Tell HN: Twitter does not require 2FA to disable 2FA

4 points by mikekoscinski 5 years ago | 3 comments

Basically what the title says. Navigate to account/settings/security/2FA. You can disable 2FA without needing to authenticate (via 2FA) first.

I've never experienced this with any service that supports 2FA. All other 2FA services that I've ever used will not allow users to disable 2FA without first proving identity via 2FA.

(I recognize that 2FA is fallible. I am not arguing that it is perfect. But, if you're going enable 2FA auth, you should try to do it correctly.)

mikekoscinski 5 years ago |

Edit: This is shockingly the case with Google as well. Every other major service provider seems to require re-authentication prior to disabling 2FA.

Dahoon 5 years ago |

So you log in with 2fa and then remove 2fa? Can't test as I don't use SoMe outside HN.

mikekoscinski 5 years ago | |

Correct. Perhaps I'm being pedantic but my past experience has been to log in via 2FA, update settings to disable 2FA, then authenticate via 2FA one final time before it is finally turned off. This has held true across many services.