested restore.

The Stack in Practice

Here's what this looks like when you put all three together:

Morning. You open your laptop at a coffee shop. Proton VPN auto-connects. Kill switch on. Your ISP sees a tunnel to Proton; they see nothing else. You log into work. Proton Pass fills the credentials. Proton Authenticator provides the 2FA code. All of it encrypted. All of it private.

Afternoon. You get a breach alert from Proton Pass. A shopping site you used years ago was compromised. You change the password — Pass generates a new one, saves it, done. Two minutes. Before an attacker could use the leak.

Evening. Your phone dies. Completely. You grab a backup device. Install Proton Authenticator. Log in with your Proton account. Your 2FA codes sync. You're back in. No support tickets. No lost accounts.

That's a full security layer — connection, credentials, second factors — without a single provider reading a single secret.

The Honest Trade-offs

  • VPN adds latency — Encrypted routing has a cost. Usually minimal. Sometimes noticeable. For most use, it's worth it.
  • Password manager migration is work — Export, import, verify. Plan an hour. Do it once.
  • Proton account = single point of failure — Lose your Proton password, lose Pass and Authenticator backup. Recovery phrase. Second factor. No shortcuts.
  • Authenticator backup depends on Proton — If Proton had a prolonged outage during a device loss, restore could be delayed. Unlikely, but possible. Printed recovery codes for critical accounts are the hedge.

These are real constraints. They're also the cost of not letting your ISP, your password manager, or your phone vendor own your security.

What's Next

This article covered Proton's security and privacy services: VPN, Pass, and Authenticator. Next up in Part V, we'll look at Proton Wallet — self-custodial Bitcoin with privacy built in.

If you want the full picture now — all 26 chapters, every service, every migration path, every technical deep dive — the book covers everything:

The Complete Guide to Proton Services: A Technical Overview — available on Kindle

Your connection, your passwords, and your 2FA don't need to be someone else's data.

Robert Bogart and Scott Haggard are experienced security professionals and the authors of The Complete Guide to Proton Services: A Technical Overview, available on Kindle Direct Publishing.

Disclaimer: The authors are independent security professionals and are not employed by, endorsed by, or affiliated with Proton AG. They have not received payment or compensation from Proton for this work and are not in contact with Proton regarding this publication. One author uses a Proton Visionary account and the other uses a Proton free account; both are regular users of Proton services. All opinions and analysis are based on publicly available documentation and the authors' independent research.