Real Two-Factor Authenticator App vs OTP-Phishing Page
How to tell a genuine two-factor authentication prompt from a real-time phishing page designed to relay your one-time code to an attacker.
Last reviewed: 1 June 2026
Real-time OTP phishing (also called adversary-in-the-middle or reverse-proxy phishing) uses a fake login page that, behind the scenes, forwards whatever username and password you type straight to the real site. The real site responds by sending a two-factor code to your phone, and the fake page then asks you for that code. The attacker's proxy submits it to the real site within seconds, well inside its validity window, and ends up with a logged-in session. The code was never "stolen" from your phone; you typed it into the wrong page.
Side-by-side comparison
| | Genuine two-factor authentication | OTP-phishing or real-time relay page |
|---|---|---|
| How you arrived at the page | You typed the website URL directly into your browser or used a saved bookmark | You followed a link in an email, SMS, or social media message, or clicked a search advertisement |
| URL of the page requesting the code | URL in your browser address bar is exactly the service's official domain, or a subdomain of it, and you have read the whole hostname rather than just the part that looks familiar | URL is slightly different from the official domain: a different TLD, an added hyphen, a lookalike character, or the official name placed in front of an unrelated domain. A padlock or valid certificate proves only that the connection is encrypted to whatever domain is shown; phishing sites routinely have valid certificates |
| Timing of the code request | Code request appears after you have initiated a login on the real site; arrives because the real service is sending it to you | Code request appears in a browser window you arrived at via an unsolicited link; the page is receiving your credentials live |
| Code entry context | You entered your username and password on the official site before seeing a second-factor prompt — the flow is initiated by you | You are asked to enter a code that arrived unexpectedly on your phone; you did not initiate a login yourself on the real site |
| Urgency | Codes expire on a fixed schedule (a TOTP code changes every 30 seconds, an SMS code usually lasts a few minutes) and the real site applies no further pressure | Page shows a countdown timer or warns that your account will be locked if you do not enter the code immediately; the pressure exists because the attacker's pending login needs the code before it expires |
Common red flags
- You received a two-factor code on your phone without having initiated a login yourself
- The page requesting the code was reached via a link in an email or text rather than direct navigation
- URL in the browser address bar does not exactly match the official domain
- The page has an unusual urgency timer or threatens account lockout if you do not enter the code now
- The page asked for your password and is now asking for a 2FA code — but you did not choose to log in
Verification steps
- Always navigate to important sites by typing the URL or using a verified bookmark — never follow links in emails or texts
- Check the browser address bar URL carefully before entering any credentials or codes
- Use a FIDO2/WebAuthn authenticator (a hardware security key, or a platform passkey, which uses the same standard) where available: the browser ties each login to the domain the credential was registered for, so the credential cannot be used on a lookalike domain, and there is no code for you to type or for a relay page to forward
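The address-bar checks in the steps above, written out as a small Node.js helper. This is an added example, not code from the original page: the list of official domains is an assumption supplied by the caller, "example.com" stands in for a real service, and every sample URL is constructed to show one lookalike pattern from the comparison table.

```javascript
// Added example (not from the original page): apply the address-bar checks to
// a URL string using Node's built-in WHATWG URL parser (Node 18+). The official
// domain list is an assumption supplied by the caller; "example.com" stands in
// for a real service and all sample URLs below are constructed.

/**
 * Decide whether urlString is on one of officialDomains.
 * Returns { ok, hostname, reasons }; ok is true only when the scheme is https,
 * nothing suspicious was found, and the hostname is an official domain or a
 * subdomain of one (hostname === d, or hostname ends with "." + d).
 */
function checkAddressBar(urlString, officialDomains) {
  const reasons = [];
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, hostname: null, reasons: ["not a parseable URL"] };
  }
  // The parser lower-cases the host and converts Unicode labels to punycode
  // ("xn--..."); strip a trailing dot so "example.com." still matches.
  const hostname = url.hostname.replace(/\.$/, "");

  if (url.protocol !== "https:") {
    reasons.push(`scheme is ${url.protocol} rather than https:`);
  }
  // "https://accounts.example.com@evil.example/" shows the official name first,
  // but everything before "@" is userinfo; the real host is evil.example.
  if (url.username || url.password) {
    reasons.push("user@ prefix hides the real host");
  }
  // Homograph lookalikes (Cyrillic or accented letters) surface as xn-- labels.
  if (hostname.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("hostname contains a punycode (xn--) label");
  }
  // A consumer login page never lives on a bare IP address.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[")) {
    reasons.push("host is an IP literal");
  }

  const onOfficialDomain = officialDomains.some(
    (d) => hostname === d || hostname.endsWith("." + d),
  );
  if (!onOfficialDomain) {
    reasons.push(`"${hostname}" is not ${officialDomains.join(" / ")} or a subdomain of it`);
  }
  return { ok: onOfficialDomain && reasons.length === 0, hostname, reasons };
}

// Constructed samples: one genuine address, then the lookalike patterns from
// the comparison table (obscuring subdomain, added hyphen, different TLD,
// userinfo trick, Unicode homograph, plain http).
const OFFICIAL = ["example.com"];
const SAMPLES = [
  "https://accounts.example.com/login",
  "https://example.com.login-verify.example/otp",
  "https://example-com.example/login",
  "https://example.co/login",
  "https://accounts.example.com@evil.example/login",
  "https://exämple.com/login",
  "http://example.com/login",
];

for (const sample of SAMPLES) {
  const { ok, hostname, reasons } = checkAddressBar(sample, OFFICIAL);
  console.log(`${ok ? "OK  " : "STOP"} ${sample}`);
  if (!ok) console.log(`      host=${hostname}: ${reasons.join("; ")}`);
}
```

The `endsWith("." + d)` comparison is what defeats the "official name in front of another domain" trick: `example.com.login-verify.example` does not end with `.example.com`, so it is rejected however convincing its left-hand part looks. The helper deliberately does not consult a public-suffix list; it only answers "is this host under a domain I already trust", which is the question the verification step asks.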
What not to do
- Do not enter a two-factor code on a page you reached via an email or text link without verifying the URL
- Do not enter a code that arrived on your phone when you did not initiate a login
- Do not assume a site is genuine because it looks correct — pixel-perfect phishing clones are common
A safe response
If you have entered a 2FA code on a page you now believe was a phishing site, assume the account is compromised: the attacker's session was created at the moment the relayed code was accepted. From a trusted device, change your password immediately, then review active sessions in your account security settings and revoke every session you do not recognise. Also check the account's recovery email and phone number, app-specific passwords, mail forwarding rules and connected third-party apps, since an attacker who obtained a session often adds one of these to keep access after the password changes. Finally, enable a FIDO2 hardware security key if the service supports one.
Frequently asked questions
Does using an authenticator app protect me from this type of attack?
Not against this attack. Authenticator app TOTP codes change every 30 seconds, but nothing ties a code to the site you type it into, so a code entered on a phishing page is forwarded to the real site well inside that window and accepted. Authenticator apps do remove the SIM-swap and SMS-interception risks of text-message codes, but not real-time relay. FIDO2/WebAuthn authenticators (hardware security keys and platform passkeys) resist this attack because the browser binds each login to the site's registered domain and the service verifies that binding cryptographically; a lookalike domain cannot produce a valid login assertion.
I received a two-factor code I did not request — what should I do?
Do not enter the code anywhere, and do not read it out to anyone who calls or messages claiming to be from the service's support team. The most likely explanation is that someone has your password and has just tried to log in with it. Change your password immediately from a trusted device, review recent login attempts and active sessions in your account security settings, and change the password on any other account where you reused it.