Chess.com MUST Implement 2-Factor Authentication

Avatar of crystal0192

In order for Chess.com users to keep their accounts secure, it is imperative that Chess.com implements an optional 2FA feature.

Avatar of justbefair

Chess.com CEO Erik has answered this previously back in 2021:

erik wrote (post #5, score -21):

We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work.

https://www.chess.com/clubs/forum/view/2-step-authorization-at-login-feature?comment=44799748

Why do you think it's so important?

Avatar of crystal0192

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.
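The design sketched in the post above (an opt-in second factor plus single-use recovery codes for the "new phone" case) is small enough to show end to end. The following is an added example, not Chess.com code and not code from the poster; it assumes a standard TOTP authenticator app (RFC 6238 over HMAC-SHA1, 6 digits, 30-second steps), and the `SecondFactor` class, its `enroll`/`verify` methods, the PBKDF2 stretching of recovery codes and the 8-code default are all hypothetical choices made here. Two details that a naive implementation gets wrong are included: a TOTP code is accepted only once (so a code captured in transit cannot be replayed within the drift window), and recovery codes are stored only as stretched hashes and deleted on use.

```python
"""Opt-in TOTP second factor with single-use recovery codes (added example, hypothetical)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6    # code length shown by authenticator apps
WINDOW = 1    # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Hypothetical per-account 2FA state. Nothing is enforced until the user enrolls,
    which is what makes the feature optional."""

    def __init__(self) -> None:
        self.totp_secret: bytes | None = None
        self.last_counter = -1                  # replay guard: each TOTP step is accepted once
        self.recovery_hashes: list[bytes] = []  # only stretched hashes of recovery codes are kept
        self.salt = secrets.token_bytes(16)

    @property
    def enabled(self) -> bool:
        return self.totp_secret is not None

    def enroll(self, n_recovery: int = 8) -> tuple[str, list[str]]:
        """Turn 2FA on. Returns the base32 secret to load into an authenticator app and the
        plaintext recovery codes, which are shown to the user once and never stored as-is."""
        self.totp_secret = secrets.token_bytes(20)                  # 160-bit seed, per RFC 4226
        codes = [secrets.token_hex(5) for _ in range(n_recovery)]   # 10 hex chars, 40 bits each
        self.recovery_hashes = [self._hash(code) for code in codes]
        return base64.b32encode(self.totp_secret).decode(), codes

    def _hash(self, code: str) -> bytes:
        # Recovery codes are short, so stretch them like passwords before storing.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def verify(self, code: str, at: int | None = None) -> bool:
        """Accept a fresh TOTP code or an unused recovery code; either is consumed on success."""
        if not self.enabled:
            return False
        code = code.replace(" ", "").strip().lower()
        if not code.isascii():
            return False
        now = int(time.time()) if at is None else at
        counter = now // STEP
        for drift in range(-WINDOW, WINDOW + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue  # this step was already used; blocks replay of an intercepted code
            if hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        # Fall back to recovery codes (the "new phone" case): compare stretched hashes in
        # constant time and delete the matching entry so the code works exactly once.
        digest = self._hash(code)
        for i, stored in enumerate(self.recovery_hashes):
            if hmac.compare_digest(stored, digest):
                del self.recovery_hashes[i]
                return True
        return False


if __name__ == "__main__":
    account = SecondFactor()
    b32_secret, recovery = account.enroll()
    print("authenticator secret:", b32_secret)
    now = int(time.time())
    print("current code accepted:", account.verify(totp(account.totp_secret, now), now))
    print("same code again:", account.verify(totp(account.totp_secret, now), now))
    print("recovery code accepted:", account.verify(recovery[0], now))
    print("same recovery code again:", account.verify(recovery[0], now))
```

The `hotp`/`totp` pair reproduces the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), so any authenticator app would produce the same codes. The trade-off in the replay guard is deliberate: once the step for time T is consumed, a code for step T-1 is refused even though it is inside the drift window, which is the behaviour you want when the threat is an intercepted code rather than a slow clock.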

Avatar of crystal0192

Also, you may notice the fact that the post has TWENTY SIX downvotes! Clearly the Chess.com community disagrees with this comment.

Avatar of xneret
Yep. Like Discord. Chess.com is secure enough already. As for personal email, just block senders or put it in spam.
Avatar of GraysonKellogg
Two-factor wouldn’t be a problem in my eyes. If you don’t want to use it, you don’t have to. If you want the extra security, you have the option. Being hacked is NOT fun, even if it is on a platform like chess.com. They could play on your account without your knowledge, resign all your games, post things as you to make you look bad, and many more things. It would make sense to offer the extra security, if someone wants to use it. If they don’t want to, that’s okay, but if they do want to, then at least they have the option.
Avatar of crystal0192
xneret wrote:
Yep. Like Discord. Chess.com is secure enough already. As for personal email, just block senders or put it in spam.

Didn't Discord just have a huge data breach? I'm not sure if Discord should be our example for perfect security!

Avatar of Martin_Stahl
crystal0192 wrote:

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.

Your email address is not visible in account settings.

Avatar of HeisukeKogami
crystal0192 wrote:

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.

Email addresses are open to the public buddy. They are not PII.

Avatar of crystal0192
HeisukeKogami wrote:
crystal0192 wrote:

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.

Email addresses are open to the public buddy. They are not PII.

You are right. However, what is not public information is what email your chess.com account is associated with.

Avatar of crystal0192
Martin_Stahl wrote:
crystal0192 wrote:

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.

Your email address is not visible in account settings.

You can see it if you go to Settings > Account > Your Data. You can access tons of data about the account. Although the data is password protected, the theoretical attacker has your account password. Data includes the IP address that the account was made from, the IP addresses from the last 90 days, your email, and the email that was used to make the account. There is also browser information.

Avatar of HeisukeKogami
crystal0192 wrote:
HeisukeKogami wrote:
crystal0192 wrote:

Yes, he said this:

"We are never going to add this for members. Why? Because there is nothing so personal and sensitive that needs that level of protection, and the hassles of new phones, etc - it's just a TON of work."

For the first point: There is absolutely sensitive information on Chess.com! My personal email is on my account, and if someone got access to my account, they would have my email. This is the case for most people! Also, if a website is taking payment information, they should have extra security measures in place. Secondly, since it would be optional, only people who actually know what they are doing would enable it. That means they would also likely know how to solve the problems of new devices. Not only that, but Chess.com could give users a set of 'recovery codes' when they enable 2FA. These codes could be used in the case that the 2FA is inaccessible for some reason.

Email addresses are open to the public buddy. They are not PII.

You are right. However, what is not public information is what email your chess.com account is associated with.

Yes, that is true. However I don't think most members would prefer extra protection over ease of use.

Avatar of crystal0192

My proposal is that it would be optional.

Avatar of HeisukeKogami
crystal0192 wrote:

My proposal is that it would be optional.

Yes, in that case I can agree with you. However so few people would use it that I'm pretty sure chess.com determined developing such a security measure is not worth the time & effort. Instead they like to change the UI of our profiles and clubs, as they just did.

Avatar of crystal0192

A relatively useless UI change over a vital security feature?

Avatar of HeisukeKogami
crystal0192 wrote:

A relatively useless UI change over a vital security feature?

Yep. Chess.com be like that.

Avatar of HeisukeKogami

Also, since chess.com does not store or manage any additional (S)PII other than email, IP, etc., it is not required to enhance or implement advanced security features. No (or at least no known) data breach has ever occurred in chess.com, so I guess they just don't feel the need lol.

Avatar of crystal0192

Still, it is a vital security feature for any large website. Also, if an attacker broke into a premium member's account, and then (for some reason) they decided they wanted a premium chess.com membership, they could gift their account a premium membership, because chess.com stores credit card information. (That is one reason I canceled my platinum plan.)

Avatar of Martin_Stahl

Based on the previous discussions around it, the support requirement around 2FA/MFA makes it highly unlikely to happen.

On the gifting front, it's been a while since I did that, but the CC information isn't stored, just the authorization information, as I understand it. I don't know if the process requires the CCID on a gift, but I would assume it's required, which would prevent unauthorized gifts.