2FA is great. Until it goes wrong.

I have Two Factor Authentication on anything that will let me use it. But a recent issue has brought home to me that, as much as it helps protect me online, it can also cause problems that, quite simply, are impossible to resolve.

Let me explain.

For 2FA, I used to use Authy but, after locking myself out after changing phones, I switched to using a different app. Rather than keep an unused Authy account around, I asked them to delete it. I don’t use it, so no harm, right?

So, one of the sites I use 2FA on is Twitch. I’m not massively into streaming but I do occasionally indulge and have my own channel as a result. I’ve had a break from gaming for a few months so haven’t been using it but, last week, decided to go in and prepare for using it again.

I’d been signed out (no surprise) but, upon requesting my 2FA number, it wouldn’t accept whatever I supplied it with. My app was generating the code but Twitch wouldn’t accept it (it was fine when I set it up last year). Rather than use saved backup codes, Twitch sends an SMS to your phone. Except it didn’t turn up, no matter how many times I tried. I tried other SMS services and they worked just fine. Whatever I tried to do, I was unable to access my Twitch profile.

I contacted Twitch, who informed me that Authy run their 2FA service, and gave me a special code, unique to me, to provide to their customer support for assistance.

But Authy won’t help. They can’t explain why my codes won’t work and SMSs don’t turn up but say their recovery method is via my Authy account. It seems that, even if you don’t use Authy for your 2FA, when you set up 2FA on Twitch, they create one behind the scenes, connecting to any that you may already have. In my case, I’d had this account deleted, and that was my only method of recovery.

Twitch tell me to go to Authy. Authy are telling me they can’t help and that I should speak to Twitch.

To test a theory, I created a new Twitch account… it wouldn’t let me use my usual email, as it was already in use for another account, but did let me use my phone number. Which is odd. Now, I haven’t changed my phone number for… a long, long time. There is no way I set up that 2FA on my phone with any other number, so how could it be wrong (which is my assumption as to why Twitch is letting me use it and why SMSs aren’t turning up)? Of course, Twitch won’t tell me if the number is wrong for “security reasons”.

So, there we have it. I’ve totally lost access to the account and nobody is prepared to help me any further. It’s a good job I don’t do streaming seriously, otherwise this could be a massive blow. Please use 2FA but, equally, be careful.


