Anton Gorelkin, deputy head of the IT Committee in Russia’s State Duma, rejected plans to make Max the compulsory channel for confirming ”significant actions” on the internet. He described attempts to enforce Max as artificially creating negative sentiment around the service and emphasized that industry stakeholders do not support such a scheme. Gorelkin stressed that users should retain the freedom to choose their verification methods, and two-factor authentication (2FA) shouldn’t be tied exclusively to a single app.
Why Max is unlikely to become mandatory for 2FA in Russia
According to Gorelkin, the requirement to use Max for all 2FA instances is unlikely to materialize. He cited opinions from cybersecurity experts and industry insiders who agree that mandating Max as the universal platform for 2FA across Russian digital services is a bad idea. He also criticized the technical approach involved: static confirmation codes, like those Max reportedly uses, are far weaker than one-time TOTP codes generated by authenticator apps-which have long been the gold standard for protecting sensitive accounts.
Alternative two-factor authentication methods recommended by experts
As alternatives, Gorelkin recommended traditional 2FA methods such as SMS codes, push notifications, messenger apps, and dedicated password generator apps. These options align better with global 2FA practices on major platforms. Notably, Google, Microsoft, and Apple have been moving users away from SMS-based authentication due to its vulnerability to interception and SIM swapping, favoring authenticator apps and passkeys instead.
Context of Russia’s anti-fraud measures and Max’s role
The discussion was sparked by reports suggesting Russia’s Ministry of Digital Development (Ministry of Digital Transformation) might include Max or SMS-based confirmation in a third wave of anti-fraud measures. The ministry itself has denied plans to enforce such strict requirements. The debate is particularly sensitive because it concerns ”significant actions” online-not just account logins, but operations involving money transfers, account data changes, or legally binding confirmations.
Rising digital fraud in Russia and ongoing regulatory responses
The backdrop is a surge in digital fraud in Russia. Data from the Bank of Russia shows that in 2025, unauthorized transactions without client consent amounted to tens of billions of rubles. Both the regulator and the Ministry of Digital Development have been steadily rolling out new measures to combat social engineering and account takeovers. Whether Max will become a mandated option for these protections or remain a recommended channel remains unclear and should become clearer when the next set of anti-fraud amendments is published.

