* Allow U2F hardware keys as a method
* Allow configuring multiple independent methods (e.g. OTP + three U2F keys), just like GitHub does.
FIDO2/WebAuthn has largely superseded U2F, so I'd suggest looking into that instead. It's more widely supported at this point. For example, on Windows devices with a TPM + Windows Hello, Windows Hello can be used to authenticate with FIDO2.
I'll add the text of the multi-factor authentication setup screen here to make this suggestion easier to find:

Two-Step Verification
Change Password
Turn Password Off
Change Recovery Email
You have enabled Two-Step verification. You'll need the password you set up here to log in to your Telegram account.
I would go even further to provide an option of replacing SMS codes with 2FA authenticator app (e.g. Aegis) altogether. This would improve account security drastically.
Telegram is positioned as a secure messenger. But the lack of digital 2FA is a HUGE glaring hole in that image!
Over the years Telegram has had several security-related issues and scandals. Most of them were bogus, and the ones that weren't were fixed. With the notable exception of the SMS issue.
The problem would have been totally fixed by supporting a digital 2FA solution such as Authy or Google Authenticator provide.
After that, Telegram implemented double authentication using a password. Unfortunately, typing a manual password is not a solution - it's a weak band-aid that doesn't solve the problem and can/will leak any time.
Why are manually remembered passwords bad?
1. The password needs to be entered quickly, so it's short. This is bad.
2. The password needs to be remembered. A simple and easy-to-remember password is a bad password.
3. If the password needs to be remembered, it is usually not unique and is being used elsewhere as well, involving yet another risk factor.