Telegram has added support for passkeys, a secure and convenient sign-in method, replacing SMS verification codes.
What doe is this mean exactly for people who are changing phones or want to use a Telegram on a second phone?
If they are logged in on one phone, will they still require SMS verification to log in on the second?
I have raised this issue before.
It doesn’t make sense that you still need SMS verification to log in your Telegram account on a second phone, when that account is protected by password and an email address to verify your account.
I personally have never used a passkey. My computer is not compatible. I recently got a new phone which is compatible with passkeys, but admittedly, I am not comfortable having a single verification device. If I lose my phone, I’m screwed. 
You can always use software passkeys with your password manager. It’s not OS dependent.
Are you 100% sure it is not OS/device dependent?
I’ve always known that password managers support passkeys, including mine (1Password), but my understanding was that it only works if your device is compatible. Meaning that I can’t use passkeys with 1Password on my desktop to unlock my Google account, if my desktop doesn’t support passkeys.
Was I completely wrong about that?
It’s all very confusing, but I’m fairly sure that as long as your browser supports it, then an extension like 1Password should be able to store passkeys regardless of whether your OS supports them. That said, I STRONGLY discourage the use of software passkeys as they undermine some of the fundamental design goals of the FIDO2 standard by being exportable.
So you can install a password manager that supports passkeys on any device, and I believe browsers on every OS support passkeys so you can use them to log in to all your online accounts. But if you want to log in to a program that’s not in your browser via passkeys there needs to be OS support and I think currently Linux is behind there, although there is work being done on that front.
Can you explain what you mean here?
Depending on how you sign in, it is OS independent. Of course, exception is that it only works via browsers. If you want to log in to an app via a passkey, then it may not work as passkey will be stored in your password manager and your OS may not be able to make that work.
I personally also set up TOTP as a back up 2FA and never have passkey as my only log in method.
Thanks. With that being said, the following is still unclear:
@fria Do you know the answer to this?
I’m afraid I don’t use Telegram and am unfamiliar with it. While I understand some people may not be able to let it go for their own reasons, I always implore people to never stop finding ways to. It is truly a terrible app for your privacy and security. But I’m guessing you know that already.
According to the blog post, you don’t need SMS verification if you use passkeys:
Passkeys, Gift Purchase Offers and More .
But you still need a phone number.
I see. I look forward to testing this. If am able to log in on a 2nd phone without SMS verification, then this is great news. But if I still require it, I’ll be disappointed.
1000% agree.
I mainly use Telegram to keep up with certain news outlets and the development of certain apps who have a presence there.
I also have a few family members who are still on it, and it would be hard to convert them to Signal, which is my default messaging app.
If you only talk to certain people on Telegram and WhatsApp just a couple of times a year, they are highly unlikely to feel compelled to move to a new app for you. Especially if they know that you are still present on Telegram and WhatsApp.
Even if you follow Michael Bazzell’s advice to deliberately respond slowly on Telegram/WhatsApp and faster on Signal, to people you only talk to a couple of times a year, it is not going to matter. It will only matter if they have an emergency and need you, which is, again, unlikely. The family members I have on Telegram and WhatsApp don’t live in the same country as me, and I haven’t seen them in years.
Late to the party but passkeys have a great support:
I guess that a hardware one is even better because it pretty needs a basic USB support.
And from my experience, iOS + Android (even on GOS) + Linux + MacOS work flawlessly with them[1].
What an evil 
fancy 
practice.
PS: I just realized I faced the same treatment with a non-Signal user that replies super slowly on Signal but not on the other one, uh oh. 
I don’t know about Windows, haven’t spined such bad boi in a long time but probably works there too! ↩︎
I’m sorry. Yeah, that happens. IMO, the most significant factor in converting someone to Signal is your social capital. If you don’t care about privacy but the person who could get you your dream job is on it, you will join Signal. Same if people find your cool and interesting for whatever reason. It’s almost as if people have to be drawn to you for reasons that have nothing to do with privacy. If they don’t need you, if they don’t have strong positive feeling about you, IMO, your chances are very low.
It sucks, but to me that’s the reality. I feel like I have to increase my social capital in order for people to be receptive to my privacy messaging.
Time to open a OnlyPrivacy.com account 
or start streaming then. 
Money is meanwhile an easy one yes, but I think it’s hard to have a job person requiring you to join them on Signal, it’s usually the opposite: WhatsApp or alike. 
Not really sure we should call anything about telegram privacy news…
A lot of people use it, and they do offer optional E2EE chats. Plus it’s good to show off when they do something good so other messengers can follow I think.
Just to strawman telegram.
The only other alternative to tg/discord can be something nostr based, I wrote up a Readme here:
On matrix / element, you are trusting the server admin
https://infosec-handbook.eu/articles/xmpp-aitm/
And matrix has questionably security practices
Simplex is another option but I don’t see any business model that can work there, also its clogs client memory - and NO messenger app has feature parity with telegram.
Phone number is mostly a spam fighting trick, moderation is also a problem on simplex - also no discoverability.