Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landlines for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIP. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
-
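The original post asks for exactly what every other TOTP-based site does: enroll an authenticator app from a shared secret and verify the six-digit codes it produces, with no phone number anywhere in the flow. The block below is an added illustration of that server side, written for this thread; it is not Twitch's code and does not describe Twitch's actual implementation. It follows RFC 4226/6238 (HMAC-SHA1, 30-second steps, 6 digits, which is what Google Authenticator and similar apps expect), emits the otpauth:// provisioning URI an app scans as a QR code, and verifies with a one-step clock-skew window plus replay rejection. The issuer and account names are constructed placeholders; the test secret is the RFC 6238 test-vector key.

```python
"""Server-side TOTP (RFC 6238) enrollment and verification with no phone number involved.
Added example for this thread, not Twitch's code. Issuer/account names are placeholders."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP_SECONDS = 30  # period authenticator apps assume by default
DIGITS = 6         # code length authenticator apps assume by default


def new_secret(num_bytes: int = 20) -> str:
    """Generate a random shared secret, base32-encoded (the form authenticator apps accept)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that a TOTP app (Google Authenticator etc.) reads from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{params}"


def _decode_secret(secret_b32: str) -> bytes:
    """Restore base32 padding (apps usually strip it) and decode to raw key bytes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def _hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^DIGITS."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp_at(secret_b32: str, unix_time: int) -> str:
    """Code valid for the 30-second step containing unix_time (what the user's app displays)."""
    return _hotp(_decode_secret(secret_b32), unix_time // STEP_SECONDS)


class TotpVerifier:
    """Verifies codes with a small clock-skew window and rejects reuse of an already-accepted step."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.key = _decode_secret(secret_b32)
        self.window = window
        self.last_accepted_step = -1  # highest step already consumed; persist per user in practice

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # replay protection: each step's code is accepted at most once
            if hmac.compare_digest(_hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Enrollment: generate a secret, show the URI the user would scan, then verify a live code.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleService"))  # placeholder names
    verifier = TotpVerifier(secret)
    print("current code accepted:", verifier.verify(totp_at(secret, int(time.time()))))
```

The secret never leaves the server and the user's device, so the user supplies nothing personal to enroll. The RFC test-vector key (ASCII "12345678901234567890") produces 287082 at time 59, 081804 at time 1111111109 and 005924 at time 1234567890, which is how a practitioner checks an implementation like this against the standard before trusting it.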
AJCxZ0 commented
In every "Your Twitch Account - Successful Log-in" email:
> We also encourage you to opt-in to receive your security codes via the Authy app.
On the "Contact Us" page:
> We recommend that you install the Authy mobile app...
On the "Setting up Two-Factor Authentication (2FA)" page:
> Note: On March 19th, 2024, the Authy desktop app will be shut down
As a bonus on the "Contact Us" page:
> Email address to send a response to
> [ my.Twitch@email.address ]
> Your entry does not match the allowed pattern.
-
DevAnima commented
I'm locked out of my Twitch account because Twitch refuses to send me the 2FA SMS. Their support suggested I contact Authy and/or install the app and use that to log in. I installed Authy on my phone and it just says "This device does not meet minimum integrity requirements" and refuses to work, but I have Google Authenticator on it which works perfectly. I contacted Authy support, and they are suggesting I install the app or contact Twitch for help. They have created a nice cycle of actually not doing ****. I used Authy to even change my phone number, which they did, and had to identify me, which required them to send me an SMS code to my previous phone number that was registered on Twitch but on which Twitch was somehow failing to send the same kind of SMS code to let me log in, and even with this new number I still can't log in because again Twitch is not sending the SMS codes. I have asked Authy support to delete my Authy account and whether deleting it will remove the 2FA requirement from Twitch and allow me to log in without the need for an SMS code, and they said they aren't sure. Then WHO THE **** ELSE should know this if not the side that handles the 2FA for Twitch? And all Twitch support does is recommend I install Authy or contact them for support. This system was designed by morons.
-
deathau commented
> Known 2FA SMS issue
> We are aware of the current 2FA SMS delivery issue that is affecting some users, and are already working on a fix. In the meantime, if you have 2FA enabled on your account and cannot sign in, we recommend installing the Authy app for a temporary fix.
Hah. I can't even sign up for 2FA right now because of the SMS being a requirement and that service is down. If I could just set up a TOTP without needing an SMS, I wouldn't have an issue.
-
SorennicX commented
Yeah, 2FA via phone SMS messages as the first step of setting up 2FA is not a good implementation of 2FA in general. Additionally, Authy was recently compromised again.
-
YoshiRulz commented
Anyone who still has Authy's online* 2FA set up (which used to be mandatory for streamers) is now the victim of a data leak, opening the door for targeted SMS spoofing attacks.
https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS
Now can we get any kind of response to this thread? Or will we have to wait until streamers start getting locked out?
* Apparently Authy has or had an offline/interoperable mode too, but of course Twitch never allowed it.
-
hexaheximal commented
Forgot to mention this earlier, but I made a blog post on this problem which explains *why* their implementation is bad too: https://hexaheximal.com/blog/lets-play-the-2fa-games-twitch
Spread the word ;)
-
Cynthic commented
This needs to be fixed, I'd like to whisper on the platform, but am never giving twitch my phone number. If anything they are just broadening out the annoying factor and the lack of action regarding its INsecurity just lets us all know that this is just about getting our phone numbers for them to give them out and charge others for access, or try to market things to us unsolicited.
-
whoisrysen commented
Bumping this too. I'm already a paying customer. Why do I still need to prove anything with my phone number? We all know the moderation argument is a cop-out and those numbers are fast-tracked to data-brokers. I'm a person, Twitch, not a commodity and I won't be treated like one.
-
IntrepidJoseph commented
I have someone's "old" number and now I can't become a verified user due to the fact that the "old" phone number is assigned to some random person. I currently have a new phone number.
-
asynchronous_awaiter commented
After creating a Twitch account, I'm completely baffled by the lack of interest from Twitch in this issue. I'm sure a lot of people can't or won't want to supply their phone number for privacy reasons, and this causes them to be unable to fully secure their account. Especially in 2024, where TOTP *without* SMS is the default (and SMS 2FA is inherently insecure), it's insane to think a platform as big as Twitch just doesn't care about the security of the accounts of users on its platform.
Twitch, if you're reading this: it's time to wake up and take action before it's too late and you'll be forced into putting out fires with a PR nightmare and lasting distrust by the very users you don't seem to care about protecting.
-
Fre3xec commented
The corporate world is run by liars who are lying to you about why they want your phone number. The customers are never going to get what they want here and they should start their own streaming site if they want control.
-
VoidTransmits commented
Very few places I use anything but TOTP. And for a monetizing platform as large as this? I feel like it should be mandatory to allow this. Even Star Citizen, Rockstar Games, Plex, and other streaming platforms which are really niche only use TOTP. There's no excuse for this in 2024.
-
Inglonias commented
I don't think this idea will be acted upon until a need is demonstrated. Trouble is, with security issues, by the time the need is demonstrated, someone will have gotten hurt.
I want to be clear that I do not condone such actions. I'm just fairly convinced that's how this would go down.
-
hexaheximal commented
I don't actually have a phone, which makes this even more annoying. I have always just used desktop linux...
-
EnglishInfix commented
This issue has been open for 3 years now and no action has yet been taken, even though SMS two factor authentication is no longer recommended by many security standards organizations such as NIST, who published their recommendation to phase out SMS two factor codes in the long ago year 2016. It is abundantly clear from the lack of action that Twitch does not care about the security and safety of their content creators, a group of people who are at an extremely increased risk of individual directed attacks that can be effectively mitigated by properly implemented authentication policies.
-
xendyex commented
This is needed, as I use TOTP for all my authentication and just having to use SMS for Twitch gets... annoying.
-
woodland_cat commented
How is this issue 3 years old and Twitch hasn't done anything about it? I didn't even realize Twitch made an Authy account with my phone number when I was trying to set up Twitch to work with my TOTP app. Twitch is the only service that uses this nonsense system, and it makes Twitch accounts less secure as a result.
-
jamesanderson0345 commented
Always put your strongest foot first - but I understand some flexibility is needed. So rather than picking one or the other to be mandatory, just allow the user to use either - and in fact, perhaps a little message mentioning that 2FA apps are actually preferred.
https://topfollowapkapp.com/
-
M00seBag commented
This is the second most voted on suggestion in the account category. How can it sit here for three years without being addressed in any way? There are literally zero legitimate reasons to need a phone number for this process.
-
quiet_geek commented
If this were about forcing telephone verification for the account, I might understand this (disagree with the methodology, but I can understand thought processes that might lead to that.) After all, being able to limit account chatting based on verification criteria is a generally useful feature.
Except the account phone number can be set entirely separately from the 2FA (or even left unset.) So I'm honestly really confused about why this is set up to operate this way, especially given all the security implications highlighted.