Stop requiring a phone number to set up 2FA.
First of all, good job on implementing non-Authy, non-SMS 2FA!
That being said, there's still a major hole in your 2FA implementation, and that's requiring a user to set up SMS authentication before they can set up other forms of 2FA. Unless I've missed something huge, whenever I try to set up 2FA on Twitch, I get directed to put in my phone number first. There's no prompt I can use to skip this step.
This is completely counter to how a lot of other sites do 2FA, where SMS authentication is an option, not a requirement. You can completely ignore SMS authentication and just use a standard TOTP code to set up Google Authenticator, etc. I would like to see Twitch adopt this practice as well: instead of requiring us to put in our phone number first, please just give us a list of 2FA options and let us pick a method without requiring the others. Or at least give us the option to set up SMS, set up an alternate 2FA method, and then remove SMS afterwards.
Not requiring SMS is important for several reasons:
It's one of the most insecure forms of 2FA. Relatively speaking, it's significantly easier to intercept an SMS or gain control of someone's number than it is to crack a TOTP token. (See this article for examples: https://arstechnica.com/information-technology/2018/08/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad/) Requiring SMS means that everyone's account now has that "weakest link," even if they use a TOTP app.
Not everyone is comfortable giving their phone number to Twitch. Phone numbers are used for all sorts of things these days, including sensitive accounts. Some people just might maintain a strict online/offline life separation, and are wary of their phone number being leaked. Even if Twitch never intentionally reveals SMS authentication numbers to the public, hacks can and do happen.
Not everyone has a phone, or has a phone capable of receiving text messages, or a permanent phone number, or a phone that's recognized by Twitch as legitimate... Some people are still on a landline for financial reasons. Some people are using small, alternative carriers like Republic Wireless or Google Fi, which get flagged as VoIP. (Which Twitch does not allow for SMS authentication, despite those numbers being able to receive text messages.) The possibilities go on and on.
I'm sure there are many other reasons why requiring SMS authentication is a bad idea. I'm not asking for it to be removed entirely, but we should at least have the option of NOT using it.
Thanks for reading, and do correct me if this option already exists and I somehow missed it.
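As an added example (not code from the original post, and not Twitch's implementation), here is what an SMS-free TOTP enrolment looks like on the server side using only Python's standard library: generate a seed, hand it to the authenticator app as an otpauth:// URI, verify codes with a small clock-skew window and replay protection, and issue one-time backup codes for recovery. No phone number is involved at any step. The issuer and account names are placeholders, the backup-code storage is an illustrative in-memory set, and the test seed is the RFC 4226/6238 reference key so the expected codes can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random TOTP seed, base32-encoded (the form authenticator apps accept)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that becomes the enrolment QR code. It carries no phone number."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32: str, code: str, at_time: int, last_counter: int,
                step: int = 30, window: int = 1):
    """Accept the code for the current step or +/- `window` steps of clock skew.

    Returns (ok, counter). Any counter <= last_counter is refused so a code that was
    already used (or an older one captured in transit) cannot be replayed.
    """
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison: a timing leak on the digits would let an attacker
        # narrow the 10**6 code space.
        if hmac.compare_digest(hotp(secret_b32, counter).encode(), code.strip().encode()):
            return True, counter
    return False, last_counter


def generate_backup_codes(n: int = 8):
    """One-time recovery codes: shown to the user once, only their hashes are stored."""
    plain = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each (constructed here)
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    """Consume a backup code: valid only if its hash is present, then removed so it cannot be reused."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False


if __name__ == "__main__":
    # Enrolment flow for a hypothetical account; no SMS step anywhere.
    secret = generate_secret()
    print("Scan this in your authenticator app:", provisioning_uri(secret, "alice", "ExampleSite"))
    codes, vault = generate_backup_codes()
    print("Save these backup codes:", " ".join(codes))
    now = int(time.time())
    ok, last = verify_totp(secret, totp(secret, now), now, last_counter=0)
    print("first code accepted:", ok, "| replay accepted:",
          verify_totp(secret, totp(secret, now), now, last_counter=last)[0])
    print("backup code works once:", redeem_backup_code(vault, codes[0]),
          redeem_backup_code(vault, codes[0]))
```

The server stores the base32 seed (encrypted at rest), the last accepted counter, and the backup-code hashes; removing SMS as a recovery path means the backup codes are the only fallback, which is why they must be shown once and consumed on use.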
-
xxlooped_melodyxx commented
I want to speak in chat with my favorite streamer and I can't because I don't have a phone, therefore no phone verification.
-
nerdinbr commented
This. 1,000,000x this. A phone number should NOT be required. Let us just have that and download our backup codes. Done and done. This is just an information grab and is disgusting.
-
LordMulgar commented
Hello, Twitch? Since you won't allow my Republic Wireless number, the same phone number I have had for 20 years, let us use an authenticator app. Perhaps hire a better security team too. You have so much egg on your face right now.
-
senortres commented
With today's news it's probably a good idea to revisit this, Twitch. Way more people have no access to a non-VOIP SMS-capable number than "would seem".
-
68267a commented
Things like this are a clear indicator of management making decisions they do not understand (or worse they do understand it and are selling our data), and it has been extremely effective at keeping me off the platform entirely.
2FA with zero SMS requirement, or nothing.
-
AccelToWin commented
Wait, Twitch doesn't allow the use of Google Voice for 2FA? That makes sense now.
-
Stunseed commented
I lost my phone and needed to make a new Authy account. I don't know my old number, but I do know my email address. So I changed the number and hooked it up to my email address, thinking everything was fine. When I go to Twitch to try to change the place it sends Authy codes for verification, it wants to go straight to an SMS number on the other phone I don't have.
Also, when it tells me to connect a new account (Twitch) using the Authy app,
all it does is tell me to scan a QR code or use the code given to me. I didn't receive either of these things. Now I'm stuck with 2FA enabled and nothing I can do about it. There's gotta be a way to just get an email to undo this mess.
-
factualspin commented
Vote for the similar suggestion with the most votes: https://twitch.uservoice.com/forums/310228-account-management-e-g-login-connections-pass/suggestions/11498085-google-authentication-for-2-factor-authentication
-
letmeseeyourcakeface commented
This. There are plenty of people who don't have a phone or cannot install Authy for some reason or other. Twitch's own advice is to use Authy when "abroad" rather than SMS. If someone cannot install or use Authy, then they have no way to secure their account with 2FA.
-
Joe commented
The need to use other time-based 2FA without the need for an SMS-capable phone. Many sites now use 2FA, and building it around a single platform doesn't make sense.
Please use an open system.