by danogentili 816 days ago
This is also supported by Telegram, as well as sending codes via email (in select countries), see https://core.telegram.org/api/auth#code-types for the full list of authentication methods (which are chosen by the server, depending on the country of the user and some other heuristics).

Very interesting, thank you!

"Future auth token" sounds scary: So clients just allow users to log back into the app without any authentication on devices they've used previously!?

If a 2FA password is configured, it is still required in order to log in with a future auth token; however, even if it isn't set up, the fact that you have a future auth token means you have already logged in and then logged out on this specific device, so it's not a real issue (i.e. it's as if when logging out, you didn't actually log out but rather just hid the account in the UI; the future auth token is stored safely, in the same place as normal auth keys are + re-entering the 2FA password is still required).
But if no 2FA password is configured, does this mean that there is no way to truly log out of a given client?