One of the key features of something like Signal is not just security, but authentication: if I'm talking to my girlfriend over Signal and it tells me that her key suddenly changed, I stop talking to her, call her, and ask her what's up (and, to be fair, it's happened twice so far due to changing phones). It's supposed to stop a MITM attack, so that someone cannot pretend to be her and continue the conversation.
What will your Authian bot do, however, if the key changes? Will it happily continue communicating with the new, possibly malevolent recipient?
What vesak has said is partly correct. We are integrating IMs that have the most reach first.
We also investigated IMs where users are not registered to a particular number and we deduced that most companies would not want clients to authenticate themselves with accounts that are not attached to a number (when they already have such numbers available).
We stand to be corrected and would gladly integrate with other IMs where demand/interest exists.
I'm not sure about their reasons, but I would guess it's because the three messengers they support (Telegram, WhatsApp, WeChat) are significantly easier to integrate with, and have nearly a billion active users combined.
1) We plan on integrating TOTP into the Authian server so that TOTP can be used as an alternate option where no other IMs are supported by the end-user.
2) Using OTP over encrypted IM has less friction. Many other options require people to install "yet another app". TOTP is also not that well understood by the average person, whereas most people are already familiar with SMS-based authentication (which also has low friction, but is comparatively expensive).
3) TOTP can't do notifications of successful login attempts to the TOTP app, whereas OTP over IM offers this, as well as baking in other security enhancements as required by vendors (e.g. account recovery options).
With that said though, I would consider TOTP and OTP over IM to be complementary products.
Not sure if this is relevant, but TOTP via phone app doesn't work when a phone is experiencing NTP sync issues. At least, this is a problem which I experienced.
Part of our assurance that the product is good/reliable/secure is releasing the source code for people to determine that themselves.
We have no plans to rescind on this, although we would like people to join our newsletter so that we can reach them. By having a point of contact, we hope to build a product and form a community based on the needs of end-users (e.g. how the product is being used and how we can improve upon it).
If you joined the newsletter, we will be reaching you shortly.