2-Step Authorization at Login Feature

pepper2875

Wouldn't chess.com know about what would happen if this website got hacked successfully?

pepper2875

We really need Erik to think about this again.

Boone2023

EgilMok

I just received an email from chess.com stating that a suspicious login has been detected. I wanted to enable 2FA and found this thread.

I understand you are concerned about the extra support this feature would cost you? That probably can't be avoided, but it can be mitigated.

If you implement TOTP, there are a variety of applications for all types of platforms. We wouldn't be limited to our phones and could set it up on multiple devices.

Secondly, you can generate backup codes to serve as a fallback in case a user loses their device - I suppose that would also reduce the need for support.

Thanks for reading.

Caleb341

There is no reason Lichess can have this and Chess.com can’t. Lichess operates for free - Chess.com’s earnings are millions more. This needs to be rethought.

pepper2875

Also, how come Lichess has analysis for crazyhouse, king of the hill, etc.?

MooseBoys

There are dozens of TOTP solutions that are literally free. For a site with over $100M in annual revenue, the lack of any form of MFA is inexcusable. You should be supporting TOTP, security keys, and passkeys. Maybe even SMS for paid users.

UrShulgi

It is ridiculous that the most popular site for chess players doesn't have any form of 2FA, either by phone, email or TOTP. I recently started my account on trial for platinum but I will consider cancelling it and moving to lichess.org.

pepper2875

How about we use something like Character.AI's approach - get rid of the password, and when you type your email/username, then it sends an email to your email for you to log in

erik

We are currently working on suspicious login detection and emailed/phone codes!

Dleli

Something weird happened to my account, and I want to have 2-factor auth. Is this really not yet a feature here? In 2024?

SecondThing

In 2025, this should be a standard feature to any account.

comma_tose
erik wrote:

We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work.

Hi, with all due respect, there are a few reasons why this could be a good idea.

For starters, phone numbers and billing information are, in fact, personal information. A phone number can be used to find a home address and name, which would be bad. Billing information would give you access to someone's bank account, which would also be problematic.

Using a phone as a security key isn't the only option. You could also be texted or emailed a code that would be entered to log in after entering your password, and authenticator apps are also an option. I also believe external hardware keys, such as those created by Yubico, would be supported.

Finally, there is one way to ensure people can't lose access to their account, specifically, providing backup codes. Even if someone loses all other 2FA options, backup codes could still be used to log in if someone loses all other methods. @jdcannon said that it's required for staff, which means that it is supported, just not available for all accounts.

Martin_Stahl

Yes, it's required for staff and moderator accounts, which is easier to support than it would be for potentially millions of accounts that might set up the feature if it was available.

As to banking details and phone numbers (or email addresses for that matter), that's not visible from an account. Potentially gifting could happen, if an account was compromised.

comma_tose
Martin_Stahl wrote:

Yes, it's required for staff and moderator accounts, which is easier to support than it would be for potentially millions of accounts that might set up the feature if it was available.

As to banking details and phone numbers (or email addresses for that matter), that's not visible from an account. Potentially gifting could happen, if an account was compromised.

Phone numbers and banking details being hidden is nice, ty

As for millions of accounts using it, I don't think it would be that chaotic, Discord and Roblox pulled it off just fine. Worst case scenario, the servers crash once or twice, and it's removed, or, please don't hate me for this, it's a premium only feature, which would suck, but arguably it's more important for premium accounts as they, well, have physical money on their account.

Suspicious login detection could also be configured to something similar to Discord where a suspicious login requires you to verify via email.

prnykhtr

This is such a lazy take. Security should be a priority in this day and age. This feature is not hard to implement. Choosing not to implement is just lazy. No other excuse is valid.

user19203

Please implement this. It's easier and more secure. There's no legit reason not to do it.

MooseBoys
Martin_Stahl wrote:

Yes, it's required for staff and moderator accounts, which is easier to support than it would be for potentially millions of accounts that might set up the feature if it was available.

As to banking details and phone numbers (or email addresses for that matter), that's not visible from an account. Potentially gifting could happen, if an account was compromised.

No legitimate MFA solution becomes more complicated with more users. There is a fixed cost to the initial implementation (which apparently has already been done) followed by virtually zero scaling. I can only conclude at least one of the following to be true:

1. The MFA solution only supports SMS codes, and the finance people aren't willing to pay the one cent per SMS usage cost.
2. The MFA solution isn't a legitimate one but is rather a bespoke system that requires some kind of manual admin setup and whose complexity scales linearly with the number of users.
3. Someone doesn't understand what they're talking about.

Martin_Stahl
MooseBoys wrote:

No legitimate MFA solution becomes more complicated with more users. There is a fixed cost to the initial implementation (which apparently has already been done) followed by virtually zero scaling. I can only conclude at least one of the following to be true:

1. The MFA solution only supports SMS codes, and the finance people aren't willing to pay the one cent per SMS usage cost.
2. The MFA solution isn't a legitimate one but is rather a bespoke system that requires some kind of manual admin setup and whose complexity scales linearly with the number of users.
3. Someone doesn't understand what they're talking about.

Support needs scale with the number of members using such a feature. If there are incremental costs with the MFA provider, then costs also scale with more members using the feature.

That said, there is a system being worked on, but I don't know the full status for release at this point.