
Tell HN: Twitter does not require 2FA to disable 2FA - mikekoscinski
Basically what the title says. Navigate to account/settings/security/2FA. You can disable 2FA without needing to authenticate (via 2FA) first.

I've never experienced this with *any* service that supports 2FA. All other 2FA services that I've ever used will not allow users to disable 2FA without first proving identity via 2FA.

(I recognize that 2FA is fallible. I am not arguing that it is perfect. But, if you're going to enable 2FA auth, you should try to do it correctly.)
======
mikekoscinski
Edit: This is shockingly the case with Google as well. Every other major
service provider seems to require re-authentication prior to disabling 2FA.

------
Dahoon
So you log in with 2fa and then remove 2fa? Can't test as I don't use SoMe
outside HN.

~~~
mikekoscinski
Correct. Perhaps I'm being pedantic but my past experience has been to log in
via 2FA, update settings to disable 2FA, then authenticate via 2FA one final
time before it is finally turned off. This has held true across many services.
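
The flow described in the reply above (a final 2FA prompt before the setting is actually turned off), written out as an added example that is not part of the thread and not any service's real code. `Account`, `verify_totp`, `disable_2fa` and the sample secret are hypothetical names and constructed values; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
# Constructed sample secret (the RFC 6238 test key), not a real credential.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    def __init__(self, secret_b32):
        self.secret_b32 = secret_b32
        self.two_factor_enabled = True
        self.last_used_step = -1  # replay guard: newest time step accepted

def verify_totp(account, code, now):
    """Accept the current or previous step once; constant-time compare."""
    current = int(now) // STEP
    for step in (current, current - 1):
        expected = totp(account.secret_b32, step * STEP)
        if step > account.last_used_step and hmac.compare_digest(expected, code):
            account.last_used_step = step
            return True
    return False

def disable_2fa(account, session_authenticated, code, now=None):
    """Step-up check: a logged-in session alone cannot turn 2FA off."""
    now = time.time() if now is None else now
    if not session_authenticated or not account.two_factor_enabled:
        return False
    # Require a fresh second-factor proof for this specific change. The
    # replay guard means the code typed at login cannot be reused here.
    if not isinstance(code, str) or not verify_totp(account, code, now):
        return False  # setting unchanged; a service would also log this
    account.two_factor_enabled = False
    return True
```

With this check in place, someone holding only a live session (for example on an unlocked device) cannot remove the second factor without also holding the authenticator.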

