1 comment

[ 5.8 ms ] story [ 11.9 ms ] thread
Ran into this problem when trying to update my passwords. I figured I might as well try to turn on 2FA while I was at it, but was unable to do so. Confirmed with their FAQ that this is apparently intentional.

For... somewhat obvious reasons, I don't feel safe giving Twitch my phone number.

Security professionals have long advised that SMS should not be treated like a secure protocol. In 2021, that advice still hasn't changed: (https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...)

Not only does SMS not provide security for 2FA, as Twitch has demonstrated it also opens new security risks for users' personal data. It is arguably bad practice to offer 2FA over SMS at all, but requiring it is actively harmful; it tricks users into putting themselves into vulnerable positions because they think it will make them more secure, and it slows 2FA for security-conscious users, adding a caveat to the general advice that 2FA is secure. This harms messaging efforts around 2FA.

And in Twitch's case, it's just kind of embarrassing right now. Twitch's leak provides an object lesson about why mandatory 2FA over SMS is harmful, and why responsible companies don't use account security as an excuse to extract personal information from their users.

There is no excuse at this point for companies to keep sticking their heads in the sand and pretending that there's anything acceptable about SMS-based authentication.