Disallow (or add option to disallow) SMS password reset
Now that Twitch has enabled streamers to require phone number verification to use their chat, many others and I have had to add a verified mobile number to our accounts. The problem, however, is that I can now reset my password via SMS, which I did not ask for. This is especially problematic because Twitch's 2FA solution can also be bypassed via a phone number that's required to set up 2FA at all, even if the user has a secure authenticator app, meaning an attacker with access to the user's phone number can defeat both factors. Twitch just suffered a data leak, and presumably the names and numbers of high-profile streamers are now public record, which makes a SIM swap attack highly effective. This is a major security problem and there needs to be a way to opt out.
