Ridiculous Twitch, or how I went 2FA with Authy

Today, my Twitch login process was one of the most ridiculous web interactions ever! As usual, Twitch sees every new browser session (cookies cleaned, no memory of the previously visited sites) as a “new device” and forces the user to provide a 6-digit code, to complement the user-password challenge. Unfortunately, those 6 digits came via email, and sloooowly, with a latency of minutes between the code request and the arrival of the corresponding email message. Maybe due to this latency, every time I entered the correct code, Twitch reacted as if I were writing the wrong number. Very frustrating.

At some stage, I finally succeeded and took the opportunity to change my Twitch security settings:
https://www.twitch.tv/settings/security

I decided to enable two-factor authentication (2FA), which means a second authentication challenge, after the user-password. First, I provided a phone number, which indeed got associated with the account, but future logins will require not an SMS sent to the phone number, but a code generated by the “Authy” app, Twilio’s (twilio.com) equivalent to “Google Authenticator”.

When I first started using 2FA, SMS seemed the best option: I controlled the number, and it required no extra app, so it was simpler, and that was – and is – something of great importance!
Unfortunately, as many are bound to find, sooner rather than later, SMS is now considerably less secure and more prone to failure than time-sensitive security apps. The top reasons SMS has failed me in the past were phone-network operator restrictions, temporary phone-network traffic issues, and/or other reasons strictly under the phone-network operator’s control: there were situations when I needed an SMS in 30 seconds, and it would never arrive that promptly. That was the day when I quit SMS for app-based 2FA. The data comes from an operator-agnostic network – the Internet.

Nowadays, SMS should be a second choice, relative to Authy and equivalents, not only because an app does not depend on one specific phone-operator network, but also because SMS is more vulnerable, with increasingly many documented SIM-card hijacking events.

Screenshots from the process:

- twitch_02_code_correct_but_not_accepted_02_768.jpg (correct code not accepted): https://arturmarques.com/wp/wp-content/uploads/2020/07/twitch_02_code_correct_but_not_accepted_02_768.jpg
- twitch_03_code_correct_and_accepted_768.jpg (correct code finally accepted): https://arturmarques.com/wp/wp-content/uploads/2020/07/twitch_03_code_correct_and_accepted_768.jpg
- twitch_04_2fa_about_to_be_enabled_768.jpg (2FA about to be enabled): https://arturmarques.com/wp/wp-content/uploads/2020/07/twitch_04_2fa_about_to_be_enabled_768.jpg
- twitch_05_2fa_on_768.jpg (2FA on): https://arturmarques.com/wp/wp-content/uploads/2020/07/twitch_05_2fa_on_768.jpg
