An option to disable SMS authentication fallback after enabling Authy.

SMS as 2FA is well known to be the least secure of the methods available but still a better option than no 2FA at all, but I suggest an option to disable it as a fallback after having enabled Authy to lessen the security risks to the user account. You could learn from others mistakes such as Reddit's: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/

75 votes

Lucas shared this idea · August 03, 2018 · Flag idea as inappropriate… · Admin →

An error occurred while saving the comment

ketsysto commented · February 08, 2022 21:25 · Flag as inappropriate

Related idea https://twitch.uservoice.com/forums/310228-account-management-e-g-login-connections-pass/suggestions/42722402-stop-requiring-a-phone-number-to-set-up-2fa

Submitting...
achow101 commented · March 16, 2021 09:21 · Flag as inappropriate

I think that it is really important for Twitch to allow users to disable SMS 2FA and to have fixed backup codes like every other 2FA implementation does. SMS 2FA is not secure at all as besides the SIM jacking attack, there are other, easier and cheaper, ways that attackers can receive all SMSes for a phone number, such as the one described in this article: https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber.

Given how easy it is for an attacker to receive SMS 2FA, it is imperative for Twitch to make their 2FA system better and more secure by allowing users to disable SMS 2FA and use other 2FA methods such as FIDO U2F.

This is also important for those in the affiliate and partner programs as an attacker with access to the account settings and SMS 2FA can change the payout method and thus steal a streamer's earnings.

Submitting...

How can we improve the account management experience?