Twitch is the world’s leading social video platform and community for gamers, video game culture, and the creative arts. Each day, close to 10 million active users gather to watch and talk about video games with more than two million streamers. With an audience this passionate and active, keeping accounts secure with a minimum of friction is the top priority for Twitch. That’s why they chose Twilio’s Authy 2FA.
> Watch this video to hear how Twitch.tv assessed critical UX requirements to integrate minimum-friction 2FA security into their platform.
Founded In 2011, Twitch is more than a viewer experience, it’s social video. Twitch uses audio and chat to enable streamers and their audiences to interact in real-time about everything from gaming and pop culture to life in general.
For the millions of people who come to Twitch every single day to interact around shared passions, trust is imperative. “We take our community very seriously,” said Twitch product manager Sudesh Peram. “We have two types of users: people who create the content, and people who consume the content. Our content creators actually make their livings by broadcasting on our platform, so security is a priority for us as people’s livelihoods depend on it.”
Parem continued, “Twitch is a much more serious platform than what it was ten years ago. That’s why security is so critical to us. Top broadcasters can make hundreds of thousands of dollars a year, and the pressure is on them to continually broadcast. If they don’t, they lose viewers and money. This is where security comes in. We want broadcasters to post content on time and keep their viewership.”
Another critical reason for errorless security on Twitch is to safeguard user identities. “Most of our users have alternate identities,” said Parem. “When a user goes on Twitch with their alternate identity, they feel like they can live that identity in the gaming world. We take it seriously. Users must absolutely trust our platform.”
To protect their users’ identities, Twitch relies on a gated ID system and Authy two-factor authentication. “Any platform with this volume and scale is prime for user account vulnerability,” Parem explained, “so we knew we needed to keep our users safe from things like account hijacking and password theft even if it causes friction to login. The benefits outweigh the hassles.”
Before they integrated 2FA into their platform, however, the Twitch team had a big decision to make: should they build or buy? They knew they could build their own security system, but it would be a massive undertaking in cost and resourcing, from development and integration, making the solution scale, and above all, keeping it reliable. Parem noted, “Building our own 2FA was not core to our business. We didn’t want to spend an inordinate amount of time doing all of this when we knew there were customizable solutions on the market already.”
Decision made, the team then examined their priorities and established criteria to identify the right solution provider. Reliability, multi-platform support, self-service, and customer support were all critical criteria for consideration. “We have users across all different types of platforms, including a large presence in Android and iOS. Our broadcasters are on PCs or Macs. So we needed a solution that worked across all platforms,” said Parem.
Self-service was another deciding factor. “We don’t want our users to get locked out. If they lose their phone, they should be able to use their desktop. Every time we get a customer support call, it costs us money and time to process, and sometimes we can’t get to it immediately, so we don’t want our users to be helpless.”
Twitch landed on Twilio’s Authy 2FA service as the right fit. “Authy met all of our criteria. We’re happy with the multi-platform and self-service. I’ve used self-service myself; it is really easy to reset my phone and use my new phone right away,” said Parem.
Implementation was much easier than Twitch thought it would be. “We did a pilot on staff accounts for a few months, tested it, and felt comfortable with it. The real fun was when we started building it for regular products, as in Twitch.tv.” According to Parem, Authy 2FA was the easiest product he’s ever used in terms of APIs. It only took a few days to get the product up for proof of concept, and from there was up platform-wide a few weeks.
Parem and team also like Authy’s documentation, customer service, and other developer resources. “We didn’t need them, but we were glad to know they were there,” he said.
Parem has some solid advice for other product managers weighing security solutions: “Twitch is a service that scaled to hundreds of millions of users in a fairly short period. No matter the size of your platform, build 2FA as soon as you onboard. The first time an account gets hacked and the user complains on Twitter, that’s it for your company. When you see how a breach can impact your bottom line, that’s when you take it seriously.”
He recommends that platforms integrate 2FA as part of the normal user flow when they’re setting up the new experience. “Try to optimize for the easiest possible sign up. Adding another layer will always be a challenge, but when you reach critical mass and have millions and millions of users, you want your system to be stable and your community to be safe.”
There’s no good excuse not to have 2FA. Security should not be an afterthought. Plan for it.
Twitch is actively focused on increasing 2FA adoption among their broadcasters. And reducing friction for their users is always top of mind. “We like the concept of Authy One Touch. Our users login daily, and we’d rather they only have one request come in to accept or deny. That makes it much easier than looking at a code and typing it in every day, .” explained Parem. “When they see how easy it was for us to set up, and they see the added security and user benefits, they’ll start using it too.”