Strengthening Protection: MAX Messenger Rolls Out Two-Factor Authentication

Growing Trust in the Messenger

MAX is available in the App Store, RuStore, and Google Play. As of September 17, more than 35 million people had registered with the national messenger. New users—or those signing in from unfamiliar devices—will automatically be prompted to enable 2FA. The feature can later be disabled in privacy settings.

For Russian citizens, 2FA provides stronger safeguards against account takeovers and fraud, ensuring the security of messages, calls, and file transfers of up to 4 GB. For government and corporate users, it creates confidence in deploying official scenarios inside MAX. Current government integrations include document signing via the GosKey service, scheduled for rollout on September 26, and access to the Gosuslugi state services portal, now in beta testing.

Secure Data Storage

Export prospects remain limited, since the app is tied to Russian and Belarusian phone numbers and deeply integrated with domestic government services. However, the addition of 2FA and quick login features strengthens competitiveness in the CIS and Eurasian Economic Union markets.

The built-in security systems of the national messenger have already blocked more than 70,000 SIM cards used by criminals to call our citizens. MAX is evolving rapidly, offering users ever more convenient services. Its development has always prioritized user comfort and security. What sets MAX apart is its deliberate and effective fight against fraudsters

Andrey Lipov

Head of Roskomnadzor (Russia’s federal communications regulator)

MAX is managed by VK’s subsidiary “Communication Platform,” with all infrastructure hosted in Russia—an assurance of reliable data storage and user protection. Next steps include expanding authentication options to biometrics and hardware keys, introducing unified SSO across VK and government platforms, and mandating 2FA for channel admins and organizational accounts.

Steady Modernization of MAX

Since August 2025, Russia’s Ministry of Digital Development has been testing one-time codes delivered via MAX for logging into Gosuslugi. These codes serve only as a second factor, with SMS still required for account recovery. When entering Gosuslugi, users receive the code from a bot called “Confirmation Codes.” The bot asks verification questions to ensure the login is not fraudulent. Suspicious responses trigger alerts instead of codes.

On September 10, 2025, VK announced that users of the VKontakte and VK Video apps could use MAX for fast logins instead of SMS. As of mid-September, nearly one million Russians had connected MAX as their second authentication factor for Gosuslugi logins, with each user already employing the feature multiple times.

Global Context

The push to improve messenger security is global. In 2023, WhatsApp strengthened account protection with Device Verification, Account Protect, automatic code checks, and “Device Confirmation” to prevent unauthorized use. In 2025, Telegram introduced third-party verification to counter scams, allowing external services to issue authenticity badges to accounts and chats.

Toward Better Cyber Hygiene

The launch of 2FA in MAX marks an important step toward improving user trust and overall cyber hygiene. It will deepen integrations with government services and corporate systems. In the next three to six months, growth in 2FA adoption is expected, along with stronger SSO integration and legally significant functions such as digital ID and contract signing via GosKey.

Risks remain, including criticism over mandatory linkage with government infrastructure and the requirement for local phone numbers. To address these concerns, transparent security reports and independent audits will be essential.