Real Two-Factor Authenticator App vs OTP-Phishing Page
How to tell a genuine two-factor authentication prompt from a real-time phishing page designed to relay your one-time code to an attacker.
Last reviewed: 1 June 2026
A genuine two-factor prompt is something you caused. You typed the site's address or opened a bookmark, entered your password, and only then were asked for a code, which arrives because the real service is responding to the login you just started. Real-time OTP phishing works because it reproduces that sequence exactly. The fake page passes your password to the real site as you type, the real site sends you a genuine code, and the page then asks for it, so the message on your phone is authentic even though the page requesting it is not. Nothing about the code itself will look wrong. The distinction that matters most is how you arrived. If you reached the login page by following a link in an email, a text or an advert, the code you enter can be relayed within seconds.
Side-by-side comparison
| Genuine two-factor authentication | OTP-phishing or real-time relay page | |
|---|---|---|
| How you arrived at the page | You typed the website URL directly into your browser or used a saved bookmark | You followed a link in an email, SMS, or social media message, or clicked a search advertisement |
| URL of the page requesting the code | URL in your browser address bar exactly matches the service's official domain with a valid certificate | URL is slightly different from the official domain — different TLD, added hyphen, or a subdomain that obscures the real domain |
| Timing of the code request | Code request appears after you have initiated a login on the real site; arrives because the real service is sending it to you | Code request appears in a browser window you arrived at via an unsolicited link; the page is receiving your credentials live |
| Code entry context | You entered your username and password on the official site before seeing a second-factor prompt — the flow is initiated by you | You are asked to enter a code that arrived unexpectedly on your phone; you did not initiate a login yourself on the real site |
| Urgency | Authenticator apps and SMS codes have a standard expiry (30–60 seconds for TOTP, a few minutes for SMS) with no additional pressure | Page displays a countdown timer or warning that your account will be locked if you do not enter the code immediately |
Common red flags
- You received a two-factor code on your phone without having initiated a login yourself
- The page requesting the code was reached via a link in an email or text rather than direct navigation
- URL in the browser address bar does not exactly match the official domain
- The page has an unusual urgency timer or threatens account lockout if you do not enter the code now
- The page asked for your password and is now asking for a 2FA code — but you did not choose to log in
Verification steps
- Always navigate to important sites by typing the URL or using a verified bookmark — never follow links in emails or texts
- Check the browser address bar URL carefully before entering any credentials or codes
- Use a hardware security key (FIDO2) where available — hardware keys verify the domain and will not work on phishing sites
What not to do
- Do not enter a two-factor code on a page you reached via an email or text link without verifying the URL
- Do not enter a code that arrived on your phone when you did not initiate a login
- Do not assume a site is genuine because it looks correct — pixel-perfect phishing clones are common
A safe response
Do not type a code into a page you reached by clicking a link, and never type one you did not ask for. If in doubt, close the tab, open the site by typing its address or using your own bookmark, and log in from there; if the real account shows no problem, there was no problem. A code arriving unprompted means someone already has your password, so change it now from a device you trust, and change it anywhere else you reused it. If you think you entered a code on a fake page, assume the account was accessed: reset the password, open the security settings and sign out every active session, check for added recovery emails or forwarding rules, and register a hardware security key if the service supports one.
Frequently asked questions
My phone keeps buzzing with login approval prompts, should I just approve one to stop it?
No. Repeated prompts mean someone with your password is trying to log in and hoping you will tap approve out of tiredness or to stop the noise. Deny them, then change your password immediately from a device you trust, and change it on any other account using the same one. Afterwards, review active sessions in your security settings and sign out anything you do not recognise. Switching from push approvals to a hardware key or app codes reduces the pressure.
Does using an authenticator app protect me from this type of attack?
Authenticator app TOTP codes are time-based and expire in 30 seconds. They are more secure than SMS codes but still vulnerable to real-time relay attacks if you enter them on a phishing page. Only a FIDO2 hardware key provides protection against phishing-site relay attacks, because the key checks the domain cryptographically.
I received a two-factor code I did not request — what should I do?
Do not enter the code anywhere. Someone has your password and is attempting to log in to your account. Change your password immediately, review recent login attempts in your account security settings, and consider whether any other accounts use the same password.