Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIPs. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
-
ogaboogawakanda commented
Streamer and mod both confirm that verified-accounts-only chat is turned off, but the "A verified phone number is required to chat in this channel. Please verify your phone number in Security & Privacy in Settings" message appears anyway and won't let me chat.
https://clips.twitch.tv/TenderRefinedPorcupinePeoplesChamp-RyFXXkfg_0UZlxdh
-
illixion_ commented
Ironically, keeping 2FA disabled on Twitch is more secure, as you are forced to use email login codes instead, and my email provider doesn't force SMS 2FA. I set up TOTP with no SMS 2FA on all of the services that I use due to SIM swapping, and Twitch is the only website besides my bank that enforces SMS 2FA. Take note of how sites like Twitter handled this issue and consider removing this dangerous restriction.
-
ogaboogawakanda commented
Streamer confirms it’s turned off live on stream: https://clips.twitch.tv/CallousObliqueRamenHeyGuys-44Sj4TZaUOMp5pFd
But Twitch decides to force it anyway. Screenshot proof:
https://files.catbox.moe/akalkn.png
-
PrettzL commented
This.
It's obviously a bug caused by something done in the back end as it has not occurred for everyone but only to some accounts.
There are several new throwaway accounts I've made that do not have this issue at all, and if it were applied to everyone it would definitely show that it was intentionally done.
-
PDogJunior commented
My account is 8 years old and I have lost the ability to chat in pretty much every single stream across Twitch. You should leave it up to the individual streamer whether or not to enable phone verification. This isn't right as many of us are now effectively banned site-wide.
-
SneakySpike commented
Don't lock my account behind VERIFIED ACCOUNT ONLY CHAT. You try to scam people to get their phone numbers.
-
puddingpuppy commented
This is extremely user hostile and an invasion of privacy for Twitch to suddenly do this to a bunch of people's accounts. If I can't chat anymore I will cancel my subs and might as well just watch Youtube.
-
argobargsoup commented
This also badly affects users who may not actually have a mobile phone number.
-
CraigB63 commented
The Twitch experiment setting my entire account to require a verified phone number is flawed. Phones are not secure. I lost my Microsoft account because auth was sent to a phone, so I don't trust it now. Some streamers set it, most don't. Don't force false security on us.
-
KiffJRocka commented
I also never give out my phone number and never needed to; they just ask for it on certain channels where the streamer turns on the option to verify a phone number before using their chat. I don't care about chatting, because viewers are just a number and streamers don't look at the names of the people saying things. Besides Twitch, I never use any website asking for a phone number; they just want to sell your number to hundreds of companies. The internet and companies like Twitch and Amazon are disgusting and destroying privacy. Our grandkids will never learn the word "privacy," as it won't exist in any form anymore, while in the meantime all governments have leaders aged 70 who have no clue about technology, so laws are coming in very late.
-
budgetteen commented
This is not a good idea, as the OP mentioned. You should provide 2FA with TOTP without a phone number. What is the reason you have to ask for my phone number?
-
Miszka commented
Agreed. I don't even get the reasons for requiring a phone number to set up a 2FA method that does not even depend on it (TOTP).
-
windsunh2o commented
Yup, thanks to all my fellow Republic Wireless users here who helped me confirm why I cannot verify my Twitch account. Guess I'm currently SOL.
-
SuperSmoofer commented
I absolutely agree! My phone has been deactivated and I can't afford to reactivate it, even temporarily. This means that even though I can apply for Twitch Affiliate, I can't get past the 2FA at all because of the phone number requirement.
-
chucklefuffle commented
Why am I given the option to create an account without using a phone number, only to find later that a phone number is mandatory in order to do most things on this technological abomination of a website? It makes me really not want to give you that information, simply because you're willing to be deceptive to get it. Frankly, I don't believe you people couldn't get that information within half a day anyway, so why make me jump through all of these unnecessary hoops?
-
paradeoflaughter commented
Another Republic Wireless user over here who now can't chat in some streams because Twitch won't let me verify my account. More and more of the streamers I follow are implementing this and it's really frustrating when I can't interact. Please give us an alternative method.
-
wilde_oscar commented
Everyone here is absolutely correct, and we're getting shafted for having Republic Wireless.
-
Crymscar commented
Rather than requiring text messaging on a cell phone to verify accounts (which are already verified by email), have an option for landlines as well. I am currently locked out of being able to chat in some streamers' chats because I can't verify with a cell phone: I can't afford a cell phone and I have a landline. Many people don't have cell phones because they can't afford them, and to lock us out of chat simply because we can't afford to spend hundreds of dollars on a cell phone just isn't fair. Banks have a method to call whatever phone number you supply and give you a code to put in on the website, as an option for when texting isn't possible. Why can't Twitch do that? As it is, requiring verification of an account in good standing by two different methods is overkill anyway.
-
rubbertoebooks commented
I can't stream on PC now thanks to Twitch's recent hack scandal that made OBS disconnect from Twitch automatically, so I ran into an issue where I couldn't reconnect OBS to Twitch: when I try to log in I'm prompted for the 2FA token, which I cannot receive because my phone is currently disconnected, and I can't use the Authy app because I also need a 2FA code sent through SMS to activate that :)
-
BryBreadmin commented
This^
I have an alternate carrier that Twitch doesn't consider legitimate. This is a huge roadblock for me to use the Twitch API.