Stop asking for mobile 2fa to register applications.
Stop asking for my mobile number to register applications or for any reason at all.
You already get 2fa by sending the verification code through email. Sending it through mobile is an added security risk. It only makes it easier to compromise the account when hackers can just contact the mobile operator to be able to clone our mobile number.
The verification code through email is plenty. I have secure passwords on both my email and Twitch accounts, I can make sure they are safe, I can control that. I can't control what my mobile operator does with my SIM ID. Mobile service support-line operators are a joke and give those out like candy, and then accounts get compromised.
If you want to cover your butts against any liability, just suggest mobile 2FA (bad suggestion, whatever), but don't force it. Used properly, email 2FA is better; just because some users create email accounts with stupidly easy passwords doesn't mean you should force everyone to use a less secure 2FA method.
Please make it optional.
-
Amphitryon commented
The application I want to register does not require any authentication flows other than the OAuth Client Credentials Grant Flow, i.e., there are no users whose information could be put at risk if my app (or Twitch account) is compromised. I cannot even enable SMS- or TOTP-based 2FA, as TOTP isn't an option unless SMS is already enabled (and remains that way), and SMS (despite implications to the contrary https://help.twitch.tv/s/article/two-factor-authentication) is not allowed for VoIP numbers such as Google Voice.
Add in the fact that SMS-based 2FA and especially SMS-based password reset will greatly reduce security for security-conscious individuals (i.e., most developers), and it becomes clear that the mobile 2FA requirement should be re-evaluated and either removed or replaced with something more secure, such as pure TOTP without SMS.
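The "pure TOTP without SMS" that the comment above asks for is RFC 6238 time-based one-time passwords, which need only a shared secret and a clock, no phone number and no carrier. The following is an added illustration of how a server verifies such a code; it is not Twitch's code and not the commenter's. It assumes the standard parameters (HMAC-SHA1, 30-second step, 6 or 8 digits), checks a small window of adjacent time steps to tolerate clock skew, and tracks the last accepted counter so a captured code cannot be replayed within its validity window. The inline secret is the RFC 4226/6238 test-vector seed, used here only so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890").
# Constructed input for checking against the published vectors only;
# a real deployment generates a fresh random secret per user (see new_secret()).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, *, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Verify a submitted code against the current counter and `window`
    steps on either side (clock skew). Returns the counter that matched so
    the caller can persist it as `last_counter`; any counter at or below
    `last_counter` is rejected, which blocks replay of an intercepted code.
    Returns None on failure. Comparison is constant-time."""
    if len(code) != digits or not code.isdigit():
        return None
    current = int(for_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(b32_secret: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the de facto QR-code format) for enrolling an app.
    `issuer` and `account` are caller-supplied labels, not real identifiers."""
    return (f"otpauth://totp/{issuer}:{account}?secret={b32_secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Enrollment: generate and store a per-user secret, hand the URI to the user.
    b32 = new_secret()
    print(provisioning_uri(b32, "example-user", "ExampleIssuer"))
    raw = base64.b32decode(b32)
    # Login: the user's app computes the code from the same secret and clock.
    now = time.time()
    submitted = totp(raw, now)
    matched = verify_totp(raw, submitted, now)
    print("first use accepted at counter", matched)
    # Same code again within the window: rejected because of last_counter.
    print("replay accepted?", verify_totp(raw, submitted, now, last_counter=matched) is not None)
```

The part that matters for the thread's argument is what is absent: nothing here touches a phone number, so a SIM swap at the carrier gives an attacker nothing. The remaining risks are the secret store on the server and the device holding the authenticator, both of which the account owner or the service controls directly.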