* Allow U2F hardware keys as a method
* Allow configuring multiple independent methods (e.g. OTP + three U2F keys), just like GitHub does.
FIDO2/WebAuthn has largely superseded U2F, so I'd suggest looking into that instead. It's more widely supported at this point. For example, on Windows devices with a TPM + Windows Hello, Windows Hello can be used to authenticate with FIDO2.
I'll add the text of the multi-factor authentication setup screen here to make this suggestion easier to find:

> Two-Step Verification
> Change Password
> Turn Password Off
> Change Recovery Email
> You have enabled Two-Step verification. You'll need the password you set up here to log in to your Telegram account.
I would go even further to provide an option of replacing SMS codes with 2FA authenticator app (e.g. Aegis) altogether. This would improve account security drastically.
Telegram is positioned as a secure messenger. But the lack of digital 2FA is a HUGE glaring hole in that image!
Over the years Telegram has had several security-related issues and scandals. Most of them were bogus, and the ones that weren't were fixed, with the notable exception of the SMS issue.
The problem would have been totally fixed by supporting the digital 2FA solution as Authy or Google Authenticator provide.
After that, Telegram implemented double authentication using a password. Unfortunately, typing a manual password is not a solution; it's a weak band-aid that doesn't solve the problem and can/will leak at any time.
Why are manually remembered passwords bad?

1. The password needs to be sent quickly, so it's short. This is bad.
2. The password needs to be remembered. A simple and easy-to-remember password is a bad password.
3. If the password needs to be remembered, it is usually not unique and is being used elsewhere as well, involving yet another risk factor.
Therefore the perfect solution is to:

1. Generate long and unique passwords for each site.
2. Put all those passwords in the password manager.
3. Generate one long and unique password that is used only to open the password manager vault. Remember this password.
4. In addition, use a solid (non-SMS) 2FA method of authentication:
   4a) either a physical key (not much use, currently),
   4b) or a digital 2FA (basically the phone is being used as a physical key, with constantly changing passwords that the user doesn't have to remember).
I have been recommending Telegram to people from the very beginning (2013) on the basis of functionality. But I can't force myself to promote Telegram on the basis of security; and the lack of digital 2FA is the only technical problem I am having.
What is implementing digital 2FA about, at its core?

1. Walking the talk. Adhere to the mission statement and marketing ("secure messenger").
2. Increasing the security.
3. Decreasing the expenses. According to the latest financial news, Telegram wants to get more money invested in it, of which a whopping 25% will go to user verification fees (SMS, calls)! Decreasing this group of expenses even a little bit would mean a lot of money.
4. Making Telegram user-friendlier. Being secure and easy to use (easier than currently) is possible!
So what needs to be technically done?

0. No need to get rid of the SMS functionality. It might be OK for some non-technical people.
1. Implement digital 2FA like Authy or Google Authenticator.
2. This is super-important! Make a setting where one could choose the allowed and forbidden types of authentication, so security-minded people could turn the SMS option off altogether and make it impossible for baddies to force the sending of the authentication code via insecure SMS and its capture. Without this setting, implementing digital 2FA would not solve the core problem.