Over the past few years, “Two-step verification” has turned into a marketing label. Formally it exists; in practice it’s often useless.
If your account is still protected by SMS or messenger codes, assume you don’t really have a second factor at all.
Let’s break down why.
Why SMS is no longer considered protection
SMS is not a security mechanism. It’s a relic of the telecom era. It was never designed as a secure channel.
Key problems:
1. SIM swapping is not exotic
SIM re-issuance via social engineering is routine. A passport, an “operator mistake,” or a bit of insider help is often enough.
Result: the attacker gets your number — and your codes.
2. SS7 and telecom infrastructure
SS7 signaling was designed decades ago for a closed club of operators and has no real authentication between them. Anyone with access to the signaling network, bought, leased, or stolen, can reroute your SMS without ever touching your phone.
3. The operator is a single point of failure
Roaming issues, blocks, outages — and you simply can’t log into your accounts.
4. No encryption
SMS has no end-to-end encryption. The operator, every aggregator in the delivery path, and anyone with lawful-intercept access can read it; where it is stored, for how long, and by whom is not under your control.
Bottom line: SMS is a convenience factor, not a security factor.
Messengers instead of SMS — even worse
Trying to “upgrade” SMS by switching to messengers is a classic case of a fake improvement.
To receive six digits, you’re asked to:
- install a heavy app,
- link a phone number,
- hand over metadata,
- depend on internet connectivity,
- trust closed-source code.
This increases the attack surface rather than reducing it.
From a security standpoint, it’s pointless.
From a privacy standpoint, it’s actively harmful.
What fundamentally changes with TOTP
TOTP is not a product or a brand. It’s an open standard (RFC 6238).
The core idea:
👉 the code is not delivered — it’s generated locally.
What this means in practice:
- No delivery channel → nothing to intercept in transit (the code you type can still be phished; see below)
- Offline operation → no dependency on operators or services
- No phone number → less linkage to your identity
- Predictable threat model → cryptography, not “the cloud”
The server and your device simply perform the same computation (RFC 6238: an HMAC over the current 30-second time step, truncated to six digits), each knowing only:
- a shared secret, exchanged once at enrolment;
- the current time.
Nothing travels between them until you type the code. That's the strength.
Important things almost nobody talks about
1. It’s not the code that protects you, it’s the secret
Six digits are just a representation.
If the secret key leaks, TOTP provides no protection at all: anyone holding the secret generates exactly the codes your app does.
Which means:
- QR code = the key
- screenshot = potential compromise
- cloud storage = risk
If the secret leaks, re-enrol immediately: there is no way to invalidate codes without replacing the secret. No hesitation.
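The two points above (the computation the server and the device share, and the fact that the otpauth:// URI behind the QR code is the key itself) in working code. This is an added example, not code from the original article; it is pure standard library, the enrolment URI is a constructed one using the well-known "Hello!" demo secret, and the results are checked against the published RFC 4226 / RFC 6238 test vectors. The verifier class shows the two things a server must do beyond "compute the same six digits": accept a small window for clock drift, and never accept a time step at or below the last one it accepted, so a code is single-use and an old code cannot be replayed after a newer one.

```python
"""TOTP end to end: parse an otpauth:// URI (what a QR code contains),
generate codes the way an authenticator app does, and verify them the
way a server should (acceptance window, replay protection).
Standard library only; checked against the RFC 4226 / RFC 6238 vectors."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Extract the enrolment parameters from an otpauth:// URI.
    The 'secret' field is the whole security of the factor: whoever reads
    this URI (from the QR, a screenshot, a backup) generates every future code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)          # QR codes usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at) // period, digits, algorithm)


class TotpVerifier:
    """Server side. Accepts +/-window steps for clock drift, but never a step
    at or below the last accepted one: codes are single-use, and an older
    code cannot be replayed once a newer one has been used."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6,
                 algorithm: str = "SHA1", window: int = 1):
        self.secret, self.period, self.digits = secret, period, digits
        self.algorithm, self.window = algorithm, window
        self.last_step = -1

    def verify(self, submitted: str, now: float) -> bool:
        step = int(now) // self.period
        for cand in range(max(step - self.window, 0), step + self.window + 1):
            if cand <= self.last_step:
                continue                  # already used, or older than one already used
            expected = hotp(self.secret, cand, self.digits, self.algorithm)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step = cand
                return True
        return False


# Constructed enrolment URI (the public 'Hello!' demo secret, not a real account).
DEMO_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    conf = parse_otpauth(DEMO_URI)
    now = time.time()
    print(conf["label"], totp(conf["secret"], now, conf["period"], conf["digits"], conf["algorithm"]))
    # Anyone who captured DEMO_URI computes exactly the same six digits:
    print("clone:", totp(parse_otpauth(DEMO_URI)["secret"], now))
```

Note the design of `verify`: the window is there for clock drift, not convenience, and `last_step` is what turns "the right six digits" into "the right six digits, once". A server that skips the replay check accepts the same code twice within the window, which is exactly what a relaying attacker needs.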
2. TOTP does not protect against proxy phishing
This is a fundamental limitation of the class.
If:
- you enter the code on a fake site,
- the attacker immediately reuses it on the real one, within the same 30-second window (the server has no way to tell who typed it),
TOTP can’t help you.
Therefore:
- log in only via bookmarks or a password manager (autofill that refuses to fill is itself a domain check);
- strictly verify the domain;
- no "urgent" email is a reason to enter a code.
3. Backups are not optional — they’re mandatory
Lost your phone without backup codes → account lost.
The rule is simple:
- write down backup codes;
- store them offline or in a password manager;
- don’t rely on “I’ll do it later.”
What to use in 2025
Minimum sane choice
- Aegis (Android): open source, local encrypted backups
- Built-in TOTP in iOS / password managers: acceptable, with one caveat. Keeping the TOTP secret in the same vault as the password means a single vault compromise takes both factors.
Use with caution
- Google Authenticator with cloud sync
(whoever takes over the Google account gets every synced secret at once)
Better than TOTP
- WebAuthn / Passkeys / FIDO2
Phishing-resistant by design: the credential is bound to the site's origin, so a look-alike domain cannot even ask the authenticator for it, and there is nothing you could type that a proxy could relay.
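To make the contrast with the proxy-phishing limitation concrete: below is the relying-party side of a WebAuthn assertion check, as an added example that is not part of the original article and not the code of any particular library. The relying-party ID `example.com`, the allowed origins and the sign counters are assumptions for the demo. It builds the `clientDataJSON` the browser would produce and the `authenticatorData` the authenticator would return, then runs the checks a server performs before it even looks at the signature; the final ECDSA verification over `authenticatorData || SHA-256(clientDataJSON)` that a real verifier does last is not reproduced here, since it needs a crypto library outside the standard library. The relayed attempt fails on origin, and would fail again on `rpIdHash`, because the browser fills both in from the page the user is actually on.

```python
"""Why a passkey cannot be relayed through a look-alike site: the browser
writes the page origin into clientDataJSON, the authenticator binds the
credential to the RP ID, and the server checks both before the signature.
Standard library only; the ECDSA signature check that a real verifier
performs last is not reproduced here."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                                   # assumed relying party
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
FLAG_UP, FLAG_UV = 0x01, 0x04                           # user present / user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> bytes:
    """Server-generated, single-use, bound to this login attempt."""
    return os.urandom(32)


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """What the *browser* builds for navigator.credentials.get(). Neither the
    user nor the page script can change the origin it records."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """authenticatorData layout: sha256(rpId) || flags || 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    last_sign_count: int, require_uv: bool = True):
    """Return (ok, reason). Follows the order of the WebAuthn assertion
    verification steps up to, but not including, signature verification."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), b64url(expected_challenge).encode()):
        return False, "challenge mismatch (stale or relayed)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch: credential belongs to another RP"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok: now verify the signature over authData || sha256(clientDataJSON)"


def relay_attempt():
    """The proxy-phishing scenario replayed against a passkey. The attacker
    forwards the real challenge to the victim, but the victim's browser is on
    the look-alike domain, so the origin it records and the rpId the
    authenticator hashes both belong to the attacker's site."""
    challenge = new_challenge()
    legit = check_assertion(browser_client_data("https://example.com", challenge),
                            authenticator_data("example.com", 41), challenge, last_sign_count=40)
    phished = check_assertion(browser_client_data("https://example.com.evil.example", challenge),
                              authenticator_data("example.com.evil.example", 41), challenge, 40)
    return legit, phished


if __name__ == "__main__":
    for name, result in zip(("legitimate", "relayed via phishing site"), relay_attempt()):
        print(f"{name}: {result}")
```

The order matters: challenge, origin and `rpIdHash` are cheap checks that fail the relay before any key is touched, and the signature counter catches an authenticator that has been cloned. Compare this with the TOTP verifier, which has no field in which to record where the six digits were typed.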
TOTP is the baseline. Passkeys are the next step.
Summary
- SMS is dead as a security factor
- Messengers are marketing disguised as protection
- TOTP is the minimum acceptable level, not an “advanced option”
- The main risks are user discipline, not the algorithm
- The future belongs to phishing-resistant authentication
If a service in 2025 doesn’t offer TOTP or WebAuthn, that’s a red flag — not a “product choice.”
P.S.
If you’re explaining this to relatives or non-technical users, make them:
- write down the secret / backup codes,
- remove the phone as the single point of failure.
Otherwise it ends with support tickets, government offices, and lost access.