
SMS is dead. Messengers are spying on us. TOTP is the bare minimum for 2025.

Over the past few years, “Two-step verification” has turned into a marketing label. Formally it exists; in practice it’s often useless.
If your account is still protected by SMS or messenger codes, assume you don’t really have a second factor at all.

Let’s break down why.

 

Why SMS is no longer considered protection

SMS is not a security mechanism. It’s a relic of the telecom era. It was never designed as a secure channel.

Key problems:

1. SIM swapping is not exotic
SIM re-issuance via social engineering is routine. A passport, an “operator mistake,” or a bit of insider help is often enough.
Result: the attacker gets your number — and your codes.

2. SS7 and telecom infrastructure
Signaling networks were designed decades ago. SMS interception is possible without physical access to your phone.

3. The operator is a single point of failure
Roaming issues, blocks, outages — and you simply can’t log into your accounts.

4. No encryption
SMS is stored and transmitted in plaintext. Where, how long, and by whom — you don’t control it.

Bottom line: SMS is a convenience factor, not a security factor.

 

Messengers instead of SMS — even worse

Trying to “upgrade” SMS by switching to messengers is a classic case of a fake improvement.

To receive six digits, you’re asked to:

  • install a heavy app,
  • link a phone number,
  • hand over metadata,
  • depend on internet connectivity,
  • trust closed-source code.

This increases the attack surface rather than reducing it.

From a security standpoint, it’s pointless.
From a privacy standpoint, it’s actively harmful.

 

What fundamentally changes with TOTP

TOTP is not a product or a brand. It’s an open standard (RFC 6238).

The core idea:
👉 the code is not delivered — it’s generated locally.

What this means in practice:

  • No transmission channel → nothing to intercept
  • Offline operation → no dependency on operators or services
  • No phone number → less linkage to your identity
  • Predictable threat model → cryptography, not “the cloud”

The server and your device simply perform the same computation, knowing:

  • a shared secret;
  • the current time.

They don’t communicate. That’s the strength.

 

Important things almost nobody talks about

1. It’s not the code that protects you, it’s the secret

Six digits are just a representation.
If the secret key leaks, TOTP effectively stops existing.

Which means:

  • QR code = the key
  • screenshot = potential compromise
  • cloud storage = risk

If the secret leaks, reset 2FA immediately. No hesitation.

 

2. TOTP does not protect against proxy phishing

This is a fundamental limitation of the class.

If:

  • you enter the code on a fake site,
  • the attacker immediately reuses it on the real one,

TOTP can’t help you.

Therefore:

  • log in only via bookmarks or a password manager;
  • strictly verify the domain;
  • no “urgent email” is ever a reason to enter a code.

 

3. Backups are not optional — they’re mandatory

Lost your phone without backup codes → account lost.

The rule is simple:

  • write down backup codes;
  • store them offline or in a password manager;
  • don’t rely on “I’ll do it later.”

 

What to use in 2025

Minimum sane choice

  • Aegis (Android): open source, local encrypted backups
  • Built-in TOTP in iOS / password managers — acceptable

Use with caution

  • Google Authenticator with cloud sync
    (account compromise = loss of all factors)

Better than TOTP

  • WebAuthn / Passkeys / FIDO2
    Phishing-resistant by design.
    TOTP is the baseline. Passkeys are the next step.

 

Summary

  • SMS is dead as a security factor
  • Messengers are marketing disguised as protection
  • TOTP is the minimum acceptable level, not an “advanced option”
  • The main risks are user discipline, not the algorithm
  • The future belongs to phishing-resistant authentication

If a service in 2025 doesn’t offer TOTP or WebAuthn, that’s a red flag — not a “product choice.”

 

P.S.
If you’re explaining this to relatives or non-technical users, make them:

  • write down the secret / backup codes,
  • remove the phone as the single point of failure.

Otherwise it ends with support tickets, government offices, and lost access.

Oleg Filatov

As the Chief Technology Officer at EXMON Exchange, I focus on building secure, scalable crypto infrastructure and developing systems that protect user assets and privacy. With over 15 years in cybersecurity, blockchain, and DevOps, I specialize in smart contract analysis, threat modeling, and secure system architecture.

At EXMON Academy, I share practical insights from real-world experi...
