2FA in Telegram is not everywhere we would like it to be

Two-step verification, an additional password on top of the SMS code, exists to protect an account from unauthorized access when the SMS with the login code has been intercepted or someone has obtained physical access to the SIM card.



Until recently the password was not requested anywhere except at login. That changed when Telegram added the ability to transfer a channel to another account, and now bot transfer as well. Not only do you have to meet the transfer criteria, for example having 2FA enabled for at least 7 days without changing the password, but you also have to re-enter the password when handing over channel ownership. And that's great!



Imagine my surprise when I decided to change the mobile number on my main account. Here are the steps: went into Settings, tapped Edit, tapped the number, confirmed the intention, entered the new number, entered the code that came by SMS to the new number, and that's it ...







Something is missing ... It's kind of too simple ... Oh, yes, where is the 2FA, like in the channel transfer? I have it turned on! It would be one thing if I weren't using it!



And here is what that means. Someone who gets hold of your device by forcibly pressing your finger to it or holding it up to your face can take your account away from you completely, without needing to know the password or having access to your old number.



Now no one can log into the account. After changing the number, the attacker closed all sessions on your other devices, leaving only the one he took. You cannot log into your account, because you need a code from an SMS sent to a number you do not know. The attacker cannot log in from another device either, since that requires the 2FA password, but he already has access to your account and needs nothing more!



Obviously, it would be great to add password confirmation when changing the number. This is not only the case of a phone unlocked by force; the scenario "handed the phone to someone to read a post" also loses you the account: they change the number and terminate all sessions, including the active one.
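To make the attack and the proposed fix concrete, here is a small model of the flow, added for this article. It is hypothetical code, not Telegram's backend or API: `Account`, `AccountService`, `send_sms`, `change_phone`, `terminate_other_sessions` and the phone numbers are all made up. The only difference between the two runs is the `step_up` flag, which is the password confirmation on number change that the text asks for.

```python
# Added illustration, not Telegram's code: a toy account backend in which an
# attacker holding the victim's unlocked phone (but not the 2FA password)
# changes the number. With step_up=False the number change needs only the SMS
# code sent to the NEW number, as described above; with step_up=True it also
# needs the 2FA password. All names and phone numbers are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    phone: str
    password: str                         # the 2FA (cloud) password
    sessions: Set[str] = field(default_factory=set)


class AccountService:
    """Hypothetical backend with SMS-code login and optional step-up auth."""

    def __init__(self, account: Account, step_up_on_phone_change: bool):
        self.account = account
        self.step_up = step_up_on_phone_change
        self.sms_outbox: Dict[str, str] = {}   # number -> last code "sent"

    def send_sms(self, phone: str) -> str:
        code = f"{secrets.randbelow(100_000):05d}"
        self.sms_outbox[phone] = code
        return code

    def login(self, phone: str, sms_code: str, password: Optional[str]) -> str:
        """New device: SMS code to the account's CURRENT number, then 2FA password."""
        if phone != self.account.phone or self.sms_outbox.get(phone) != sms_code:
            raise PermissionError("wrong number or SMS code")
        if password != self.account.password:
            raise PermissionError("2FA password required")
        token = secrets.token_hex(8)
        self.account.sessions.add(token)
        return token

    def change_phone(self, session: str, new_phone: str, new_sms_code: str,
                     password: Optional[str] = None) -> None:
        """Only the code sent to the new number is checked, unless step-up is on."""
        if session not in self.account.sessions:
            raise PermissionError("no active session")
        if self.sms_outbox.get(new_phone) != new_sms_code:
            raise PermissionError("wrong code for the new number")
        if self.step_up and password != self.account.password:
            raise PermissionError("2FA password required to change the number")
        self.account.phone = new_phone

    def terminate_other_sessions(self, session: str) -> None:
        if session not in self.account.sessions:
            raise PermissionError("no active session")
        self.account.sessions = {session}


def takeover_scenario(step_up: bool) -> dict:
    """Attacker has the victim's unlocked device and an existing session,
    but does not know the 2FA password. Returns what each side can still do."""
    owner = Account(phone="+10000000001", password="correct horse battery staple")
    svc = AccountService(owner, step_up)

    # The victim logged in normally on this device some time ago.
    victim_session = svc.login(owner.phone, svc.send_sms(owner.phone), owner.password)

    attacker_phone = "+10000000002"
    outcome = {"number_changed": False, "victim_locked_out": False,
               "attacker_can_login_elsewhere": False}
    try:
        svc.change_phone(victim_session, attacker_phone, svc.send_sms(attacker_phone))
        outcome["number_changed"] = True
    except PermissionError:
        return outcome                         # step-up auth blocked the change

    svc.terminate_other_sessions(victim_session)

    # The victim tries to sign in with the number they know: it is no longer
    # the account's number, and SMS for the new one reaches only the attacker.
    try:
        svc.login("+10000000001", svc.send_sms("+10000000001"), owner.password)
    except PermissionError:
        outcome["victim_locked_out"] = True

    # The attacker on a second device gets the SMS but lacks the password, so
    # this fails; it does not matter, the stolen session is still alive.
    try:
        svc.login(attacker_phone, svc.send_sms(attacker_phone), None)
        outcome["attacker_can_login_elsewhere"] = True
    except PermissionError:
        pass
    return outcome
```

`takeover_scenario(False)` reports the number changed and the victim locked out, `takeover_scenario(True)` reports neither. The legitimate owner is not inconvenienced by the step-up check, since they know the password and can still pass it to `change_phone`.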



Telegram has a mechanism for deleting an account when the mobile operator has reassigned the number to another owner and that number turns out to be registered with 2FA enabled. I faced this personally. I had 7 days to cancel the whole procedure. To cancel it, you need to enter the code from an SMS sent to a number I no longer had access to. The other option was to change the phone number to another one. I simply moved everything from that account to others, and ... it was deleted.



It is clear that asking for confirmation from the old number in order to change to a new one is a bad idea. It kills the solutions for various problem cases. Active sessions and 2FA should be the guarantor, and in general we need to get away from binding accounts to phone numbers, but so far there is nowhere to go ... Bot API 5.0 has just been released! Very juicy, special thanks for that, but in addition the ability to transfer bot ownership between accounts has been rolled out. And even though all of this is controlled through BotFather (the official bot), it manages to request 2FA! This type of inline button is not documented. When pressed, a window pops up asking for the password.

Screenshot: the password pop-up shown during bot ownership transfer




After looking at all these cases and seeing the different approaches within Telegram, there is only one thing to ask Pavel (@durov) ... Let's require 2FA confirmation not only at login and when changing the owner of a bot / channel, but also when changing the phone number and deleting the account.





Of course, what can we say about deleting an account without 2FA, when it can still be deleted simply by renaming the account to "Saved Messages".



Video: deleting an account by renaming it




My shortest article, so without the usual "thank you for reading this far."



PS Don't use Face ID or fingerprint scanners. Don't keep passwords in your head. Generate random ones and store them in a password manager. At least something, at least somehow. It will never be perfect.



PPS Thanks to Oleg for deleting two accounts for the video material in this article.


