An option to disable SMS authentication fallback after enabling Authy.
SMS as 2FA is well known to be the least secure of the available methods, but it is still a better option than no 2FA at all. I suggest an option to disable it as a fallback after Authy has been enabled, to lessen the security risks to the user account. You could learn from others' mistakes, such as Reddit's: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/
-
co_seeker commented
Man, how can they leave such a vulnerability (SMS auth) open in this day and age... What a clown company.
-
DibsRazell commented
We really need to be able to remove SMS 2FA after adding an authenticator. Right now I am still vulnerable to someone hijacking my SIM even though I've added an authenticator, because I added it to remove that vulnerability.
-
fenglengshun commented
I still want this option. Nowadays you can easily get a new SIM using an ATM-like machine which only asks for an ID card and a fingerprint, both of which can be bypassed with even a little bit of motivation. It just adds a point of failure in security.
SMS authentication is insecure. I'd much rather have 2FA be available only on devices I trust and tied only to those devices.
-
ketsysto commented
-
achow101 commented
I think that it is really important for Twitch to allow users to disable SMS 2FA and to have fixed backup codes, like every other 2FA implementation does. SMS 2FA is not secure at all: besides the SIM-jacking attack, there are other, easier and cheaper ways that attackers can receive all SMSes for a phone number, such as the one described in this article: https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber.
Given how easy it is for an attacker to receive SMS 2FA, it is imperative for Twitch to make their 2FA system better and more secure by allowing users to disable SMS 2FA and use other 2FA methods such as FIDO U2F.
This is also important for those in the affiliate and partner programs, as an attacker with access to the account settings and SMS 2FA can change the payout method and thus steal a streamer's earnings.