Privacy Tradeoffs
Forwarding OTPs And Verification Codes: Privacy Tradeoffs To Weigh
Before you forward OTP codes to email or verification codes to Telegram, understand how it changes your authentication surface, grounded in WizeSMS evidence.
Written by the Fulldive product engineering team, based on direct inspection of the repositories listed below.
Before you forward OTP codes to email or Telegram, read this
If you’re researching how to forward OTP codes to email or forward verification codes to Telegram on Android, the most important part of the answer is not the setup guide. It is the tradeoff. Forwarding SMS-delivered OTPs to any destination — Gmail, a Telegram bot, or an internal relay — changes your authentication surface. That is the whole point of this post.
WizeSMS (package com.fulldive.extension.divesms, previously Dive SMS) supports both destinations, and the app intentionally shows a privacy note (42f44224) at the point of opt-in. We want to say the same thing here in full sentences.
What an SMS OTP is actually doing
Most “something you have” factors that arrive over SMS are betting on one thing: that the second-factor message reaches only a device you physically control. That is a weaker assumption than a hardware security key or a TOTP app, but it is still a real second factor. NIST and others have documented the tradeoffs of SMS as an authenticator; the relevant takeaway is that the whole model depends on who receives the text.
When you turn on SMS forwarding to email or Telegram, you deliberately widen that circle.
How WizeSMS forwards, precisely
To be concrete about what a forwarder actually does:
- Email destination. Commit
dd629f2fadded SMS-to-email forwarding via Gmail OAuth. The app gets permission to send mail on your behalf through Google’s consent flow; it does not hold your email password. See the Gmail OAuth scopes reference for what a send scope grants. - Telegram destination. Commit
fa8b722badded SMS-to-Telegram forwarding via a Fulldive-hosted Cloud Function, which in turn calls the Telegram Bot API. The relay handles the payload; bot messages are not end-to-end encrypted. - Configuration lives in one screen (
4c1ec87b), with status and failure notifications visible on the device (a53b2673). - Forwarding is off by default. Nothing in the repository suggests otherwise, and the app surfaces a default-SMS warning (
3838a63b) when it isn’t even the active SMS handler.
Forwarding is a deliberate opt-in. That matters for the argument that follows.
The core privacy tradeoff
When an OTP arrives by SMS on your phone, the attack surface is roughly “physical access to the device or the SIM.” When you forward that OTP to email, the attack surface becomes “the device, the SIM, plus the email account, plus any credential or token that can read that email account.” Telegram expands the surface in a different direction: “the device, the SIM, plus the Telegram account, plus the relay.”
None of those are necessarily bad destinations. They are just bigger.
Practical implications:
- If your email account has weak 2FA, forwarding OTPs to it is a real downgrade. An attacker who takes over your email now has your one-time codes waiting for them. If you’re going to forward, lock the receiving account down with a hardware key or a TOTP app first.
- A Telegram bot inbox is usually synced across all of your Telegram sessions. Every active Telegram login is now a potential OTP reader. Review active sessions regularly.
- Forwarding logs are a target. The server-side relay for the Telegram destination has to process messages to deliver them. Even with short retention and reasonable operational controls, the existence of a logging window is part of the tradeoff.
- “Something you have” is blurry now. The classic argument for SMS as a second factor is that only your phone sees the code. A forwarder intentionally breaks that.
This is not an argument against forwarding. It is an argument for doing it with your eyes open. That is exactly why WizeSMS ships a privacy note (42f44224) in the forwarding UI.
When forwarding OTPs is still reasonable
Good reasons to forward authentication codes include:
- A shared team inbox for operational alerts where multiple people must act on a code, and the service in question doesn’t offer a better mechanism. In this case the shared inbox should be treated as credentials: hardware 2FA, restricted membership, and rotation when someone leaves.
- Travel with an inactive SIM. If your primary number is unreachable because you swapped SIMs, forwarding codes to an email address you can read anywhere may be safer than missing a real alert. Reverse the forward when you’re home.
- Accessibility needs that make reading SMS on the phone harder than reading email on a larger screen.
Good reasons not to forward include:
- Convenience alone. If all you’re doing is avoiding picking up your phone, a TOTP app or a password manager with autofill is almost always a safer choice.
- Banking and high-value account codes that the issuing bank explicitly says must stay on the original device.
- Any service whose terms prohibit sharing or re-transmitting auth codes, which many do.
Keywords we deliberately avoid
WizeSMS is not a “spy SMS app.” It is not a “hack SMS forwarding” tool. It is not designed to forward someone else’s texts without their knowledge. Fulldive’s own SEO planning explicitly lists those phrasings as keywords to avoid because they invite misuse and legal risk. A forwarder is a productivity and accessibility tool for your own messages.
How to forward safely if you decide to
If you have weighed the tradeoff and want to proceed, these are the minimum safeguards:
- Harden the destination first. Email: hardware key 2FA or an authenticator app. Telegram: strong cloud password, session review, and logout of unused sessions.
- Forward narrowly. Don’t forward every inbound SMS. Use rules to forward only specific senders, and never forward everything indiscriminately. The forwarding settings screen (
4c1ec87b) is where you make that choice. - Test with the built-in buttons. The test-message button (
150204e5) and forwarding status notifications (a53b2673) exist so that you know the forward works before you rely on it. - Revisit the decision. Revoke Gmail OAuth access in your Google account if you stop using email forwarding. Disable Telegram destination if you no longer need it. Uninstall or unset WizeSMS as default if you’re done with SMS forwarding altogether.
Related reading
- How to forward SMS to email on Android — the email setup flow in detail.
- How to forward SMS to Telegram on Android — the Telegram setup flow and the Cloud Function relay.
- Default SMS app on Android, explained — why WizeSMS asks to be default.
- SMS and MMS reliability on Android — why an SMS app has to get the basics right first.
- How WizeSMS evolved from messenger to forwarding utility — the product arc behind these decisions.
The Fulldive About page and the FAQ cover ecosystem-wide questions. The WizeSMS app listing is linked from the Fulldive apps page. For anything else, support@fulldive.com or the Discord community link inside the app (dfc606b3).
Sources
- Gmail API OAuth scopes.
- Telegram Bot API.
- Internal repository brief:
website/docs/app-evolution/wizesms-divesms.md.
Last updated: 2026-04-16. Commit hashes and version numbers are drawn from Fulldive repositories inspected on 2026-04-13.