Settings and activity

2 results found

1. Stop requiring a phone number to set up 2FA.

   1,139 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   110 comments  ·  Account Management » Security and Privacy Settings  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   An error occurred while saving the comment
   alanblip commented  ·  January 10, 2024  ·  Edit…  ·  Delete…

   The Twitch FAQ for 2FA states: "When you set up Two-Factor Authentication on your account, an Authy account is automatically created for you even if you choose to actively use an alternative authentication app."

   Talk about insecure! Twilio, the owner of Authy, suffered a breach recently that exposed some user's Authy data. Twitch is forcing its 2FA users to have an unnecessary account at a 3rd party site that's known to have suffered data breaches. I closed my Authy account recently, and now Twitch wants to reopen it for me. Ridiculous!

   Requiring an Authy account "behind the scenes" is entirely unnecessary and reduces account security. It increases attack surface by putting my data on a website I have no control over and didn't agree to. Every other website I use where I've setup TOTP 2FA does so without requiring my phone number to create an Authy account for me. There is no sane reason for Twitch to do it this way.

   Save Submitting...
   alanblip supported this idea  ·  January 10, 2024

2. Open standard 2FA with QR codes

   337 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   21 comments  ·  Account Management » Security and Privacy Settings  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   alanblip supported this idea  ·  January 10, 2024
   An error occurred while saving the comment
   alanblip commented  ·  January 10, 2024  ·  Edit…  ·  Delete…

   I recently deleted my Authy account due to the recent security breach at Twilio (owner of Authy) that compromised some Authy accounts, their recent removal of backup features I relied on, and their lack of transparency in not providing any way to export tokens.

   Now I'm trying to activate 2FA on Twitch, and I get an error verifying my phone number. Apparently it's because Twitch is attempting to create an Authy account with my phone number, but that account is in "Delete pending" state so it cannot be used.

   So I can't do 2FA on Twitch while my Authy account is being deleted. Then, Twitch will apparently recreate my Authy account WHICH I DO NOT WANT BECAUSE AUTHY LETS HACKERS TAKE OVER USER ACCOUNTS. (ok, that's a little bit of hyperbole, but Authy is untrustworthy to me).

   Please get rid of this ridiculous creation of an Authy account. I just setup TOTP 2FA on over a dozen accounts and none of them tried to create an Authy account for me. What is it about Twitch's technology that the others can do it right but Twitch can't?

   Save Submitting...