
Let's play the 2FA games: Twitch

How I got 2FA working on Twitch, why I did it, and the story of just how much of a disaster it was.

May 18, 2024


For quite a while now I’ve wanted to experiment with the Twitch API (more specifically OAuth2 and IRC), but it doesn’t allow users without 2FA enabled to create anything in the developer dashboard.

Meanwhile, I’ve also wanted to do a series of posts about fighting garbage 2FA implementations.

And now’s the time. Let’s have some fun, shall we?

Setup

SMS

To start, Twitch requires that you have a mobile phone, which is incredibly stupid since not everyone has one. I didn’t even have one until recently, and even now I don’t like using it - I just prefer desktop Linux.

Also, keep in mind that NIST has deprecated SMS for 2FA since 2016. It has been known to be a security disaster for almost a decade now. Yet Twitch still uses it. Strike 1.

But wait, there’s more!

On the setup modal, it shows this:

Enter the mobile number for a device you trust. We will text you a 7-digit security code to verify your phone.

Hmm… “a device you trust”? Yeah, suuuure.

They’re acting as if a phone number is guaranteed to correspond to one person until they choose to get rid of that number, despite the fact that SIM swap attacks exist and are increasingly common. Strike 2.

TOTP

This is where things get even worse. They have a way to enable TOTP, which is much better than SMS for 2FA, but they have a really bad implementation of it.

When setting up SMS-based 2FA, it will ask if you want to set up TOTP, which they refer to as an “Authenticator App” - but it just goes downhill from there.

To start, you’ll need to scan a QR code. What if you don’t have a camera and/or authenticator app which supports QR codes? Umm… yeah… looks like they didn’t quite think that one through.

Luckily, there’s a tool for that - zbarimg! With zbarimg, you can just run a Linux command that prints the text encoded in an input image, assuming it contains a valid QR code.

Running it on a Twitch TOTP QR code will give you something like this:

QR-Code:otpauth://totp/Twitch?secret=[SECRET KEY]&issuer=Twitch

Now, I opened up KeePassXC, right-clicked on the Twitch entry, and then went to TOTP -> Set up TOTP...

Then I copy-pasted the secret key from the QR code. After right-clicking on the entry again, going to TOTP -> Show TOTP, and typing that code into the Twitch UI to confirm… it actually worked!
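For anyone curious what KeePassXC is actually doing with that pasted secret, here is an added example (not from the original post) that parses an otpauth:// URI of the same shape zbarimg printed and computes the code per RFC 6238 with the defaults the Twitch URI implies (SHA-1, six digits, 30-second steps). The secret in the URI is the RFC 6238 test seed, constructed for the example, not a real Twitch secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example: same shape as the URI zbarimg printed, but the secret
# is the RFC 6238 test seed ("12345678901234567890" in base32), not a real key.
EXAMPLE_URI = "otpauth://totp/Twitch?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Twitch"


def parse_otpauth(uri):
    """Pull the TOTP parameters out of an otpauth:// URI, applying the
    RFC 6238 defaults (SHA-1, 6 digits, 30 s) for anything omitted."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"].upper().replace(" ", ""),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, mod 10^digits."""
    # base32 decoding needs the input padded to a multiple of 8 characters
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(params, candidate, timestamp=None, drift_steps=1):
    """Server-side check tolerating +/- drift_steps of clock skew (constant-time compare)."""
    now = int(time.time()) if timestamp is None else int(timestamp)
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(params["secret"], now + step * params["period"],
                        params["digits"], params["period"], params["algorithm"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False
```

With the test seed, `totp(..., 59)` yields 287082, matching the six low digits of the RFC 6238 Appendix B vector for that time.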

But… uhh… there’s a problem.

See, when you set it up, it says this:

Next time you log in, you’ll need your authenticator app, or a unique code will be sent to your mobile phone.

If you lose access to your authenticator app, you can request a SMS code to log in.

Let me explain this. This means that you can use TOTP or SMS. This does absolutely NOTHING to stop SIM swap attacks. It only makes it possible to log in when you don’t have physical access to your phone. Strike 3.

Further reading

Results

Does their 2FA implementation improve security by default? NO!
Can their 2FA implementation improve security? NO!
Does their 2FA implementation support FIDO2? NO!