Telegram Adds Passkey Support, Still Requires Phone Number

Telegram has added support for passkeys, a secure and convenient sign-in method that can replace the SMS verification codes it sends at login.

Passkeys are public-key credentials: the private key is stored on your device (or synced to your other devices through a password manager using end-to-end encryption, E2EE) and is only ever used to sign a login challenge that is bound to the site's origin, while the service stores just the public key. That allows secure logins across devices without relying on SMS codes, which can be intercepted, phished, or blocked by an interruption in cellular service.

They're also just much more convenient than passwords. According to Microsoft, sign-in success rates jumped to 95% with passkeys from only 30% with passwords. I think most of us can relate to how annoying it is to hold onto the SMS notification while typing the code in, or to switch back and forth between apps to paste it.

Unfortunately, Telegram still requires a phone number to sign up, so the passkey replaces the SMS code at login but not the number behind the account. Still, it's great to see wider adoption of passkeys.

This brings Telegram in line with WhatsApp's passkey support. It would be good to see Signal incorporate passkeys too, as its current account system relies on a PIN for account recovery. I think passkeys would be much more convenient and secure.

SMS verification codes are easily phished, which has led to many people having their WhatsApp accounts taken over (this was before the introduction of passkeys, which remain optional there).

On top of the security issues, SMS verification costs Signal about $6 million per year. For a nonprofit, that's a big chunk of change spent on sending insecure SMS verification codes: almost half of the roughly $14 million in infrastructure costs cited in Signal's 2023 blog post.

On top of this, many countries have Know Your Customer laws for obtaining a phone number, so the number is tied to a verified legal identity. Requiring one and associating it with a messenger account is therefore a privacy risk even if the messages themselves are E2EE: the service, the carrier, and anyone who compromises either can link the account to a person.

It's a bit bizarre that so many messengers still insist on requiring a phone number. According to Signal:

Requiring phone numbers in Signal lets people see which of their friends they can easily talk to on Signal while limiting the potential for spam within the app.

The first reason should be optional. Users of a privacy-focused app such as Signal should have the option to choose whether they want to add a phone number and see which friends are on the app.

As for the second point, that's a tougher problem to solve. iOS and Android both already have device-integrity APIs (Apple's App Attest and DeviceCheck, Google's Play Integrity API) that can raise the cost of bulk bot registrations without identifying the user. Apps like SimpleX Chat sidestep the problem by making it impossible to contact someone out of the blue: you have to scan a QR code or accept an invite link first.

Several other messengers, such as Session, Threema, and Briar, operate just fine without asking for a phone number. Something tells me Signal, WhatsApp and Telegram could as well if they wanted to.

Whatever the answer is, I think the smart people working at Signal and WhatsApp can come up with a better solution than using phone numbers for anti-spam.

Phone-number requirements are similar to email requirements in that they provide very little security while allowing multiple accounts to be tied together. When the number is the only credential used to log in, or is accepted as a recovery method, it actively harms the security of your account: whoever can receive SMS for that number can take the account.

It's time we stopped using phone numbers for something they were never meant to be used for and adopted new approaches to account security, such as passkeys.
