Chess.com MUST Implement 2-Factor Authentication

MAJOR UPDATE!!!

Lichess.org offers 2FA! This means lichess is far superior to chess.com in terms of security, despite chess.com being a paid site. I suggest that chess.com implement 2FA very soon in order to keep up with the (free) competition.

um, hello?

As far as I'm aware there are still no plans to add the feature.

According to a forum post I saw, Lichess only offers two factor security for cell phone users.

PC users without cell phones are unable to sign up for it. but receive "unending requests to enable two factor authenification..."

The forum post I read said that Lichess doesn't offer functional support, so the many people who have problems with it are on their own.

/ Sounds like the kind of hassle that most people gladly do without.

/ https://lichess.org/forum/lichess-feedback/unending-requests-to-enable-two-factor-authentication-on-my-cell-phone-but-i-dont-have-one#1

I use linux, but i enabled 2FA, so, i dont know how it is "only for phone users". Plus, that would still be better than chess.com's method. which is nothing.

also, like a said, it would be opt-IN

Here is a scenario:

A titled player’s account password gets leaked, say, in a data breach from another website, and then an attacker uses a credential stuffing attack to log in to this titled player’s account. This attacker could post links to “chess learning websites” that actually steal a user’s information. They could also play a lot of games on this titled player’s account, losing them lots of elo points.

Many titled players could be targets for attackers who wish to use high-profile accounts for phishing. This risk is very real.

There are 2 possibilities:

1 - Chess.com has an option for titled players to enable 2FA. In this case, Chess.com is not allowing us to use readily available security feature for no reason. This would be plain stupid.

2 - Chess.com does not allow for titled players to enable 2FA. What this would mean is that they simply do not care about both their regular users and titled players enough to protect them from very real threats. This is simply unacceptable.

What this means is that, in any case, Chess.com not letting us use 2FA for our accounts is simply absurd.

Note:

Chess.com admins actually have 2FA enabled for their accounts. What this means is that the digital infrastructure that Chess.com needs to allow players to enable 2FA already exists (at least partially), giving them no reason not to allow us to use this vital security feature.

I agree 100%. And better still, if 2FA was implemented they could actually have an effective means of keeping fair play violators etc. off the platform damn near permanently.

I would actually pay premium on chess.com if I meant I only, ONLY, played 2FA accounts rather than the cesspit of <1 month old users.

2FA would be optional, so how would it eliminate cheaters?

Because if they were banned for a fair play violation, it would log the 2FA to see that another account couldn't be registered under the same phone number.

Activision did it with COD.

Of course, it didn't eliminate cheating, but it effectively required cheaters to have to go to the effort of not just buying another copy of the game, but also registering a new account, with a brand new 2FA phone number.

Making a new account on chess.com is easy. Getting a new phone number to verify it?... Not so much.

But I’m saying an authenticator app, not SMS 2FA

How much of an improvement would transitioning to passkeys be? Passkeys replace passwords completely. Since passkeys are tied to a specific device, like a phone, it would make bans more effective since a banned user would not be able to simply create a new account, but would have to use a completely new device with a new passkey.

But then what happens if that person wants to log in on another device?

they just need their 2fa device with them, because TOTP codes can be used on any device