Open standard 2FA with QR codes
Could we please move away from the Authy only 2FA implementation currently used and provide standard TOTP and QR codes?
This would work much better for people who already have a stack of 2FA accounts in other solutions, remove reliance on a single application, fix issues with support (eg. Windows Phone), remove the need for a phone number (important for younger users I'd imagine) and generally increase flexibility and usability of 2FA for everyone by not locking us into a proprietary implementation.
I recently deleted my Authy account due to the recent security breach at Twilio (owner of Authy) that compromised some Authy accounts, their recent removal of backup features I relied on, and their lack of transparency in not providing any way to export tokens.
Now I'm trying to activate 2FA on Twitch, and I get an error verifying my phone number. Apparently it's because Twitch is attempting to create an Authy account with my phone number, but that account is in "Delete pending" state so it cannot be used.
So I can't do 2FA on Twitch while my Authy account is being deleted. Then, Twitch will apparently recreate my Authy account WHICH I DO NOT WANT BECAUSE AUTHY LETS HACKERS TAKE OVER USER ACCOUNTS. (ok, that's a little bit of hyperbole, but Authy is untrustworthy to me).
Please get rid of this ridiculous creation of an Authy account. I just setup TOTP 2FA on over a dozen accounts and none of them tried to create an Authy account for me. What is it about Twitch's technology that the others can do it right but Twitch can't?
So i dont have active phone service if you guys let us just scan qr code to add 2fa that would be awesome
I wholeheartedly agree. Using phone numbers for 2FA is so last century. With the arrival of SIM swapping attacks it can no longer be regarded as secure either.
Twitch, it's time to level up and switch to TOTP for 2FA like anybody else serious about security and privacy does. I may finally get to enjoy some 'verified accounts only' channels.
@darq_bot_ I suggest you seek some help. No one cares about your Twitch bot or you going to Youtube.
Have a good one.
@boosted_n I don't need to do research on things I know. It's you who should stop spreading FUD.
None of the services you mentioned *REQUIRE* 2FA, except Google.
I've been and still am a self employed developer. Systems and web also server administration. I've also been on the other side of things.
I don't use 2FA unless I'm forced to. Twitch thought it could force me to give them my phone number via 2FA a few years ago by requiring it for streaming and I stopped using it because of that. I've only recently picked it up again because the Twitch app was installed on my Android TV. I couldn't believe that people would donate money or subscribe to people essentially just streaming their life, called IRL streams. So I started watching to see how they do it. I thought, I can do that too, but I don't won't to use other people's infrastructure or services, I want to be independent, so I decided to start small and write a chat bot for starters.
I couldn't because, holy ****, Amazon wants my phone number if I want to get a Twitch oauth2 client_id.
So I came here to write this.
SWTOR forces me to do an email verification every time my ISP changes.
Twitch does that too. It's even more aggressive than EA in that regard. Every new incognito window requires email verification.
LinkedIn aka Microsoft does it.
Google does it via the phone's OTP. If Google didn't pay my check I would've removed it completely from my life.
I don't play SWTOR anymore because the 2FA annoys me.
I have had the same online banking password since the 1st time I set it in 2004, no 2FA. Never compromised.
For each new service I use I create a new password at least 16 chars long ( pwgen -s -1 -y 16), often 32 depending on the importance of the service.
I'm aware the US government has access to those passwords via Google. I see Google as the long arm of the US government. Their analytics helping to track people as they navigate the web.
I use Epic Games without 2FA, same for Steam. And for the record without installing Epic Game Services, even if they managed to trick me once to install it against my will.
My Nvidia drivers I clean them manually from telemetry and similar spyware as best I can.
However I don't use Windows to code.
The important stuff is under Linux, and the really important stuff is offline. I don't even use disk encryption.
Please don't tell me to do some research, that's akin to calling me dumb.
My track record speaks for myself.
I know that I'm not a high value target. But I will always speak my mind, even if that means I get banned from communities.
So please stop spreading FUD and disinformation. 2FA doesn't mean that sign in requests are logged.
I get that it can act as an means of protecting one's account, but in reality it's phising by those services under the false framing of improved security.
