The problem would have been totally fixed by supporting the digital 2FA solution as Authy or Google Authenticator provide.
After that Telegram took implemented the double authentication using a password. Unfortunately typing the manual password is not a solution - it's a weak band-aid that doesn't solve the problem and can/will leak any time.
Why are manually remembered passwords bad? 1. Password needs to be sent quickly. So it's short. This is bad. 2. Password needs to be remembered. A simple and easy-to-remember password it a bad password. 3. If the password needs to be remembered, it is usually not unique and is being used elsewhere as well, involving yet another risk factor.
Therefore the perfect solution is to: 1. Generate long and unique passwords for each site. 2. Put all those passwords in the password manager. 3. Generate one long and unique password that is used only to open the password manager vault. Remember this password. 4. In addition, use a solid (non-SMS) 2FA method of authentication: 4a) either a physical key (not much use, currently) 4b) or a digital 2FA (basically the phone is being used as a physical key, with constantly changing passwords that the user doesn't have to remember)
I have been recommending Telegram to people from the very beginning (2013) on the basis of functionality. But I can't force myself to promote Telegram on the basis of security; and the lack of digital 2FA is the only technical problem I am having.
What is implementing the digital 2FA is about at its core?: 1. Walking the talk. Adhere to the mission statement and marketing ("secure messenger"). 2. Increasing the security. 3. Decreasing the expenses. According to the latest financial news, Telegram wants to get more money invested in it, of which a whopping 25% will go to user verification fees (SMS, calls)! Decreasing this group of expenses even a little bit would mean a lot of money. 4. Making Telegram user-friendlier. Being secure and easy to use (easier than currently) is possible!
So what needs to be technically done? 0. No need to get rid of the SMS functionality. It might be ok for some non-technical people. 1. Implement the digital 2FA like Authy or Google Authenticator. 2. This is super-important! Make a setting where one could choose the allowed and forbidden types of authentication. So security-minded people could turn the SMS option off altogether and make it impossible for baddies to force the sending of the authentication code via insecure SMS and its capture. Without this setting, implementing digital 2FA would not solve the core problem.
Yes, but just because you can log in via a Telegram Code, doesn't mean you have to. The attacker could get access to your SIM card, and select an option to get the code via an SMS message and not Telegram, and get access to your account. Look at the screenshot (from Telegram X), tapping the "Haven't received the code?" button will send the code via SMS.
The only solution is to get rid of phone numbers. the way iMessage allows you to de-register your number completely and use only an email address