Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept a SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.

-
haddos_ commented
This could also be linked to this issue https://twitch.uservoice.com/forums/933812-safety/suggestions/44254764-do-not-require-a-phone-number-to-be-a-verified-acc
I don't have 2FA because you require (again) a phone number before being able to set up a standard TOTP app (like FreeOTP on Android, not talking about Google Authenticator).
This, plus the verified account issue makes me think you really want users to give you their phone numbers :)
-
dirtyjester1 commented
Looks like my account is back to normal now too, I just had to wait a little bit longer.
-
CraigB63 commented
@dirtyjester1 .. yes I saw this and found that I could chat again. People were asking where I'd been. Experiment is over? Nobody from twitch bothered to contact me or explain anything. Perhaps they might comment in this thread and let us know /hint/.
-
dirtyjester1 commented
I've seen some people reporting in other threads that the issue has been resolved for them. It's still present for me. Any change for anyone else here?
-
lachryphagous commented
Phone number verification is just a security breach waiting to happen. I have 2FA on my computer which feels much safer, but as soon as I test burner numbers I have the option to get the authentication token from SMS.
Get your phone stolen and also your Twitch account in the process.
And that's just pretending this is a "security" thing like the settings pretend to be and not another profiling layer to create a more complete data sheet on the user.
I wouldn't even be that upset if they pushed creator sided phone verification for some privileges because I'm sure I'd still be able to interact *somewhere* but this is so silly right now.
You can create a dozen dummy accounts with temporary e-mails which makes my old, authenticated, 2FA enabled account feel less valuable than phishing bots.
-
CraigB63 commented
So far it's been what? Six weeks. Does anyone know of any official word on this, or any avenue to get some traction toward resolving this? I may have to get a life out in the real world.
Also, Support is totally ghosting me, is that happening to you/others as well?
-
SpawnOfThespis commented
REQUIRING A MOBILE PHONE FOR 2FA IS DISCRIMINATORY AND SHOULD BE ILLEGAL.
I am being penalized for my private choice of phone service and/or for being poor; both of which are illegal.
I am eligible for Affiliate but can't continue because of my phone. I use Republic Wireless because I am extremely poor and it is one of the best deals out there to have a mobile number. It is my only number. I've had it for over 7 years so it is legitimate. I literally don't have a choice for phone number. Republic is a legitimate company so this is literally the same as if someone was being denied for having Verizon, AT&T, T-Mobile, or any other carrier.
MY CHOICE OF PHONE CARRIER SHOULD NEVER BE A FACTOR.
I have email verification enabled for security. I use it to log in with a new verification number every day which is more than most security protocols.
-
dirtyjester1 commented
Another affected user checking in here. I'm holding out hope this was a mistake and gets reversed. If it is intentional and permanent then I'm leaving the platform.
-
PrettzL commented
Oh boy if this is intentionally being rolled out to small batches of people and doesn't get reverted they will lose everyone.
There's no reason to have this as anything but an optional feature.
-
CraigB63 commented
Update. I'm reading 'bug' in the comments. Twitch support tells me it's an 'experiment'.
I will mention that enforcing phone verification is one of the main changes HAPPS rolled out just before that platform's sudden demise. Twitch is too big and too well respected to just die like that but HAPPS' failure to listen to its customers on this subject is at minimum a high-profile example that should be acknowledged internally.
Noted that support no longer responds to requests like "how long is this 'experiment' going to continue".
-
ogaboogawakanda commented
Turn off verified accounts only chat. Here’s two accounts with proof where streamers have it set off but twitch forces it on them anyways.
1) https://twitch.tv/viola_vivace
Streamer and mod both confirm that verified accounts only chat is turned off but this message appears regardless and won’t let me chat. “A verified phone number is required to chat in this channel. Please verify your phone number in Security & Privacy in Settings.” https://clips.twitch.tv/TenderRefinedPorcupinePeoplesChamp-RyFXXkfg_0UZlxdh
https://files.catbox.moe/yh8zzo.png
2) https://twitch.tv/moriraine
Streamer confirms it’s turned off live on stream: https://clips.twitch.tv/CallousObliqueRamenHeyGuys-44Sj4TZaUOMp5pFd
But twitch decides to force it anyways screenshot proof:
https://files.catbox.moe/akalkn.png
-
ogaboogawakanda commented
Streamer and mod both confirm that verified accounts only chat is turned off but the “A verified phone number is required to chat in this channel. Please verify your phone number in Security & Privacy in Settings.” message appears anyways and won’t let me chat.
https://clips.twitch.tv/TenderRefinedPorcupinePeoplesChamp-RyFXXkfg_0UZlxdh
-
illixion_ commented
Ironically, keeping 2FA disabled on Twitch is more secure, as you are forced to use EMail login codes instead, and my email provider doesn’t force SMS 2FA. I set up TOTP with no SMS 2FA on all of the services that I use due to SIM swapping, and Twitch is the only website besides my bank that enforces SMS 2FA. Take note of how sites like Twitter handled this issue and consider removing this dangerous restriction.
-
ogaboogawakanda commented
Streamer confirms it’s turned off live on stream: https://clips.twitch.tv/CallousObliqueRamenHeyGuys-44Sj4TZaUOMp5pFd
But twitch decides to force it anyways screenshot proof:
https://files.catbox.moe/akalkn.png
-
PrettzL commented
This.
It's obviously a bug caused by something done in the back end as it has not occurred for everyone but only to some accounts.
There are several new throwaway accounts I've made that do not have this issue at all, and if it were applied to everyone it would definitely show that it was intentionally done.
-
PDogJunior commented
My account is 8 years old and I have lost the ability to chat in pretty much every single stream across Twitch. You should leave it up to the individual streamer whether or not to enable phone verification. This isn't right as many of us are now effectively banned site-wide.
-
SneakySpike commented
Don't lock my account behind VERIFIED ACCOUNT ONLY CHAT. You try to scam people to get their phone numbers.
-
puddingpuppy commented
This is extremely user hostile and an invasion of privacy for Twitch to suddenly do this to a bunch of people's accounts. If I can't chat anymore I will cancel my subs and might as well just watch Youtube.
-
argobargsoup commented
This also badly affects users who may not actually have a mobile phone number.
-
CraigB63 commented
The twitch experiment setting my entire account to require a phone number to be verified is flawed. Phones are not secure. I lost my Microsoft account because auth was sent to a phone so I don't trust it now. Some streamers set it, most don't. Don't force false security on us.