Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples.) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landlines for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIP numbers. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
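As an added illustration of the TOTP flow the post asks for (example code written for this page, not Twitch's or Authy's implementation), here is RFC 6238 enrollment and verification in Python. The issuer and account names are placeholders; the only state shared between server and authenticator app is a random secret, so no phone number enters the process at any step.

```python
"""Phone-number-free second factor: RFC 6238 TOTP enrollment and verification.

Added example, not Twitch's code. The base32 secret is the only thing shared
between the server and the authenticator app; no phone number or SMS is involved.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

PERIOD = 30   # seconds per time step (RFC 6238 default; what Google Authenticator expects)
DIGITS = 6    # code length shown by the app


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded for the otpauth URI / QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps scan as a QR code.

    `issuer` and `account` are whatever the site chooses to display; the
    values used in __main__ below are placeholders.
    """
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": DIGITS, "period": PERIOD}
    )
    return f"otpauth://totp/{label}?{params}"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """Code the authenticator app displays at unix_time (RFC 6238 = HOTP over time step)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, unix_time // PERIOD)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_step: int, window: int = 1):
    """Server-side check.

    Accepts codes from `window` steps either side of now to tolerate clock
    drift, but never a step at or before `last_step`, so an observed code
    cannot be replayed within the drift window.
    Returns (accepted, new_last_step); persist new_last_step on success.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    now_step = unix_time // PERIOD
    for step in range(now_step - window, now_step + window + 1):
        if step <= last_step:
            continue  # already used, or older than a code already accepted
        if hmac.compare_digest(hotp(key, step), submitted):
            return True, step
    return False, last_step


if __name__ == "__main__":
    secret = generate_secret()
    # Placeholder account and issuer; in practice the site's own values.
    print(provisioning_uri(secret, "streamer@example.com", "ExampleService"))
    print("current code:", totp(secret, int(time.time())))
```

The server persists two things per user: the secret and the last accepted time step. The second is what makes the drift window safe: without it, a code seen over someone's shoulder stays valid for the whole window, which is up to 90 seconds with the defaults above.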
IZeroOneI commented
It is well known that SMS is more insecure than conventional 2FA algorithms.
This should not be a requirement for high-profile individuals like streamers.
If Twitch feels like it *has* to acquire phone numbers, at least allow users to disable SMS 2FA in favour of more secure options.
Knycrotic commented
this is so insane that you need a phone when SMS is the worst of all 2FA and your team should know this
Danukeru commented
Twitch's parent company already handles most of the world's payment information. I think there's no better option than Amazon when it comes to a track record at that scale.
This resolves why they would keep SMS verification in the first place. As for Affiliates and Partners: they already have their full banking information.
Your argument is moot.
dgw_ commented
@Danukeru Requiring payment information is a risk level higher than Twitch holding just a phone number. The idea is to *reduce* risk of information leakage and account takeovers, not increase risk of identity theft.
Danukeru commented
While I am aware that your application security team is very much in the know with regards to the risks of sim swapping, I have to now consider that SMS verification is kept in the hope that there is an actual human registering with a telecom provider.
However, I have seen examples of many VoIP providers that have started providing SMS support while also being impossible to discern from PSTN lines.
Mostly due to VoLTE backends becoming the norm as providers look to reduce costs. While these are generally much less vulnerable to SIM swap due to these providers having their own multifactor and no human in the loop to exploit, not everyone has the technical expertise to set these up, and it defeats your current intended purpose.
Perhaps your billing department should look into encouraging a natural purchase path in the $5 range on the part of a new user, similar to Steam accounts. A reduced rate Turbo perhaps?
The CC information would do better to limit spam accounts.
AlphaSendauri commented
The fact that one of the large corporations in the world REQUIRES users to enable plain text unencrypted SMS 2FA is one of the most frustrating blunders I've ever seen. Are these people literally stupid or just willfully ignorant? How the F U C K is this still an issue 3 years later?
alanblip commented
The Twitch FAQ for 2FA states: "When you set up Two-Factor Authentication on your account, an Authy account is automatically created for you even if you choose to actively use an alternative authentication app."
Talk about insecure! Twilio, the owner of Authy, suffered a breach recently that exposed some users' Authy data. Twitch is forcing its 2FA users to have an unnecessary account at a 3rd party site that's known to have suffered data breaches. I closed my Authy account recently, and now Twitch wants to reopen it for me. Ridiculous!
Requiring an Authy account "behind the scenes" is entirely unnecessary and reduces account security. It increases attack surface by putting my data on a website I have no control over and didn't agree to. Every other website I use where I've set up TOTP 2FA does so without requiring my phone number to create an Authy account for me. There is no sane reason for Twitch to do it this way.
ArcanicFlame commented
All i want for Christmas
Spiritsmaker commented
The insecurity of SMS for 2FA is being widely discussed again and again over the years. Although a regular viewer might not be of high value to be a target of an attack, the streamers on the platform definitely are.
As such, it is a strange choice on Twitch's policy which forces an inferior and insecure form of 2FA on them over other choices by default.
It would help a lot to see it be not be the case anymore and give a free choice to the users.
Purplezorz commented
Always put your strongest foot first, but I understand some flexibility is needed. So rather than picking one or the other to be mandatory, just allow the user to use either, and in fact, perhaps add a little message mentioning that 2FA apps are actually preferred.
That way, if people want to use SMS 2FA (even exclusively), they still have the choice to, but the more security conscious (or just those with a different opinion) can choose 2FA apps to be their primary or exclusive option.
ibleedtechnicolor commented
Twitch should either remove the requirement to set up SMS 2FA as a stepping stone to setting up software based 2FA, or allow users to remove SMS 2FA after setup. An alternative for backup could be backup keys that users can store safely in a password manager like many other major platforms provide. Offering the option to use software 2FA while requiring that SMS 2FA be in place defeats the purpose of using the software, and leaves accounts just as vulnerable as if they only used SMS 2FA.
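An added example (written for this page, not Twitch's code) of the password-manager-friendly backup codes the comment above describes: generated once and shown to the user, stored server-side only as salted hashes, and each accepted at most once. The code format and count are choices made here, not anything Twitch specifies.

```python
"""Offline recovery codes as the fallback for a lost authenticator, in place of SMS.

Added example, not Twitch's code. Codes are displayed once, stored only as
salted hashes (treated like passwords), and each code is consumed on first use.
"""
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # how many codes a user gets per batch (assumption)
CODE_BYTES = 5           # 40 bits of entropy -> 10 hex chars, shown as "xxxxx-xxxxx"
PBKDF2_ITERATIONS = 100_000


def _format_code(raw_hex: str) -> str:
    """Render 10 hex chars as two groups for easier transcription."""
    return f"{raw_hex[:5]}-{raw_hex[5:]}"


def _normalise(code: str) -> str:
    """Accept codes with or without the hyphen, spaces, or mixed case."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def generate_recovery_codes(n: int = CODE_COUNT) -> list[str]:
    """Fresh batch of codes; return these to the user exactly once."""
    return [_format_code(secrets.token_hex(CODE_BYTES)) for _ in range(n)]


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow hash so a leaked database does not yield usable recovery codes."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode("ascii"),
                               salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """Per-user server-side state: one salt and the unredeemed code hashes."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self._hashes = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """True if `submitted` matches an unused code; the code is then burned."""
        candidate = _hash_code(submitted, self.salt)
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)   # single use
                return True
        return False

    def remaining(self) -> int:
        """How many codes are left, so the UI can prompt for a new batch."""
        return len(self._hashes)


if __name__ == "__main__":
    batch = generate_recovery_codes()
    store = RecoveryCodeStore(batch)
    print("show the user once:", batch)
    print("first use accepted:", store.redeem(batch[0]))
    print("second use rejected:", not store.redeem(batch[0]))
    print("codes left:", store.remaining())
```

Redemption should sit behind the same rate limit as the password form: 40 bits per code is plenty against online guessing only if the server actually limits attempts.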
merrickal commented
Saying that SMS 2FA is the only way forward in setting up 2FA, is kind of signalling malicious people to target people’s phones.
Also, I can foresee people changing their mobile number, while travelling.
Or people forgetting to reset the 2FA when they need to change their phone number for whatever reason, because so many services and websites are on their favourite 2FA app on device. Would much rather have Google authentication and other authentication methods available so as to give people choice and to avoid giving malicious people an easy time.
Perhaps leaving the option to put my phone number in if I need a backup?
WhisperOnWings commented
I, for a number of personal life reasons, tend to lack the ability to even receive SMS most of the year. It's wild to me that because of this I have no option to protect myself or my account because of the SMS requirement. Not to mention the number of vulnerabilities SMS 2FA has. I do hope Twitch will implement another option that will allow someone without access to a phone number the safety of 2FA.
backpfeifenmondgesicht commented
There's no reason to have a phone number be mandatory to enable 2FA. It's incredibly flimsy at best and could easily cause a lot of issues, especially with people having stalkers. Make it an optional 2FA and NOT a mandatory.
PrairiePirateYo commented
This policy discriminates against poor streamers, who have to deal with phone disconnections on a regular basis. I've been streaming for over 3 years, but can't stream this week because an OBS update required me to sign into Twitch. Signing into Twitch requires that a code be sent to my disconnected phone. I'm logged into my Twitch account on several browser windows. But if my computers are turned off, I'll even lose that. As a web developer, I appreciate 2FA as a smart security practice, but your policies offer no options.
Forrener commented
While this does not personally affect me, I'd like to voice my support in removing the requirement for SMS 2FA to enable Software 2FA. 2FA is a very important security feature. The current implementation is strange and should be revised.
Arctor_ commented
SMS 2FA is too easily circumvented to be reliable as a method of authentication. Not only does this deny access to a large range of twitch features but actively blocks other forms of 2FA until SMS 2FA is implemented. This is unsafe and untenable.
Physical security keys are the most secure form of 2FA and should be listed as an option.
Email is more secure and more easily accessible to more people than mobile and should be listed as an option.
The software option currently available is more secure than SMS and shouldn't be restricted to verification. Verification shouldn't be restricted to a mobile number that is easily spoofed or otherwise circumvented.
soaky_sack commented
For the record, I know very little about 2FA as a whole, but using one of the weakest 2FAs out there, which also essentially segregates content creation to those fortunate and wealthy enough to own a phone, is very silly, both for Twitch and especially, of course, for users and content creators.
greenjam94 commented
Twitch is a global platform; in some regions SMS is not always an option, therefore those users would be unable to secure their accounts.
There are other options such as emailed TOTP that do not require having a mobile phone provider.
Security should be accessible to all and not gated by hardware requirements.
lazaros98 commented
There's always a risk of your phone number getting leaked, and if my phone number isn't in a database, I don't have to worry about it being leaked. Also, intercepting data from a service (SMS) that's older than all of Twitch's audience is not that hard.