State Services Portal Expands 2FA, Shifting From SMS to Safer Methods

Logging into the State Services portal with a confirmation sent via SMS is the most convenient option, yet it is also the least secure method of authentication. This view was expressed by Viktor Chashchin, the business manager at Multifactor, in an interview covered by RIA News.

Starting October 1, the Gosuslugi portal made two-factor authentication mandatory for all users. This shift reflects a nationwide move toward stronger digital identity protections and aims to reduce unauthorized access caused by weaker login methods.

Chashchin notes that attackers can potentially intercept SMS messages. If a SIM card is lost or stolen, the attacker may gain access to the number that receives the verification codes, compromising security. This risk underscores the vulnerability of SMS-based verification in real-world scenarios.

As an alternative, the expert advocates using a one-time code generated by a dedicated TOTP (Time-Based One-Time Password) application. Codes produced in such apps are tied to a user’s device and cannot be intercepted remotely by fraudsters. Access is only possible if the attacker also has possession of the user’s phone with the app installed, making this method notably safer than SMS for many users.

Artem Geller, managing partner at Smena (AIC Group), notes that two-factor authentication offers a higher level of security than traditional single-step login processes. His assessment aligns with broader security best practices, which emphasize something the user knows, something the user has, and sometimes something the user is, to bolster protection against credential theft.

Meanwhile, a recent pilot in Moscow explored biometric payments for travel using local Muscovite cards. The trial highlights ongoing efforts to diversify verification methods beyond passwords and codes, signaling a broader trend toward biometric and device-based authentication in public services.

Experts agree that the evolution of online authentication on government portals is driven by the need to balance user convenience with robust security. SMS-based verification, while easy, remains vulnerable to interception and SIM swaps, creating a nontrivial risk for sensitive transactions. In contrast, TOTP-based methods and biometric options, when implemented properly, can significantly mitigate these risks. The ultimate goal is a seamless user experience that does not compromise identity integrity or data protection. (cite: Gosuslugi security advisory)
