Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
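The enrollment and verification flow the post asks for (a TOTP secret handed to an authenticator app, verified server-side with clock-skew tolerance and replay protection), as an added example that is not part of this thread or of Twitch's implementation. The per-user record and the account/issuer names are constructed; the fixed secret is the RFC 6238 test vector so the output can be checked against the published values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # time-step length in seconds (RFC 6238 default)
DIGITS = 6
# RFC 6238 Appendix B test secret, so the code below can be checked against published vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

def generate_totp_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI the user scans as a QR code. Nothing in it involves a phone number."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret: str, for_time: int) -> str:
    """RFC 6238 code for the time step containing for_time: HOTP over floor(t / STEP)."""
    key = base64.b32decode(secret, casefold=True)
    counter = struct.pack(">Q", for_time // STEP)          # 8-byte big-endian step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).
    Each comparison is constant-time so a partial match does not leak through timing."""
    return any(hmac.compare_digest(totp(secret, now + skew * STEP), submitted)
               for skew in range(-window, window + 1))

def verify_and_consume(user: dict, submitted: str, now: int, window: int = 1) -> bool:
    """verify_totp plus replay protection: never accept a time step at or before the last
    one this user already used. `user` is a constructed record {"secret": str, "last_step": int}."""
    for skew in range(-window, window + 1):
        step = (now + skew * STEP) // STEP
        if step <= user["last_step"]:
            continue
        if hmac.compare_digest(totp(user["secret"], step * STEP), submitted):
            user["last_step"] = step
            return True
    return False
```

Enrollment is `generate_totp_secret()` plus `provisioning_uri()` stored against the account; the secret never leaves the server except through the QR code, so no carrier, VoIP check or phone number enters the process.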
-
VoidTransmits commented
Very few places I use anything but TOTP. And for a monetizing platform as large as this? I feel like it should be mandatory to allow this. Even Star Citizen, Rockstar Games, Plex, and other streaming platforms which are really niche only use TOTP. There's no excuse for this in 2024
-
Inglonias commented
I don't think this idea will be acted upon until a need is demonstrated. Trouble is, with security issues, by the time the need is demonstrated, someone will have gotten hurt.
I want to be clear that I do not condone such actions. I'm just fairly convinced that's how this would go down.
-
hexaheximal commented
I don't actually have a phone, which makes this even more annoying. I have always just used desktop linux...
-
EnglishInfix commented
This issue has been open for 3 years now and no action has yet been taken, even though SMS two factor authentication is no longer recommended by many security standards organizations such as NIST, who published their recommendation to phase out SMS two factor codes in the long ago year 2016. It is abundantly clear from the lack of action that Twitch does not care about the security and safety of their content creators, a group of people who are at an extremely increased risk of individual directed attacks that can be effectively mitigated by properly implemented authentication policies.
-
xendyex commented
This is needed, as I use TOTP for all my authentication and just having to use SMS for Twitch gets... annoying.
-
woodland_cat commented
How is this issue 3 years old and Twitch hasn't done anything about it? I didn't even realize Twitch made an Authy account with my phone number when I was trying to set up Twitch to work with my TOTP app. Twitch is the only service that uses this nonsense system, and it makes Twitch accounts less secure as a result.
-
M00seBag commented
This is the second most voted on suggestion in the account category. How can it sit here for three years without being addressed in any way? There are literally zero legitimate reasons to need a phone number for this process.
-
quiet_geek commented
If this were about forcing telephone verification for the account, I might understand this (disagree with the methodology, but I can understand thought processes that might lead to that.) After all, being able to limit account chatting based on verification criteria is a generally useful feature.
Except the account phone number can be set entirely separately to the 2FA (or even left unset.) So I'm honestly really confused about why this is set up to operate this way, especially given all the security implications highlighted.
-
VladimirTepesDracul commented
Rather than SMS, allow it to be linked to authenticator apps or via email. This way if we change numbers or have an issue, we have a more secure way to access our accounts.
-
IZeroOneI commented
It is well known that SMS is more insecure than conventional 2FA Algorithms.
This should not be a requirement for High Profile Individuals like Streamers.
If Twitch feels like it *has* to acquire phone numbers, at least allow Users to disable SMS 2FA in favour of more secure options.
-
Knycrotic commented
this is so insane that you need a phone when SMS is the worst of all 2FA and your team should know this
-
Danukeru commented
@dgw_
Twitch's parent company already handles most of the world's payment information. I think there's no better option than Amazon when it comes to a track record at that scale.
This resolves why they would keep SMS verification in the first place. As for Affiliates and Partners: they already have their full banking information.
Your argument is moot.
-
dgw_ commented
@Danukeru Requiring payment information is a risk level higher than Twitch holding just a phone number. The idea is to *reduce* risk of information leakage and account takeovers, not increase risk of identity theft.
-
Danukeru commented
While I am aware that your application security team is very much in the know with regards to the risks of sim swapping, I have to now consider that SMS verification is kept in the hope that there is an actual human registering with a telecom provider.
However I have seen examples of many VOIP providers that have started providing SMS support while also being impossible to discern from PSTN lines.
Mostly due to VoLTE backends becoming the norm as providers look to reduce costs. While these are generally much less vulnerable to SIM swap due to these providers having their own multifactor and no human in the loop to exploit, not everyone has the technical expertise to set these up, which defeats your current intended purpose.
Perhaps your billing department should look into encouraging a natural purchase path in the $5 range on the part of a new user similar to Steam accounts. A reduced rate turbo perhaps?
The CC information would do better to limit spam accounts.
-
AlphaSendauri commented
The fact that one of the large corporations in the world REQUIRES users to enable plain text unencrypted sms 2fa is one of the most frustrating blunders I've ever seen. Are these people literally stupid or just willfully ignorant? How the F U C K is this still an issue 3 years later?
-
alanblip commented
The Twitch FAQ for 2FA states: "When you set up Two-Factor Authentication on your account, an Authy account is automatically created for you even if you choose to actively use an alternative authentication app."
Talk about insecure! Twilio, the owner of Authy, suffered a breach recently that exposed some users' Authy data. Twitch is forcing its 2FA users to have an unnecessary account at a 3rd party site that's known to have suffered data breaches. I closed my Authy account recently, and now Twitch wants to reopen it for me. Ridiculous!
Requiring an Authy account "behind the scenes" is entirely unnecessary and reduces account security. It increases attack surface by putting my data on a website I have no control over and didn't agree to. Every other website I use where I've set up TOTP 2FA does so without requiring my phone number to create an Authy account for me. There is no sane reason for Twitch to do it this way.
-
ArcanicFlame commented
All i want for Christmas
-
Spiritsmaker commented
The insecurity of SMS for 2FA has been widely discussed again and again over the years. Although a regular viewer might not be of high value as a target of an attack, the streamers on the platform definitely are.
As such, it is a strange choice in Twitch's policy to force an inferior and insecure form of 2FA on them over other choices by default.
It would help a lot to see this no longer be the case and to give users a free choice.
-
Purplezorz commented
Always put your strongest foot first - but I understand some flexibility is needed. So rather than picking one or the other to be mandatory, just allow the user to use either - and in fact, perhaps a little message mentioning 2FA apps are actually the more preferred.
That way, if people want to use SMS 2FA (even exclusively), they still have the choice to, but the more security conscious (or just those with a different opinion) can choose 2FA apps to be their primary or exclusive option.