Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept a SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
-
ibleedtechnicolor commented
Twitch should either remove the requirement to set up SMS 2FA as a stepping stone to setting up software based 2FA, or allow users to remove SMS 2FA after setup. An alternative for backup could be backup keys that users can store safely in a password manager like many other major platforms provide. Offering the option to use software 2FA while requiring that SMS 2FA be in place defeats the purpose of using the software, and leaves accounts just as vulnerable as if they only used SMS 2FA.
-
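The original post asks for TOTP enrolment without a phone number, and the comment above asks for password-manager-storable backup codes as the recovery path instead of SMS. As an added example that is not Twitch's code and not part of the thread, the block below shows what that enrolment flow looks like: an RFC 6238 TOTP verifier (HMAC-SHA1, 30 s step, one step of drift tolerance), a first-code check before enabling the factor, and single-use backup codes stored only as hashes. The `Account` class, `enroll_totp` and `second_factor_ok` names are illustrative; the secret is the RFC 6238 test-vector seed, so the expected codes are the ones published in that RFC.

```python
"""Added example: TOTP enrolment with hashed single-use backup codes, no phone number.

Not Twitch's code; Account/enroll_totp/second_factor_ok are illustrative names.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6

# Constructed demo secret: the RFC 6238 test-vector seed "12345678901234567890".
DEMO_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_base32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30 s window."""
    secret = base64.b32decode(secret_base32, casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret_base32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side to absorb clock drift."""
    secret = base64.b32decode(secret_base32, casefold=True)
    counter = unix_time // STEP_SECONDS
    ok = False
    for c in range(counter - window, counter + window + 1):
        # compare_digest is constant-time; no early return, so timing does not
        # reveal which window matched.
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def _hash_backup_code(code: str) -> bytes:
    # Backup codes are high-entropy random strings, so plain SHA-256 is enough here;
    # storing only hashes means a database leak does not hand out usable codes.
    return hashlib.sha256(code.encode()).digest()


class Account:
    """Minimal 2FA state: a TOTP secret and hashed backup codes. No phone number field."""

    def __init__(self) -> None:
        self.totp_secret: str | None = None
        self.backup_hashes: list[bytes] = []

    def enroll_totp(self, secret_base32: str, first_code: str, unix_time: int) -> list[str]:
        """Enable TOTP directly, after one valid code proves the app was set up correctly.

        Returns the backup codes, shown to the user exactly once (for their password manager).
        """
        if not verify_totp(secret_base32, first_code, unix_time):
            raise ValueError("first TOTP code did not verify; not enabling 2FA")
        self.totp_secret = secret_base32
        codes = [secrets.token_hex(5) for _ in range(8)]  # 8 codes, 40 bits of entropy each
        self.backup_hashes = [_hash_backup_code(c) for c in codes]
        return codes

    def second_factor_ok(self, submitted: str, unix_time: int) -> bool:
        """Accept a TOTP code or an unused backup code; a backup code is burned on use."""
        if self.totp_secret and verify_totp(self.totp_secret, submitted, unix_time):
            return True
        h = _hash_backup_code(submitted)
        for i, stored in enumerate(self.backup_hashes):
            if hmac.compare_digest(stored, h):
                del self.backup_hashes[i]
                return True
        return False
```

The point of the design is that nothing in `Account` needs a phone number: the recovery path is the backup codes, and losing the authenticator app does not route through a carrier that can be SIM-swapped. A real deployment would also rate-limit `second_factor_ok` and record the last accepted TOTP counter to reject replays within the drift window.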
merrickal commented
Saying that SMS 2FA is the only way forward in setting up 2FA is kind of signalling malicious people to target people's phones.
Also, I can foresee people changing their mobile number, while travelling.
Or people forgetting to reset the 2FA when they need to change their phone number for whatever reason, because so many services and websites are on their favourite 2FA app on device. Would much rather have Google authentication and other authentication methods available so as to give people choice and to avoid giving malicious people an easy time.
Perhaps leaving the option to put my phone number in if I need a backup?
-
WhisperOnWings commented
I, for a number of personal life reasons, tend to lack the ability to even receive SMS most of the year. It's wild to me that because of this I have no option to protect myself or my account because of the SMS requirement, not to mention the number of vulnerabilities SMS 2FA has. I do hope Twitch will implement another option that will allow someone without access to a phone number the safety of 2FA.
-
backpfeifenmondgesicht commented
There's no reason to have a phone number be mandatory to enable 2FA. It's incredibly flimsy at best and could easily cause a lot of issues, especially with people having stalkers. Make it an optional 2FA and NOT a mandatory one.
-
PrairiePirateYo commented
This policy discriminates against poor streamers, who have to deal with phone disconnections on a regular basis. I've been streaming for over 3 years, but can't stream this week because an OBS update required me to sign into Twitch. Signing into Twitch requires that a code be sent to my disconnected phone. I'm logged into my Twitch account on several browser windows. But if my computers are turned off, I'll even lose that. As a web developer, I appreciate 2FA as a smart security practice, but your policies offer no options.
-
Forrener commented
While this does not personally affect me, I'd like to voice my support in removing the requirement for SMS 2FA to enable Software 2FA. 2FA is a very important security feature. The current implementation is strange and should be revised.
-
Arctor_ commented
SMS 2FA is too easily circumvented to be reliable as a method of authentication. Not only does this deny access to a large range of twitch features but actively blocks other forms of 2FA until SMS 2FA is implemented. This is unsafe and untenable.
Physical security keys are the most secure form of 2FA and should be listed as an option.
Email is more secure and more easily accessible to more people than mobile and should be listed as an option.
The software option currently available is more secure than SMS and shouldn't be restricted to verification. Verification shouldn't be restricted to a mobile number that is easily spoofed or otherwise circumvented.
-
soaky_sack commented
For the record I know very little about 2FA as a whole, but using one of the weakest 2FAs out there, which also essentially segregates content creation to those fortunate and wealthy enough to own a phone, is very silly, both for Twitch and especially, of course, for users and content creators.
-
greenjam94 commented
Twitch is a global platform; in some regions SMS is not always an option, therefore those users would be unable to secure their accounts.
There are other options, such as emailed TOTP, that do not require having a mobile phone provider.
Security should be accessible to all and not gated by hardware requirements.
-
lazaros98 commented
There's always a risk of your phone number getting leaked, and if my phone number isn't in a database, I don't have to worry about it being leaked. Also, intercepting data from a service (SMS) that's older than all of Twitch's audience is not that hard.
-
CodeTheVoid commented
SMS 2FA is easily cracked. It also prevents users that don't have access to SMS from having 2FA, which is important for end users.
-
claiminglight commented
That's been a big problem for me. I don't want or need a cell phone, just like some folks don't want or need a car. You're not selling phones; why is your verification setup reliant on products from unaffiliated companies?
-
centaurianmudpig commented
"Relatively speaking, it's significantly easier to intercept a SMS or gain control of someone's number than it is to crack a TOTP token"
Big streamers are going to be the main targets of this kind of attack and are more susceptible due to being more noticeable in the Twitch community, making them vulnerable and more impactful targets.
-
ZilchGnu commented
Having been a victim of a SIM swap in the past, this is an issue that could be prevented. I feel no matter how much I lock down my account I'll always be at risk because I cannot remove SMS 2FA.
-
drewzeedo5 commented
The idea of requiring SMS first is crazy to me. I personally have no phone service at my house, and the idea of requiring SMS BEFORE setting up my authenticator app is incredibly difficult.
-
Jack_the_Dipper commented
SMS has two major problems.
1. Not everyone can use SMS
2. SIM swapping is out there and that can hijack your account
-
TastelessGeorg commented
SMS 2FA is incredibly insecure; requiring it as a prerequisite for ACTUALLY GOOD 2FA is terrible. Thus users are less inclined to use good 2FA and more account breaches happen.
-
TalviTheFox commented
I completely agree with your points! Requiring phone numbers for 2FA can be problematic for numerous reasons:
Security: SMS 2FA is weaker than other methods like TOTP apps, exposing users to SIM swapping and interception risks.
Privacy: Not everyone wants their phone number linked to their Twitch account for various reasons.
Accessibility: Phone access isn't universal, leaving some users locked out of stronger 2FA options.
A flexible 2FA setup like you suggest, with various options and no mandatory phone requirement, would significantly improve security and inclusivity. So, yeah, ditch the phone number requirement, Twitch!
-
RedCyberDragon29 commented
The post is right. SMS is insecure and should not be required but an option or it defeats the purpose.
-
wanderluststory12 commented
With the amount of large profile streamers and how easy it is to SMS attack, a 2FA without requiring a phone number would help limit the amount of stolen accounts on Twitch.