Tell HN: Twitter does not require 2FA to disable 2FA
Basically what the title says. Navigate to account/settings/security/2FA. You can disable 2FA without needing to authenticate (via 2FA) first.
I've never experienced this with any service that supports 2FA. All other 2FA services that I've ever used will not allow users to disable 2FA without first proving identity via 2FA.
(I recognize that 2FA is fallible. I am not arguing that it is perfect. But, if you're going to enable 2FA auth, you should try to do it correctly.)
Edit: This is shockingly the case with Google as well. Every other major service provider seems to require re-authentication prior to disabling 2FA.
So you log in with 2fa and then remove 2fa? Can't test as I don't use SoMe outside HN.
Correct. Perhaps I'm being pedantic but my past experience has been to log in via 2FA, update settings to disable 2FA, then authenticate via 2FA one final time before it is finally turned off. This has held true across many services.
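
The flow described in the thread (authenticate via 2FA one final time before it is turned off), sketched as a server-side check. This is an added example, not part of the thread and not Twitter's or Google's code; the `Account` model, the function names and the choice of TOTP as the second factor are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class Account:  # hypothetical in-memory account record
    totp_secret: bytes
    two_factor_enabled: bool = True
    last_used_step: int = -1  # highest time step already consumed (replay guard)


def verify_totp(account: Account, code: str, now: int, drift: int = 1) -> bool:
    """Accept a code from the current step +/- drift, each step at most once."""
    current = now // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step <= account.last_used_step:
            continue  # this step's code was already used or superseded
        expected = totp(account.totp_secret, step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            account.last_used_step = step
            return True
    return False


def disable_two_factor(account: Account, session_authenticated: bool,
                       code: str, now: int) -> bool:
    """Turn 2FA off only after a fresh second-factor check on this request.

    A logged-in session alone is not enough: whoever holds the session
    (unlocked laptop, stolen cookie) must still present the second factor.
    """
    if not session_authenticated or not account.two_factor_enabled:
        return False
    if not verify_totp(account, code, now):
        return False
    account.two_factor_enabled = False
    return True
```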