I also get that people are stupid and dumb and mistakes happen. I was doing a coding stream today and stupid me clicked on a file with this account's credentials. They were visible for a split second. I immediately stopped the stream and deleted the VOD. Because I didn't want to deal with restoring an account bound to my main email address.
Requiring 2FA for a bot is overkill and I repeat myself it's mainly used by companies to phish data about their users. Just like those security questions, the name of my 1st dog etc, are.
Just don't be stupid. That will handle 99% of all cases. If someone really wants to target you, especially government, which is rather unlikely, unless you pose an existential threat to them, they will get your data. 2FA or no 2FA.
But assuming non-governmental threat actors 2FA helps there. However it has its negative effects and its not a surefire way to protect your account.
I repeat, what if you lose the phone or change the number.
I had that happen in the case of my Amazon credit card, the number changed and just when I needed the CC service I couldn't use it because of ******* stupid booksmart people like you who drank the Kool aid and regurgitate FUD.
Have 2FA for all I care as long as it's optional.
I don't want to search for my phone every time I log in somewhere or do whatever action. Bad enough that the bank requires it from me since PSD2. And it does so because they want to enable financial products like account information services and account middleman services, which both require a yearly certificate purchase, effectively increasing earnings of those corrupt government institutions.
In any case, I digress.
I don't need to do research, I'm speaking for myself. Since 1995 not a single compromised account. I don't need yubikey or 2FA. All it does is make my life more complicated without benefit.
Amazon will not get my phone number. If they force me, I'll stop using their services. Just like now, I won't work on my Twitch chat bot and switch to YouTube, where they don't want my phone number if I want to create an oauth2
@darq_bot_ I would like to add to boosted_n's comment here. I have also been an Internet user since the so-called AOL Era.I used to claim that I have heard the modem handshake noises so often that I could actually understand their language, lol. Your/our Internet chops are not in question.
I have also never had an account compromised. I would venture to say that a majority (or at least a vast plurality) of people born before 1980 could make the same claim. There are many reasons for this, such as people in our age group being more naturally cynical and skeptical (having lived a pre-Social-Media life). Or, maybe it's just that nobody has been motivated enough to go after our accounts because we aren't important or interesting enough. Or, maybe our tie just hasn't come.
The time to make the move toward 2FA-enabled accounts is before an account is compromised. As a security professional (both physical and cyber), there is an adage much older than I am: the time to get security is before you needed it. And, there is the related adage: experience is what you get 10 seconds after you needed it.
I am not saying that your account(s) will ever be compromised. Streamers are heightened targets, as are anyone who is prolific on Social Media or otherwise can be seen to hold accounts or value (financial or otherwise). It is perfectly reasonable to employ enhanced security measures to act as a counterbalance to that phenomenon.
In our era, this "enhanced security" took the form of "your password must have both letters and numbers" and gradually got more complex from there. Some "experts" are still wallowing in this camp, now asking for 10+ character passwords with so many r3Q1remEn7$ that they've lost all meaning and don't add much (if anything) to the actual security of the account. 2FA standards have come a long way in closing that gap by adding an entirely separate second factor (your device/s) which has been shown to reliably foil any hack attempt unless the attacker can somehow acquire both the password AND access to the second device, which is nearly impossible in most cases. NOT impossible, but nearly so for all practical purposes.
With all that said, I DO agree with you that requiring a phone number is silly. SMS is not a secure protocol, and using SMS for 2FA is about as useless as early CAPTCHA designs. I do agree, however, that it's a good idea to have a backup method of authentication, such as a second separate device, a secure email account, or even SMS if there is a human verifier in the loop to prevent cleverly-designed bots.
In the end, we should be thankful that Twitch, Google, and our banks are increasingly requiring 2FA and improving their implementations. As a person from your generation, I hope you can see this point of view.
@darq_bot_ I would suggest to do some research. Would you like to have someone to be able to log into your online banking, Twitch Account, Google, and so on without you knowing? 2FA verifies that you are the correct person logging in by a second factor of authentication.
I personally use Yubico Yubikeys. Do you not use any other 2FA anywhere else? If you have been using the Internet since 1995 like you say (I have as well back when I had my 486 with Netscape Navigator (lol)) then it would be hard to believe that you do not have some sort of 2FA set up for various accounts across the Internet. If you do not, you are simply open for an attack.
