Security as serious blocking issues

Hello,

This post is for Twitch developers.

I am currently a dev and a member of the stream team at the Futurolan association.
We organize several LANs. Our biggest event is the Gamers Assembly (it's also the biggest French event).
Link to the last Gamers Assembly: https://ga2019.gamers-assembly.net/

What is our issue:

  • We want to create an application in order to retrieve analytics data, create an auto on-live module for our website and also a bunch of bots for chat, etc. All of this is starting to be necessary for us.

  • We want to use the API, but it needs us to have two factor enabled and WE WILL NEVER ACTIVATE IT for several reasons:

  • OUR STAFF CHANGES (during the year, between events, during events)

  • OUR IP ADDRESS CHANGES (between events, during events) and we deploy our app on a server with a temporary public IP during our events.

  • SOME PEOPLE ON OUR STAFF DON'T HAVE A MOBILE PHONE (yes, that still exists)

So all these facts make it impossible for us to use a phone as security verification stuff.

What is the best solution for us:

  • add a way to verify with email, so we can use the alias for our team to send the verification code
  • remove two factor as a requirement for adding an app. <-- best solution

Maybe I missed something in the documentation, so feel free to tell me RTFM with the appropriate link.

Sorry for my poor English; feel free to ask if you don't understand something.

You don’t need 2FA to use the Twitch API. I also don’t see why you would ever need all your staff to have mobile phones or do 2FA themselves anyway?

You need 2FA to stream, that’s not going to change as it’s an important security measure. You just need to enable 2FA, and then once you have the stream key, and gone through the OAuth process for your app, you can do almost anything you’ll need to through the API using the OAuth token, and you’ll have the stream key so any of your staff can stream using that stream key, from any location/IP, without needing 2FA themselves.

You don’t need 2FA to use the Twitch API.

Are you sure? Because when I try to add an app in the console like it says in the documentation, I get an error message that says: You must have two factor enabled to manage applications.

from :
https://dev.twitch.tv/console/apps/create

The fact is, every time I see 2FA, when you try to connect from somewhere a PIN is sent to the phone. Maybe I'm wrong. But it's not only about the API but also about allowing connection to the Twitch account without the need for a phone. And we will not add one, because Twitch can change the way it works at any moment and we can't risk being locked out during an event. The risk is too high.

You just need 1 person with 2FA to create the app you need, and get your stream key, those can be used by any of your staff even without 2FA.

It’s also worth mentioning that as an event engineer myself, working large esports events, every company I have worked with accepts 2FA as a sensible security measure for stream production, and the potential risks of not using 2FA far outweigh any hassle there may be to use it, so every proper organisation works with it.

If you’re still not willing for you or any of your staff to enable 2FA it means you are welcome to continue using Twitch as a viewer, but you will not be able to stream on this platform or create apps with an insecure account.

2FA as security product, nice job.

This topic can be closed.