An option to disable SMS authentication fallback after enabling Authy.
SMS as 2FA is well known to be the least secure of the methods available but still a better option than no 2FA at all, but I suggest an option to disable it as a fallback after having enabled Authy to lessen the security risks to the user account. You could learn from others mistakes such as Reddit's: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/
Lucas
shared this idea
-
ketsysto
commented
-
achow101
commented
I think that it is really important for Twitch to allow users to disable SMS 2FA and to have fixed backup codes like every other 2FA implementation does. SMS 2FA is not secure at all as besides the SIM jacking attack, there are other, easier and cheaper, ways that attackers can receive all SMSes for a phone number, such as the one described in this article: https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber.
Given how easy it is for an attacker to receive SMS 2FA, it is imperative for Twitch to make their 2FA system better and more secure by allowing users to disable SMS 2FA and use other 2FA methods such as FIDO U2F.
This is also important for those in the affiliate and partner programs as an attacker with access to the account settings and SMS 2FA can change the payout method and thus steal a streamer's earnings.