Various services REQUIRE 2FA. Steam, EpicGames, Apple, Google, etc, they all require it. If you do not have it turned on, or purposely disabled it, don't come crying to anyone that you account got compromised.
It's for your protection, not anyone else's.
The whole 2FA thing is nonsensical to begin with.
I've used the Internet since 1995. I don't have 2FA anywhere.
I have not once had any of my accounts compromised.
Why does creating an app aka oauth client require a phone number? You already have my email, you see me stream, Why do I need a phone number? What when I lose the phone or change the phone number?
Don't require 2FA.
For people looking through this, it is possible, albeit frustrating, to use any TOTP manager where you are able to enter the secret key. Use a QR code scanner to grab the long secret key and type it into the TOTP manager.
It would be awesome for twitch to provide the secret key in text format though, it really is a pain.
I really dislike twitch creating an Authy account on my behalf. I've tried to use 2FA with twitch a few times over the years and every time I end up with an Authy account that I have to go through a ~30 day procedure to delete it. I'd rather not tie my 2FA completely to my phone number.
Please just let us use TOTP without Authy.
I'd like to warn everyone with my experience around this. Even though Twitch now allows you to use other authenticators, you CANNOT DELETE your Authy account that they created for you. It will result in you no longer receiving valid 2FA codes in whichever other app you chose to use. Twitch Support will not help you get back into your account.
(I've got an email)
Since the idea with Uservoice is to gather as many votes as possible on one suggestion, maybe those who voted for this should move their votes over to the one linked below as it has way more votes? I know it only asks for support for Google Authenticator but supporting GA would at least mean support for standard 2FA which can be used with your choice of 2FA app instead of being forced to use Authy.
I have already have TOTP and U2F/FIDO devices. Installing Authy is not an option. Since I cannot secure my account with open 2FA standards used by the rest of the Internet, I do not feel confident in transacting money through Twitch to support my friends who immigrated from Mixer.
Seeing as Twitch is literally the only reason I even have an account with Authy, and their app on my phone, I indeed support this. I'd like to just be able to use Google's Authentication.
I mean, even the main Amazon site allows me to do that.
Hi, my name is Joaquin an im a user of Twitch by web site, iPhone app and a Android TV app. My problem is when i get out some days from Android TV, my session expires, so when i try to login again, a message showsn that i have to enter in a website and activate de code on screen, but i dont have a pc nearby which i was log in to activate the code... and i dont have log in on iphone web browsers neither. So, it could be fixed by extendind Android TV session as lons as iPhone app session (infinite) or well provide a option on iPhone app whitch allow to scan a QR code in the AndroidTV app show. It will be so much easer to login in AndroidTV with my iPhone app account in a safe way. I believe you have to reach with the developing sofware team. If any part of this message doesn’t undestend, im able to be contacted by mail or skype to explan better to a sofware engeering or a product designer... i hope that new feature to log in safer and easily soon. Thanks you so much.
Absolutely. TOTP would let people use applications they already trust, like Google Authenticator. If they use password managers that support TOTP like 1Password, they don't have to use two applications to authenticate. Using non-standard 2FA makes users more dependent on your third-party provider, a relative nonentity who seems to think association with cryptocurrencies makes them look more trustworthy and not dodgy af. (In its most charitable reading, this calls their marketing competence into question.)
I tend to use 2FA everywhere, but honestly, I'm concerned that Authy, in particular, makes me less secure than 1FA using a long, unique password from my password manager. It gives me new risks to manage, and no real information to help me quantify that risk. (The guilt-by-association wrt cryptocurrencies is suggestive and concerning; nothing is objective and mitigating.)
I'm staying away from your 2FA solution for those reasons. Use standard TOTP, let me choose my provider, and I'm on it like a shot. (Or add FIDO/U2F so I can use my Yubikey.)
I recently had to deal with Authy's terrible customer service. One week in, and my case is still ongoing. I really hope that Twitch can ditch these clowns and use the standard TOTP method for two factor authentication. Or at least allow it in place of Authy.
+3 and please vote for the similar wishes too: