The iOS app has this annoying habit of logging me out of the app seemingly at random, and with no input at all on any other device. This is very disruptive as I have 2FA set up on my account, and to log in I have to both provide my password and an auth code that may/may not be easy to get to depending on whether I have my auth code generator to hand.

The iOS app never used to randomly log out, so the question is why is it doing it now. I'm aware of the "30 days" feature but it'll often log out well before the 30 days are up.

First of all, good job on implementing non-Authy, non-SMS 2FA!

That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.

This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.

Not requiring SMS is important for several reasons:

• It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept a SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.

• Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.

• Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.

I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.

Thanks for reading, and do correct me if this option already exists and I somehow missed it.

(See also: https://twitch.uservoice.com/forums/310228-account-management-e-g-login-connections-pass/suggestions/35025769-an-option-to-disable-sms-authentication-fallback-a)

There are a host of problems on Twitch and I feel as though this idea could be a solution to some of the bigger ones.

I suggest giving streamers the option to only allow accounts with 2fa to access their channel. Make it an option for the individual streamer and make it toggleable.

In order for this to work, Twitch must do more than just “not allow the user to use chat.” Twitch needs to stop them from accessing the streamer’s channel all together. The same needs to be done for users who are banned/blocked but that is a whole other discussion.

There should also be a way to have this feature enabled, but with a customizable exemption list so that streamers can still allow their nightbots, moobots, etc access.

As someone who has faced harassment from a person viewbotting me for 10 months now, this is one of the only solutions I can think of to combat this. By only allowing accounts connected to a phone number to access my page, I would no longer be harassed this way.

It would also eliminate the problem of people constantly harassing with alternate accounts.

It would also be a good option for when someone is playing a new game and wants to stop people from using alt accounts to spoil.

These are just a few benefits I could see coming out of this!

Please Twitch, it is time to do more to protect your creators. As someone whose issues have been constantly pushed aside, I ask that you consider this solution not just for me, but for every streamer that’s faced harassment as I have.

Many streamers are currently being flooded by bots. There are no adequate filter mechanisms such as Captcha or other authentication methods that probe the creation of multiple fake accounts.

Twitch should use a secure authentication method for account creation as soon as possible so that so-called bot accounts and fake accounts can no longer be created in the future.

These bots make it unnecessarily difficult for honest streamers to apply for a partnership. In addition, it is almost impossible for streamers to prove that they have not bought or deliberately used any bots such as follower bots.

Dear community, please share this suggestion as best you can so that Twitch takes active and timely action against the urgent problem of bot attacks.

i lost my phone and needed to make a new authy account. idk my old number but i do know my email adress. so i changed the number hooked it up to my email adress thinking everything is fine. when i go to twitch to try to change the place it sends authy number codes for verification it wants to go straight to an sms number to the other phone i dont have.
also when it tells me to connect a new account (twitch) using the authy app
all it does is tell me to scan a qr code or use the code given to me , i didnt recieve either of these things. now im stuck with 2fa enabled and nothing i can do about it. theres gotta be a way to just get an email to undo this mess

I'd like to see the 2nd login factor (via email, as i never activated 2FA) configurable somewhere.

Background: the surveillance capitalists force me to surf in private windows only to keep my footprint low and that means, that no cookies are saved or even shared between browser tabs. Thus i need to enter a "security" code sent via postcard through the internet (that's exactly my humor...) WITH EVERY **** LOGIN!

Sorry guys, that's not security, it's just to annoy users like me with no real benefit. I know how to use and keep a good password. So let me have my self-responsibility to decide whether the password alone is safe enough to log in or not. I am grown up!