Google Authentication for 2 Factor Authentication
I would love to be able to have the option for Google Authentication to be integrated into your current 2-Factor Authentication system. Hypothetically, if I were to misplace or break my phone, it would take some time for me to be able to get a new device, in which time I would not be able to reenter my Twitch account. I mod for channels, work with creators and would feel awful if I was not able to continue supporting and working for them as I do.
It would also just be an ease of access thing, where I have all of my current 2F Authentication already with Google Authentication, so as this isn't necessarily an essential facet to this system, it would be a nice addition to this system.
Exciting news friends!
This is live! We are excited to announce that you can now use whatever 2fa authenticator you would like!
Twitter announcement: https://twitter.com/TwitchSupport/status/1330979700680904704
and if you have questions please read through our new help article here: https://help.twitch.tv/s/article/two-factor-authentication?language=en_US
86 comments. Comments are closed.
Plus, some users (like me) have issues receiving SMS for backup codes (SMS never arrives for most services, so I can't have my phone number as a backup in most services (and yes, tried different devices, problem is with my provider blocking these SMS as spam before even attempting delivery, apparently)).
[Deleted User] commented
Please allow us to disable SMS authentication and add support for static (backup) codes and the FIDO2/WebAuthn-CTAP standard. PSTN authentication methods such as text message are currently being phased out at this time due to the high amount of risk and fraud involved.
@mouse As mentioned by others: The SMS requirement is redundant and should be removed.
PLEASE get rid of the SMS requirement altogether. It is by far the weakest link of the process.
Thanks for adding it, but totally useless if you still need SMS enabled as backup. Just give us backup codes which we can save more safely than what these SMS codes are. 2FA is only as strong as its weakest point.
@eonasdan totally agree. How can Twitch justify having such an insecure authentication mechanism as a backup? It's only as strong as the weakest link, and SMS authentication has *proven* to be easily foiled by social engineering mobile network providers. This isn't some theoretical attack, we've seen multiple instances of high profile people getting their accounts compromised because of SMS account recovery mechanisms.
"This is live! We are excited to announce that you can now use whatever 2fa authenticator you would like!"
As long as you don't mind also having super insecure SMS as a required backup.
What's the point then?
Still waiting on this. Simply inexcusable to have such a large platform, backed by Amazon no less, missing such a key security feature.
Can we please get this added? Amazon accounts have it...
It's insane that we can't use standard TOTP auth with any client/security device. Please enable it. Phone-based auth is insecure and I refuse to use it.
Send my SMS to my cellphone :) I can't enable 2FA
Or literally anything other than Authy. I hate having multiple 2FA apps on my phone. I use MSFT authenticator for 95% of my accounts except for Steam, Twitch, and my work account that requires some app nobody’s heard of. I’d prefer to use MSFT authenticator for Twitch instead of having Authy for just the one account. Ridiculous.
They aren't going to do anything regarding this, and I doubt they have even read this thread. Here's a Medium article explaining how to set Twitch's 2FA for other TOTP apps.
Vote for the similar suggestion with the most votes: https://twitch.uservoice.com/forums/310228-account-management-e-g-login-connections-pass/suggestions/11498085-google-authentication-for-2-factor-authentication
Ridiculous, I don't want to use phone or authy. I have other apps that can consume 2FA tokens. It's not hard to support other apps.
It's been 4 years and NOTHING. Twitch please stop using an insecure, clunky method of 2FA and start using proven-secure 2FA industry standards.
Just +1'ing this idea. Don't care which authenticator (MSFT, Google...etc). I'm just a big fan of open security mechanisms.
After two months since I reported it to Twitch support they replied and directed me here...
4 years? OMG! Why Twitch? Why no GA2FA?
And you still send me annoying mails that I logged on... just after sending me 2FA mail codes to the same e-mail address...
What logic is this?
Here, Twitch, read it twice https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-epic-twitter-hack and review your SIM vs TOTP auth policy.
How idiotic is this? I spent a good 20 minutes digging through my account settings. I was positive that TOTP was such a basic integration into any website that the only explanation that I had for not being able to find it was simply user error and not, in fact, a mind-bogglingly anti-consumer and standards move on Twitch's part.
Here, Twitch. Imma break it down for you:
1) 2FA via SMS is a non-starter. SIM spoofing is too laughably simple.
2) Proprietary, closed source and cloud synchronized OTU services are a non-starter. One time use codes are meant to be what you have, not what you know. Syncing codes to every device that you own is the LAST thing that a credential manager should offer to do.
3) I don't have a single online account with access to my finances that doesn't abide by these standards.
TLDR: No open standards from you == no money from me