Telegram authenticates using your phone number and an SMS code, making accounts vulnerable to SIM swapping. Two-step verification adds a full password as a second layer, protecting you even if someone intercepts your SMS code.
Enabling Two-Step Verification
- Open Telegram and go to Settings → Privacy and Security
- Tap Two-Step Verification
- Set a strong password (this is different from your phone PIN)
- Add a recovery email address
- Confirm your email via the link Telegram sends
Choosing a Strong Password
Unlike Instagram or Discord, which use codes, Telegram's two-step verification uses a full text password. Make it at least 12 characters. Store it in a password manager: losing it locks you out for 7 days.
What It Protects Against
Without two-step verification, anyone who can receive an SMS to your number can log into Telegram. With it enabled, they'd also need your verification password, a much harder barrier to overcome.
How Telegram's Two-Step Verification Differs from Standard 2FA
Standard TOTP-based 2FA uses a time-based code from an authenticator app. Telegram's two-step verification is different: it is a password you create that must be entered in addition to the SMS verification code Telegram sends when you log in on a new device. The SMS code confirms you control the phone number; the two-step password confirms you know the additional secret. Together, they prevent SIM-swap attacks from being sufficient to take over your account.
Choosing a Strong Telegram Two-Step Password
Your Telegram two-step verification password should be different from your phone unlock code and from any other password you use. Since you only enter it when setting up on a new device (not during normal use), you can make it quite long and complex. A passphrase of four or more random words is ideal: memorable enough to recall if needed but long enough to resist brute force. Consider storing it in a password manager as a backup.
What the Two-Step Verification Protects
Telegram's primary login mechanism is your phone number: you receive an SMS code to verify it. Without two-step verification, anyone who can receive SMS messages to your number (including someone who has SIM-swapped it) can log in to your Telegram account and read all your non-secret chats. Adding a two-step password means an attacker also needs to know that password, which they cannot obtain just from controlling your phone number.
Telegram Secret Chats vs Regular Chats and 2FA
Regular Telegram chats are stored on Telegram's servers and accessible from any device. Secret chats are end-to-end encrypted and device-specific; they do not sync across devices. Two-step verification protects access to your account and therefore your regular chat history. Secret chats cannot be read even by someone with full account access on a different device.
Forgetting Your Telegram Two-Step Password
If you forget your password and have a recovery email set up, tap "Forgot password?" and Telegram sends a reset link to that email. Without a recovery email, your only option is to wait 7 days, after which Telegram will allow you to log in without the password, but your cloud-stored chat history will be deleted for security. This is why adding a recovery email during setup is strongly recommended.