Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept a SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.

-
darknase commented
Giving out a phone number to get 2FA (or in general) is a no-no.
Aside from that SMS-TAN is considered broken since at least 2016 by NIST [1], going back till 2005 [2]
to [1]:
"Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service."
It's a GDPR privacy concern, you DO NOT NEED to know a phone number to authenticate a person.
You already have a way to communicate, send a one time code via eMail. But even that is isn't a required, because setting up the 2FA is easily done via a scanable QR code that's issued for the user once - i.e. changes on repeat - when the user enables the 2FA on a dedicated - i.e. not constant part of the user profile - page.
You don't like the eMail OTP solution because interception or plain text, well then set up a public PGP key dedicated to the 2FA setup, freely available on your site and on a PGP key server. Still can do a challenge-answer implementation before accepting users public key into your system.
[1] https://pages.nist.gov/800-63-3/sp800-63b.html
[2] https://www.schneier.com/crypto-gram/archives/2005/0515.html#16
"Comments from Readers" - "Subject: Two-Channel Authentication with Cell Phones and SMS" -
Impennis commented
Come on Twitch. Stop collecting unnecessary user data!
Everyone before me who stated requiring SMS validation for setting up 2FA TOTP is horse dung is 110% right.
Especially since you keep nagging users to secure their accounts, which I'm absolutely willing to do, you should make it as painless as possible. That means not bothering users for their private phone number. For my part you will not get it. TOTP, WebAuthn or nothing.
It's unbelievable that a company as big as Twitch, right in the middle of big tech fails to understand basic privacy and security concerns of their users.
-
Yang05051 commented
Strongly agree with you! SMS is only an option, not a requirement.
-
YoshiRulz commented
Almost 2 years and no change. WebAuthn is the way, and a company as big as Amazon should be offering it everywhere.
-
kevinsky86 commented
Requiring a phone number to set up a TOTP app makes no sense. Stop this.
SMS verification has been frowned upon for many years now in security circles and should be completely disabled.
TOTP two factor verification is something you should just be able to enable without giving Twitch any additional information. -
darq_bot_ commented
I agree. I was trying to write a Twitch chat bot, but now I need to give away my phone number to set up 2FA. This will not happen. As a result Twitch is more unattractive. My channel will remain plain without any advantages or custom chat functionality. It will not be able to separate itself from other channels, to stand out.
Youtube is a more interesting platform for streaming because of that.
-
kenjinmelle commented
To add onto the point issues:
If you get a new number and someone has already connected it to their account (meaning you got a previously used number), Twitch won't give your the number that is now yours.Meaning anything they roll out that requires a phone number? You're SOL.
-
Stunseed commented
I still have to log in to my account every single time with an email 6 digit code. Seems a lil counter intuitive how 2FA can't do this. How is it good enough to get an email for this code but can't use 2fa for this same system. When I say Everytime I mean literally every single time I log in to twitch I have to authorize..this works great! Now only if 2fa could do it too.
-
FALANJI commented
I agree with this idea. It's very boring to just receive SMS messages with a code. It could make not only the possibility of 2FA, but also the possibility of scanning a barcode when logging in, as is the case with Discord login.
-
Nuklearraver commented
Given the proliferation of SIM hacking, you'd think OTP would be the default and SMS would be optional, even discouraged! I'm probably just going to close my Twitch account until OTP-only support is added.
-
CraigB63 commented
I need to stop following this thread.
The thread about not using phone numbers as a privacy requirement was merged with the unrelated thread about not using phone numbers for (additional) authentication.
There's a school of thought that phone numbers are secure, that phone numbers are unique over extended time periods, and that every person has secure access to a private number. All of these are demonstrably incorrect but it appears the vendors are intentionally ignoring that. You'd assume this is to avoid spending on alternative implementations.
Best of luck y'all
-
foxikira commented
It is still crazy that twitch still requires a phone number to enable 2FA. Even if you are doing that allow people to disable SMS based verification after adding a TOTP app. I am not comfortable with using Authy and you forcefully create an Authy account once I enable 2FA. I just want to use a TOTP app alone without SMS and I am okay with losing acccess if lose access to my TOTP app since that is the whole point.
-
CraigB63 commented
The fact that twitch merged their identity grab where they tried to force users to verify with a phone number, with this job, that is about 2FA, shows that whoever is managing it doesn't even understand the problem.
-
ROBINBJK commented
I am about to loose myself, I can't use my phone number that I always used on this twitch account to verify my account. for some reason it has removed my number from my twitch account and now no matter how many times i tried to add my number back it always gives an error '' error is : Unable to send SMS because phone number is disabled for reuse, please use a different phone number option '' . I have no other phone number to use but i tried my wife;s and still could not verify it. I am an affiliated Twitch streamer but now i can't text on some of my fellow streamers chat because they have two factor phone verification requirements on their channel's and it is so annoying. i need help asap please !!!
-
haddos_ commented
This could also be linked to this issue https://twitch.uservoice.com/forums/933812-safety/suggestions/44254764-do-not-require-a-phone-number-to-be-a-verified-acc
I don't have 2FA because you require (again) a phone number before being able to setting a standard TOTP app (like FreeOTP on Android, not talking about Google Authentificator).
This, plus the verified account issue makes me think you really want users to give you their phone numbers :)
-
dirtyjester1 commented
Looks like my account is back to normal now too, I just had to wait a little bit longer.
-
CraigB63 commented
@dirtyjester1 .. yes I saw this and found that I could chat again. People were asking where I'd been. Experiment is over? Nobody from twitch bothered to contact me or explain anything. Perhaps they might comment in this thread and let us know /hint/.
-
dirtyjester1 commented
I've seen some people reporting in other threads that the issue has been resolved for them. I't still present for me. Any change for anyone else here?
-
lachryphagous commented
Phone number verification is just a security breach waiting to happen. I have 2FA on my computer which feels much safer, but as soon as I test burner numbers I have the option to get the authentication token from SMS.
Get your phone stolen and also your Twitch account in the process.
And that's just pretending this is a "security" thing like the settings pretend to be and not another profiling layer to create a more complete data sheet on the user.
I wouldn't even be that upset if they pushed creator sided phone verification for some privileges because I'm sure I'd still be able to interact *somewhere* but this is so silly right now.
You can create a dozen of dummy accounts with temporary e-mails which makes my old, authenticated, 2FA enabled account feel less valuable than phishing bots.
-
CraigB63 commented
So far it's been what? Six weeks. Does anyone know of any official word on this, or any avenue to get some traction toward resolving this? I may have to get a life out in the real world.
Also, Support is totally ghosting me, is that happening to you/others as well?