Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
-
nidoking138 commented
Spoofing is much too easy for SMS setup for 2FA. This puts tons of end users at risk.
-
FlightyFerret commented
Not everyone has access to a personal mobile phone number, but two-factor identification is important for everyone.
-
Jarwerewolf commented
we need this
-
Mackapoot commented
There is absolutely no reason to lock 2FA behind having an SMS. That seems like a small change that can improve the security for many of your users.
-
WildeRatel commented
Not a good idea
-
Toastee0 commented
SMS is a terribly insecure way to do 2FA. Can we please have better 2FA options?
-
dgw_ commented
@DaftMav You don't want to give up your phone number, but you'll give up a *fingerprint* instead? 🤔
Many Discord servers are restricted to phone-verified users, too. These large platforms don't seem to realize that *not everyone has a personal phone number*. Having phone service is expensive, especially since phone-verification systems do their absolute best to screen out anyone using a free or cheap VoIP alternative (like Google Voice).
In Twitch's case, using SMS for 2FA also makes SIM swapping attacks viable as part of taking over popular streamers' accounts… in addition to the issues with (optionally) requiring phone verification just to participate in chats.
-
DaftMav commented
I'm one of those who will not give my phone number to Twitch. Now some streamers have their chat restricted to verified-by-phone-only (probably to reduce bots and weirdos spamming) but that means I can't ever participate in their chat unless I give up my phone number.
I think that system is very restrictive and is also tied to this 2FA issue as well. Please at least for 2FA find a different way than demanding a phone number, and then maybe also implement this as a better way to "verify" without a phone number. Perhaps a one-time fingerprint verification through the Twitch app could work as one of several options.
-
Astro_Alphard commented
Phone based 2FA doesn't work for all users. For example I need to have multiple emergency numbers on speed dial. Due to the nature of work on a safety team the 1 second that a phone will take for password authentication could be the difference between life and death for me or my team. It was the difference between life and death for another team. As such my phone isn't password protected and routinely gets hacked, I don't keep any sensitive information on it and routinely factory reset it so I'm not too concerned. Any sensitive info I have is ALWAYS on my home computer in a secure drive under multiple layers of encryption, or just stored in my mind. Using phone based 2FA is just begging to have my account hacked.
-
RandomRed38 commented
I'm watching PirateSoftware stream, and he says this method is ****, and I trust him more than he trusts your 2FA
-
its_numpty commented
I work in banking fraud prevention and I cannot state enough how insecure SMS 2FA is. So glad this is being proposed and I truly hope changes come through. Twitch is a way of life for many creators and the potential risk associated with SMS 2FA is troubling.
-
PirateSoftware commented
As a security professional with 20 years of experience it's disturbing to see that SMS 2FA is being required in this setting. As streamers we are very high value targets and more vulnerable to SIM swapping. Our major donators are in a similar situation and this doesn't help them either. It's time to do away with SMS 2FA as a requirement for other forms of 2FA.
-
andOlga commented
Not only is the SMS "backup" option *still* impossible to turn off, which makes any app you add worthless -- an attacker can just choose to use the SMS option... but now they have also linked the password reset flow to the phone number as well! Here is a very simple attack scenario that requires NOTHING other than having access to my phone number:
- An attacker somehow intercepts texts sent to my phone number. There are tons of ways to do it, "SIM jacking" being by far the simplest. I won't go into an overly long explanation here; your security staff should know what that is.
- They plug this phone number into the password reset flow and choose "I don't know my username".
- They get the username, and now go back into the password reset flow and choose to reset the password using the phone number. By the way: the password reset flow completely bypasses 2FA! It doesn't ask for the code.
- The attacker navigates to the login flow and chooses to use the SMS option instead of the app.
- Now they can log into my account using the password that they've just reset and the 2FA code that is sent to the VERY SAME phone number that was used to reset the password in the first place.
By forcing the SMS options to be on for both password reset and 2FA (if it is enabled) you have created an incredibly vulnerable service, and anyone who does enable 2FA or verify the phone number is effectively on a ticking time bomb until their account gets hijacked -- once they grow large enough.
Now, you *do* have a proper 2FA option: the e-mail one, which is on by default. Assuming my e-mail account is properly secured (which it is!), there are zero issues with the e-mail 2FA flow itself. However, there are two issues that surround it:
1. The e-mail 2FA is not only presented as "less secure" than the phone-based flow, it's actually not even mentioned as an option (even though, again, it's just on by default).
2. Certain Twitch features (e.g. chatting in specific channels, Stream Together or access to the dev portal) are locked behind phone verification, which forcibly exposes the password-reset vulnerability I have described above.
You must give users an option to disable phone-based password reset and 2FA flows if you really wish for accounts to be secure. Asking for a phone number for additional verification is in itself not the main issue here -- the issue is forcibly making the account more vulnerable when it is added.
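The scenario in the comment above comes down to one property: a single channel (the phone number) can both reset the password and satisfy the second factor, so compromising that channel alone yields a login. The following is an added example, not Twitch's code or anything from this thread, that models an account's reset and 2FA policy abstractly and reports which channels are single points of takeover. The channel names ("sms", "email", "totp") and the three policies are constructed for illustration; it also shows, going beyond the comment, that putting a 2FA prompt in front of the reset flow does not help while SMS is still an accepted factor, whereas removing SMS as a factor does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountPolicy:
    """Which channels an account accepts for password reset and as the second factor at login.

    Constructed model for illustration; not a description of any real service's internals.
    """
    reset_channels: frozenset          # channels that can complete a password reset
    mfa_methods: frozenset             # methods accepted as the second factor at login (empty = no 2FA)
    reset_requires_mfa: bool = False   # does the reset flow itself demand a second factor?


def single_channel_takeovers(policy: AccountPolicy) -> frozenset:
    """Channels whose compromise alone gives an attacker a working login.

    An attacker controlling channel `ch` succeeds when
      1. `ch` can drive a password reset, and the reset either skips 2FA or
         accepts `ch` as the factor; and
      2. login 2FA is either off, or accepts `ch` as the factor.
    """
    weak = set()
    for ch in policy.reset_channels:
        reset_ok = (not policy.reset_requires_mfa) or ch in policy.mfa_methods
        login_ok = (not policy.mfa_methods) or ch in policy.mfa_methods
        if reset_ok and login_ok:
            weak.add(ch)
    return frozenset(weak)


def is_hardened(policy: AccountPolicy) -> bool:
    """True when no single channel can take the account over on its own."""
    return not single_channel_takeovers(policy)


# Constructed policies mirroring the comment: phone number drives the reset,
# TOTP app is enrolled, but the SMS fallback cannot be turned off.
AS_DESCRIBED = AccountPolicy(
    reset_channels=frozenset({"sms"}),
    mfa_methods=frozenset({"totp", "sms"}),
)

# Hardened variant: SMS is no longer an accepted second factor. It can still
# reset the password, but the attacker then cannot produce the TOTP code.
SMS_FALLBACK_REMOVED = AccountPolicy(
    reset_channels=frozenset({"sms"}),
    mfa_methods=frozenset({"totp"}),
)

# Tempting but insufficient fix: demand a second factor during reset while
# SMS remains an accepted factor. The phone channel still satisfies both steps.
RESET_BEHIND_MFA = AccountPolicy(
    reset_channels=frozenset({"sms", "email"}),
    mfa_methods=frozenset({"totp", "sms"}),
    reset_requires_mfa=True,
)


if __name__ == "__main__":
    for name, pol in [("as described", AS_DESCRIBED),
                      ("sms fallback removed", SMS_FALLBACK_REMOVED),
                      ("reset behind mfa", RESET_BEHIND_MFA)]:
        print(f"{name:22s} single-channel takeovers: {sorted(single_channel_takeovers(pol))}")
```

The model treats a channel as "compromised" in the sense the comment uses (messages to it can be read), and it says nothing about how that happens; its value is in showing that the hardening lever is the set of accepted second factors, not an extra prompt in the reset flow.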
-
noobtf2 commented
I wanted to enable 2FA on my account but it asked for a phone number. Sorry, no.
-
SmoothTaggster commented
We can't let people like myself not be able to protect ourselves with 2FA because a bunch of people can't afford cellular, myself included, as previously stated. Also, you could supplement phone-verified chat mode with a two-factor-authentication-enabled mode, which allows both users and people who can't afford cellular to use all chats and still help against raids and chat issues.
-
darknase commented
Giving out a phone number to get 2FA (or in general) is a no-no.
Aside from that, SMS-TAN has been considered broken since at least 2016 by NIST [1], going back to 2005 [2].
From [1]:
"Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service."
It's a GDPR privacy concern, you DO NOT NEED to know a phone number to authenticate a person.
You already have a way to communicate: send a one-time code via email. But even that isn't required, because setting up 2FA is easily done via a scannable QR code that's issued for the user once - i.e. changes on repeat - when the user enables 2FA on a dedicated page - i.e. not a constant part of the user profile.
You don't like the email OTP solution because of interception or plain text? Well, then set up a public PGP key dedicated to the 2FA setup, freely available on your site and on a PGP key server. You can still do a challenge-answer implementation before accepting the user's public key into your system.
[1] https://pages.nist.gov/800-63-3/sp800-63b.html
[2] https://www.schneier.com/crypto-gram/archives/2005/0515.html#16
"Comments from Readers" - "Subject: Two-Channel Authentication with Cell Phones and SMS"
-
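The enrolment the comment above describes, a per-user secret issued once and shown as a QR code, needs no phone number at all. As an added example (not Twitch's code and not from any commenter here) the following implements that flow end to end in Python's standard library: generate a fresh base32 seed, build the otpauth:// URI that an authenticator app scans, compute RFC 6238 TOTP codes, and verify a submitted code with a small clock-drift window and replay protection. The issuer name "ExampleService" and the account name used in the demo are assumed placeholders; the RFC 6238 test secret is included so the arithmetic can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 6238 Appendix B uses the 20-byte ASCII seed "12345678901234567890" for SHA-1.
RFC6238_SHA1_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes=20):
    """Fresh random TOTP seed, base32 without padding (what otpauth payloads carry)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32, account, issuer="ExampleService"):
    """The otpauth:// URI that gets rendered as the enrolment QR code (issuer is a placeholder)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def _hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP for the time step containing Unix time `at` (now, if None)."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    t = int(time.time()) if at is None else int(at)
    return _hotp(key, t // period, digits)


def verify_totp(secret_b32, code, at=None, window=1, last_used_step=None):
    """Accept `code` if it matches the current 30 s step or one within +/-`window` steps.

    Returns the matched step so the caller can persist it; a step at or before
    `last_used_step` is refused, which stops a captured code from being replayed.
    Comparison is constant-time so partial matches leak nothing.
    """
    t = int(time.time()) if at is None else int(at)
    step = t // 30
    for drift in range(-window, window + 1):
        candidate = step + drift
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, at=candidate * 30), code):
            return candidate
    return None


def begin_enrolment(account):
    """Server side of 'enable 2FA': mint a seed and the QR payload; nothing else is collected."""
    secret = generate_secret()
    return secret, otpauth_uri(secret, account)


def confirm_enrolment(secret, first_code, at=None):
    """Activate the factor only once the user proves their app was seeded correctly."""
    return verify_totp(secret, first_code, at=at) is not None


if __name__ == "__main__":
    seed, uri = begin_enrolment("alice@example.invalid")   # constructed account name
    print("scan this:", uri)
    print("enrolment confirmed:", confirm_enrolment(seed, totp(seed)))
```

Store the seed encrypted at rest and the last accepted step per user; the seed is shown exactly once at enrolment and re-enabling 2FA should mint a new one, which is the "changes on repeat" behaviour the comment asks for.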
Impennis commented
Come on Twitch. Stop collecting unnecessary user data!
Everyone before me who stated requiring SMS validation for setting up 2FA TOTP is horse dung is 110% right.
Especially since you keep nagging users to secure their accounts, which I'm absolutely willing to do, you should make it as painless as possible. That means not bothering users for their private phone number. For my part you will not get it. TOTP, WebAuthn or nothing.
It's unbelievable that a company as big as Twitch, right in the middle of big tech, fails to understand the basic privacy and security concerns of its users.
-
Yang05051 commented
Strongly agree with you! SMS is only an option, not a requirement.
-
YoshiRulz commented
Almost 2 years and no change. WebAuthn is the way, and a company as big as Amazon should be offering it everywhere.
-
kevinsky86 commented
Requiring a phone number to set up a TOTP app makes no sense. Stop this.
SMS verification has been frowned upon for many years now in security circles and should be completely disabled.
TOTP two factor verification is something you should just be able to enable without giving Twitch any additional information.