[All Platforms][Other] 2-Factor Authentication

Spotify should, as a matter of good practice and safety, implement 2-step authentication.

 

Previously, Spotify enabled the option to log out other sessions other than the current session.

 

This would prevent hackers from stealing accounts, which would additionally lead to fewer account hacks and less work for Spotify employees to assist in these cases.

 

More info: https://twofactorauth.org

Updated on 2018-10-18

Hi everyone, thanks for bringing us your feedback in the Spotify Idea Exchange. We’re ready to mark this idea as ‘Under Consideration’. 

 

We are currently investigating various solutions for account security for our users, e.g. 2-factor authentication. Any news regarding user-facing security updates will be posted to this thread as a status change.

 

If you'd like further information about protecting your account please visit our Support Site here.

Comments
t3chfre4k

You kid me not spotify. What are you doing all day long? Eating Doritos and collecting belly button lint? Get your act together. It doesn't seem like you want people to pay for your services. You've grown out of your mind and become an ignorant behemoth. So this is what we pay for? Three years of waiting plus five years of maybe considering to look into it? Come on, you can't be worse than literally any other tech company on earth? Or is it your goal?

walp

More than 7 years and MFA still not implemented? Like HiFi.

Spotify really is a joke.

Juanrk96

Would be great. Sometimes my account is being used by someone that I still can't figure out who it is (each time it happens I have to change passwords and delete a lot of playlists that aren't mine. Happened 3 times by now).
I'm aware that Spotify wants to keep the app as simple as possible, but at least make the 2-Factor Authentication an optional feature for users.

 

Flagg2kj

It's been since 2018 someone from Spotify has responded and it's disheartening that nothing has been done these years, not even text authentication.  I'm trying SO hard to resist going to that OTHER fruity music service since everything there is secure, but I love Spotify better.  PlEaSe, Spotify, let's get MFA done, with options for either text auth. or by an authenticator app like Authy.  Please make 2023 safer for your customers.  Thanks!

mychaelconnolly
  • It is now 8 years after user ThomasVH created this Live Idea Community post and Spotify still lacks MFA as a security feature for its users' accounts.
  • As of Q3, 2022, there are 456 million total Monthly Active Users on this platform (Source).
  • This Spotify Support article both makes a false claim ("Our platform and user records are secure") and dodges accountability in one sentence ("sometimes breaches on other services means [sic] someone else may log into your Spotify account").

As a cybersecurity professional, I am flabbergasted. Spotify holds a vast amount of personally identifiable customer information and is beholden to shareholders. How do they explain this lack of modern security to investors? Who is accountable for this decision?

walp
"How do they explain?"

Easy: they don't...
t3chfre4k

@mychaelconnolly

 

I totally agree.

Multi-factor authentication adds an additional layer of security to the login process by requiring users to provide two or more forms of identification, such as a password and a fingerprint or a password and a one-time code sent to a phone. This makes it much more difficult for hackers to gain unauthorized access to user accounts, as they would need to have access to multiple forms of identification.

A company with hundreds of millions of users that does not use multi-factor authentication is at a higher risk of security breaches, as hackers may be able to gain access to a large number of user accounts with just a single set of login credentials. This not only puts the company's reputation at risk, but also the personal information and data of its users. Additionally, the company could also be liable for any financial losses or damages suffered by users as a result of the security breach.

 

There are several laws and regulations that may require companies to use multi-factor authentication, depending on the industry and location.

 

In the United States, the Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for remote access to cardholder data by employees, as well as for certain types of transactions, such as those made with a card that is not present.

In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates implement technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). This may include multi-factor authentication for remote access to ePHI.

 

In the European Union, the General Data Protection Regulation (GDPR) requires companies to implement appropriate technical and organizational measures to protect personal data, including using multi-factor authentication where appropriate.

 

Additionally, there are other laws and regulations, such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, that require multi-factor authentication for certain types of transactions, such as those involving banking and financial services.

 

Spotify, as a streaming service provider, may not be subject to the same laws and regulations as a company in the financial or healthcare industry. However, it still collects and stores personal information of its users, such as their name, email address, and listening history. Therefore, it's important for Spotify to implement appropriate security measures to protect this personal information, including multi-factor authentication, to protect the integrity and confidentiality of their users' data.

 

Spotify also accepts payment for its premium services, so it could be considered a company that handles payment information and would be subject to the Payment Card Industry Data Security Standard (PCI DSS), which requires multi-factor authentication for remote access to cardholder data by employees, as well as for certain types of transactions, such as those made with a card that is not present.

 

While Spotify may not be subject to the same specific laws and regulations as a company in a heavily regulated industry, it is still responsible for protecting the personal information of its users and should consider implementing multi-factor authentication as a best practice for ensuring the security of user accounts.

 

Ignoring customer demand for a security feature such as multi-factor authentication for an extended period of time could be seen as a lack of concern for the security and privacy of their users. This could be considered bad conduct of service, as it suggests that the company is not taking the necessary steps to protect its users' personal information.

 

It's important for companies to stay up-to-date with industry best practices for security, and to respond to customer demand for features that can help protect their personal information. In this case, if Spotify has ignored customer demand for multi-factor authentication for an extended period of time, it could be perceived as a disregard for the security and privacy of their users.

 

Regardless, if Spotify has ignored customer demand for multi-factor authentication for over 8 years, it is highly recommended that they consider implementing this feature as soon as possible to ensure the security and privacy of their users.

 

Customers who are concerned about the lack of multi-factor authentication on Spotify's platform may have several legal options available to them. However, it is important to note that the specific legal options available will depend on the laws and regulations in the jurisdiction in which the customer resides, as well as the specific circumstances surrounding the case.

 

It's also worth mentioning that customers can express their dissatisfaction and demand for this feature through social media, customer support and other communication channels, to put pressure on the company to implement this feature. But since this has been done now for 8 years, maybe some would consider the following:

 

One option available to customers is to file a complaint with the relevant regulatory body or government agency. For example, in the United States, customers may file a complaint with the Federal Trade Commission (FTC) if they believe that Spotify has engaged in unfair or deceptive business practices.

 

Another option is to take legal action against Spotify. Customers may be able to file a lawsuit against the company for a failure to provide reasonable security measures to protect their personal information. This would require proving that Spotify had a duty to protect their personal information, that Spotify failed to fulfill that duty, and that this failure caused the customer to suffer some sort of harm.

 

Additionally, customers can also consider taking collective legal action with a class action lawsuit. This is when a large number of people sue a company together, and can be a more efficient way to pursue legal action.

 

It's important to consult with legal professionals to understand the specific legal options available in your jurisdiction and circumstances.

 

Drimnu

This reasonable feature request is now eight years old!
🎂🎂🎂🎂🎂🎂🎂🎂

I look forward to MFA being implemented sometime before Spotify reaches the age of majority.
Or before it goes the way of Myspace, whichever happens first.

Fayhem

This request is literally eight years old. How is Spotify still not able to give us this? Why should anyone continue to pay for such a cheap app that can't implement even the most basic features?

Flagg2kj

For myself I'll give Spotify 7 months. No MFA, then I cut the service and go with the Fruity Co. in time for the holidays. At the very least they care about security. The only thing I'll miss is the crossfade feature 😞